MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65f76564fa007c2d3eeae10ed5ee9512903bc62d745850cc8faef6b50c53b21a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65f76564fa007c2d3eeae10ed5ee9512903bc62d745850cc8faef6b50c53b21a
SHA3-384 hash: 066a006300457466d741f966d86e92931f6b3fb4856b35969399a00cea177edf44c9a7598d39f4f8f0a4cd2d8868f34c
SHA1 hash: 31d219de92fd5c80cb7b97907951d493f9fa26bb
MD5 hash: b8764252ff52d8b29685298a9eda35f1
humanhash: east-may-virginia-muppet
File name:b8764252ff52d8b29685298a9eda35f1
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:2'219'008 bytes
First seen:2021-06-12 00:12:51 UTC
Last seen:2021-06-12 01:09:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:ub/IS2VmNeS8HJzKo6CtHapTSgw/d7IFeYWiGuEhhld242z:ut2wN6+htP2d7DaQldZ2
TLSH 11A5332222AD10DBC3C417B2A5AD6EC9C244BFFB7CC1452D74CC25AD6F36DAC5188B59
Reporter zbetcheckin
Tags:CoinMiner.XMRig exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b8764252ff52d8b29685298a9eda35f1
Verdict:
No threats detected
Analysis date:
2021-06-12 00:16:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d950973b-55be-4401-aa9b-51b346be3fc2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166201/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.721.30777.6715.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8b7ba2a-aa83-487d-a874-bcf09b84fca7
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/801094
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 433490 Sample: tvijATOn6L Startdate: 12/06/2021 Architecture: WINDOWS Score: 100 95 Sigma detected: Xmrig 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 6 other signatures 2->101 8 tvijATOn6L.exe 9 2->8         started        12 CMD.exe 3 2->12         started        14 svchost.exe 2->14         started        16 10 other processes 2->16 process3 dnsIp4 75 C:\Users\user\AppData\...\sihost64.exe, PE32+ 8->75 dropped 77 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 8->77 dropped 79 C:\Users\user\AppData\Roaming\CMD.exe, PE32+ 8->79 dropped 81 2 other malicious files 8->81 dropped 127 Adds a directory exclusion to Windows Defender 8->127 129 Sample is not signed and drops a device driver 8->129 19 CMD.exe 8->19         started        22 cmd.exe 1 8->22         started        24 sihost64.exe 8->24         started        27 cmd.exe 1 8->27         started        131 Multi AV Scanner detection for dropped file 12->131 133 Machine Learning detection for dropped file 12->133 135 Writes to foreign memory regions 12->135 139 3 other signatures 12->139 29 cmd.exe 12->29         started        31 cmd.exe 1 12->31         started        33 cmd.exe 12->33         started        137 Changes security center settings (notifications, updates, antivirus, firewall) 14->137 35 MpCmdRun.exe 14->35         started        83 127.0.0.1 unknown unknown 16->83 file5 signatures6 process7 dnsIp8 103 Writes to foreign memory regions 19->103 105 Allocates memory in foreign processes 19->105 107 Modifies the context of a thread in another process (thread injection) 19->107 109 Injects a PE file into a foreign processes 19->109 37 cmd.exe 19->37         started        41 cmd.exe 19->41         started        43 cmd.exe 19->43         started        111 Tries to detect sandboxes and other dynamic analysis tools (window names) 22->111 113 Uses schtasks.exe or at.exe to add and modify task schedules 22->113 115 Adds a directory exclusion to Windows Defender 22->115 45 conhost.exe 22->45         started        51 4 other processes 22->51 89 192.168.2.1 unknown unknown 24->89 117 Machine Learning detection for dropped file 24->117 47 cmd.exe 24->47         started        53 2 other processes 27->53 91 retracker.host 29->91 93 pastebin.com 29->93 119 Query firmware table information (likely to detect VMs) 29->119 55 2 other processes 33->55 49 conhost.exe 35->49         started        signatures9 process10 dnsIp11 85 retracker.host 81.163.246.9, 3333, 49731, 49736 KOLT-ASRU Russian Federation 37->85 87 pastebin.com 104.23.99.190, 443, 49728, 49730 CLOUDFLARENETUS United States 37->87 121 Query firmware table information (likely to detect VMs) 37->121 57 conhost.exe 41->57         started        67 4 other processes 41->67 69 2 other processes 43->69 123 Adds a directory exclusion to Windows Defender 47->123 59 conhost.exe 47->59         started        61 powershell.exe 47->61         started        71 3 other processes 47->71 63 powershell.exe 20 53->63         started        65 conhost.exe 53->65         started        73 2 other processes 53->73 signatures12 125 Detected Stratum mining protocol 85->125 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65f76564fa007c2d3eeae10ed5ee9512903bc62d745850cc8faef6b50c53b21a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-11 21:19:36 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mx3wkzh2ab6c2pxk4ehnl3uvckidxrrnormfbtepv33lkdctwina._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/210612-rbjk7zpnpn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
65f76564fa007c2d3eeae10ed5ee9512903bc62d745850cc8faef6b50c53b21a
MD5 hash:
b8764252ff52d8b29685298a9eda35f1
SHA1 hash:
31d219de92fd5c80cb7b97907951d493f9fa26bb
Link:
https://www.unpac.me/results/b1d83f73-528d-41e9-81ec-66aaed095056/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65f76564fa007c2d3eeae10ed5ee9512903bc62d745850cc8faef6b50c53b21a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe 65f76564fa007c2d3eeae10ed5ee9512903bc62d745850cc8faef6b50c53b21a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1355484/
Cape
Cape
https://www.capesandbox.com/analysis/166201/

Comments