MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA3-384 hash: b38fa6e11f9a0b92c942bb2e0567bc1a80304a22edc5639a139963b61f3d5a8992ed0c4af49a083d9997cce4442d2515
SHA1 hash: 6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
MD5 hash: ffada57f998ed6a72b6ba2f072d2690a
humanhash: juliet-wyoming-leopard-oranges
File name:ffada57f998ed6a72b6ba2f072d2690a
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'665'984 bytes
First seen:2024-01-23 03:50:55 UTC
Last seen:2024-07-20 04:14:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash de41d4e0545d977de6ca665131bb479a (85 x CoinMiner)
ssdeep 49152:UjBP3/qGrdNJ8VZFhY++Yk/4aLq8wH7mm6qJsSRRjyl:aBPvfrAZF28k/RLbwH7mvcRRjy
Threatray 39 similar samples on MalwareBazaar
TLSH T177C53381678033ACC58F4A395C755F3A881A3174034666C7AEE78706BA75BC2D271BFB
TrID 49.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
31.8% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.EXE) OS/2 Executable (generic) (2029/13)
6.0% (.EXE) Generic Win/DOS Executable (2002/3)
6.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 00f2e6ececee9898 (1 x CoinMiner)
Reporter zbetcheckin
Tags:64 CoinMiner exe

Intelligence

File Origin
# of uploads :
33
# of downloads :
403
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12.exe
Verdict:
Malicious activity
Analysis date:
2024-01-23 03:51:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f7786ec-1cc8-4d2e-83d1-fe165b854e6a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472424/
Detection(s):
Win.Packed.Zusy-10017004-0
Create hunting rule

Win.Packed.Zusy-10018533-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Running batch commands
Deleting a system file
Launching a process
Creating a service
Creating a file
Launching a service
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/65af37a81dcf0cd54470ac46/reports/6059ce3b-94d6-438a-a2a7-104dae4bbf76/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/929c7275-e698-464c-8f87-14f78496d21f
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1379253
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
DNS related to crypt mining pools
Injects code into the Windows Explorer (explorer.exe)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1379253 Sample: 13V1JA305H.exe Startdate: 23/01/2024 Architecture: WINDOWS Score: 100 54 zeph-eu2.nanopool.org 2->54 56 pastebin.com 2->56 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected Xmrig cryptocurrency miner 2->66 68 Connects to many ports of the same IP (likely port scanning) 2->68 8 reakuqnanrkn.exe 1 2->8         started        12 13V1JA305H.exe 1 2 2->12         started        signatures3 70 DNS related to crypt mining pools 54->70 72 Connects to a pastebin service (likely for C&C) 56->72 process4 file5 50 C:\Windows\Temp\wmdnbrbxmwvo.sys, PE32+ 8->50 dropped 74 Multi AV Scanner detection for dropped file 8->74 76 Injects code into the Windows Explorer (explorer.exe) 8->76 78 Modifies the context of a thread in another process (thread injection) 8->78 80 Sample is not signed and drops a device driver 8->80 14 explorer.exe 8->14         started        18 cmd.exe 1 8->18         started        20 powershell.exe 21 8->20         started        28 10 other processes 8->28 52 C:\ProgramData\...\reakuqnanrkn.exe, PE32+ 12->52 dropped 82 Uses powercfg.exe to modify the power settings 12->82 84 Adds a directory exclusion to Windows Defender 12->84 86 Modifies power options to not sleep / hibernate 12->86 22 cmd.exe 1 12->22         started        24 powershell.exe 23 12->24         started        26 powercfg.exe 1 12->26         started        30 12 other processes 12->30 signatures6 process7 dnsIp8 58 51.15.61.114, 10943, 49705 OnlineSASFR France 14->58 60 zeph-eu2.nanopool.org 51.15.89.13, 10943, 49707 OnlineSASFR France 14->60 62 pastebin.com 172.67.34.170, 443, 49706 CLOUDFLARENETUS United States 14->62 88 System process connects to network (likely due to code injection or exploit) 14->88 90 Query firmware table information (likely to detect VMs) 14->90 92 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->92 44 2 other processes 18->44 32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 wusa.exe 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        46 9 other processes 28->46 42 conhost.exe 30->42         started        48 11 other processes 30->48 signatures9 process10
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-22 23:24:23 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m57tsndc4jh3nw5bur5ttztu6scukd4r33xga5wmxlm72xqfxuja._file
Verdict:
malicious
Similar samples:
03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306
CoinMiner
34ab005b549534dba9a83d9346e1618a18ecee2c99a93079551634f9480b2b79
CoinMiner
8f4c3348423dbc5dadff663216b4b015109535a06e5a81fb7cb3993a90ff26c5
CoinMiner
99c24686e9ac15ec6914d314a1d72dd9a1ebece08fd1b8a75e00373051e82079
CoinMiner
d6e7ccaafc7a6641ce67c75483994806c20cd2a8d5235c0e74dbad4ef10ddc53
CoinMiner
f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499
CoinMiner
f882cbd19bca7935fb6d2214f305299399dec452b9db794cc4f97b1a1104c538
CoinMiner
+ 29 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner persistence upx
Link:
https://tria.ge/reports/240123-eegx5sgbc9/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
UPX packed file
Stops running service(s)
Creates new service(s)
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
MD5 hash:
ffada57f998ed6a72b6ba2f072d2690a
SHA1 hash:
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
Link:
https://www.unpac.me/results/f8988674-2ffe-4574-a0b5-bd0e9c7fec3c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/677f393462e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2750618/
Cape
Cape
https://www.capesandbox.com/analysis/472424/

Comments


Avatar
zbet commented on 2024-01-23 03:50:56 UTC

url : hxxp://185.172.128.19/FirstZ.exe