MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67bf2dc07e41aea2cbb9727a8153626d6e853003aaa38bd1950b7c567794858c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67bf2dc07e41aea2cbb9727a8153626d6e853003aaa38bd1950b7c567794858c
SHA3-384 hash: b243f4547cc5028e566e4517c443ac295901c512ccf7110473551d27879b63255127d2b457de33218e6a0ed6b4ed9e19
SHA1 hash: 4af6bf03f200f62fcdbf01e1ced30a41b30cf1c9
MD5 hash: 7f31a5a75588f81261d90e1d1930116e
humanhash: apart-oregon-minnesota-hot
File name:7f31a5a75588f81261d90e1d1930116e
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'101'056 bytes
First seen:2021-11-15 10:52:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 31023d5744de3370464ffe7b77a57d1d (2 x CoinMiner)
ssdeep 98304:ZJSz8yBb2Tdum3S0uD3rkxszg7nOxRt8T:jAqdbwD3uFnaTw
TLSH T1D6367DFB11ECA397C55AB0789A05F22EC70BF56C0B59B567F4D028B0AA17AC13E1B711
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205890/
Detection(s):
SecuriteInfo.com.UDS.Trojan.Win64.Donut.30458.8832.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Running batch commands
Launching a process
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Connecting to a cryptocurrency mining pool
Connection attempt
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Enabling autorun for a service
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61923c123edf00a722d52e7a/reports/5d7826b0-f7f3-4584-8d9c-b60664c06f53/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/193d565d-f7cf-4a3f-ab1e-7fa5be5f5516
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/889348
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: Xmrig
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 521817 Sample: hmoLmJDtvL Startdate: 15/11/2021 Architecture: WINDOWS Score: 100 76 Sigma detected: Xmrig 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 7 other signatures 2->82 10 hmoLmJDtvL.exe 2->10         started        13 services64.exe 2->13         started        15 svchost.exe 9 1 2->15         started        18 3 other processes 2->18 process3 dnsIp4 104 Query firmware table information (likely to detect VMs) 10->104 106 Writes to foreign memory regions 10->106 108 Allocates memory in foreign processes 10->108 116 2 other signatures 10->116 20 conhost.exe 5 10->20         started        110 Multi AV Scanner detection for dropped file 13->110 112 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->112 114 Hides threads from debuggers 13->114 24 conhost.exe 6 13->24         started        72 127.0.0.1 unknown unknown 15->72 74 192.168.2.1, 49766 unknown unknown 18->74 signatures5 process6 file7 56 C:\Users\user\AppData\...\services64.exe, PE32+ 20->56 dropped 58 C:\Users\...\services64.exe:Zone.Identifier, ASCII 20->58 dropped 92 Uses nslookup.exe to query domains 20->92 26 cmd.exe 1 20->26         started        28 cmd.exe 1 20->28         started        60 C:\Users\user\AppData\...\sihost64.exe, PE32+ 24->60 dropped 62 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 24->62 dropped 94 Writes to foreign memory regions 24->94 96 Modifies the context of a thread in another process (thread injection) 24->96 98 Sample is not signed and drops a device driver 24->98 100 Injects a PE file into a foreign processes 24->100 31 sihost64.exe 24->31         started        33 nslookup.exe 24->33         started        signatures8 process9 dnsIp10 36 services64.exe 26->36         started        39 conhost.exe 26->39         started        118 Uses schtasks.exe or at.exe to add and modify task schedules 28->118 41 conhost.exe 28->41         started        43 schtasks.exe 1 28->43         started        120 Writes to foreign memory regions 31->120 122 Allocates memory in foreign processes 31->122 124 Creates a thread in another existing process (thread injection) 31->124 45 conhost.exe 2 31->45         started        64 51.15.78.68, 14433, 49773 OnlineSASFR France 33->64 66 xmr-eu1.nanopool.org 33->66 126 Query firmware table information (likely to detect VMs) 33->126 signatures11 process12 signatures13 84 Query firmware table information (likely to detect VMs) 36->84 86 Writes to foreign memory regions 36->86 88 Allocates memory in foreign processes 36->88 90 3 other signatures 36->90 47 conhost.exe 2 36->47         started        50 conhost.exe 41->50         started        process14 signatures15 128 Uses nslookup.exe to query domains 47->128 130 Writes to foreign memory regions 47->130 132 Modifies the context of a thread in another process (thread injection) 47->132 134 Injects a PE file into a foreign processes 47->134 52 nslookup.exe 47->52         started        process16 dnsIp17 68 51.68.143.81, 14433, 49765 OVHFR France 52->68 70 xmr-eu1.nanopool.org 52->70 102 Query firmware table information (likely to detect VMs) 52->102 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67bf2dc07e41aea2cbb9727a8153626d6e853003aaa38bd1950b7c567794858c/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 10:53:07 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner themida trojan
Link:
https://tria.ge/reports/211115-myzajahhg4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
67bf2dc07e41aea2cbb9727a8153626d6e853003aaa38bd1950b7c567794858c
MD5 hash:
7f31a5a75588f81261d90e1d1930116e
SHA1 hash:
4af6bf03f200f62fcdbf01e1ced30a41b30cf1c9
Link:
https://www.unpac.me/results/c551b56e-5b30-48fb-bbc5-04679742415e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/67bf2dc07e41/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 67bf2dc07e41aea2cbb9727a8153626d6e853003aaa38bd1950b7c567794858c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1788265/
Cape
Cape
https://www.capesandbox.com/analysis/205890/

Comments


Avatar
zbet commented on 2021-11-15 10:52:34 UTC

url : hxxp://globalgamesnews.com/onion/monero.exe