MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915
SHA3-384 hash: 7f2ce0944f724ac75ababa5a00861a2a329f30aae3bea8614bbd5d48db3c647034aa26c0bc63d09c423af43be0e69e38
SHA1 hash: 5224506ce265475452aeddf540f5f9b996f84bd6
MD5 hash: cff0e1b4af4ef5a2d4cb78ea5d403d58
humanhash: oregon-minnesota-bulldog-apart
File name:SecuriteInfo.com.Variant.MSILHeracles.47499.17504.29269
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'823'168 bytes
First seen:2022-11-13 21:48:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:YX9bvpxA+I4AY+a7xIrLlxJq5ZjoVrY4u0uXh/DP+P:2DnNExInjojwRK
Threatray 19'170 similar samples on MalwareBazaar
TLSH T11CD523DD7A3472CFC86BD836CB6C1D24E26465BB431B9307946316AD9A4C99FCF240A3
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.MSILHeracles.47499.17504.29269
Verdict:
No threats detected
Analysis date:
2022-11-13 21:50:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/668e0115-b097-461a-a2dc-530cb04ff5c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/333446/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.47499.17504.29269.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Running batch commands
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Creating a file in the Windows subdirectories
Moving a system file
Creating a file in the system32 subdirectories
Forced system process termination
Unauthorized injection to a recently created process
Searching for synchronization primitives
Setting browser functions hooks
Possible injection to a system process
Changing the hosts file
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/6371664e2445ecec3cc494fb/reports/e7546dbb-38b3-480b-8f3f-ddeb86ea3bc9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5285625e-fa7d-4a5e-9451-48b388b71393
Result
Threat name:
Crypto Miner
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1112448
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Found stalling execution ending in API Sleep call
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Stop multiple services
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Crypto Miner
Yara detected RUNPE
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 745144 Sample: SecuriteInfo.com.Variant.MS... Startdate: 13/11/2022 Architecture: WINDOWS Score: 100 80 Multi AV Scanner detection for domain / URL 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Antivirus detection for URL or domain 2->84 86 14 other signatures 2->86 7 SecuriteInfo.com.Variant.MSILHeracles.47499.17504.29269.exe 14 3 2->7         started        12 powershell.exe 2->12         started        14 powershell.exe 2->14         started        process3 dnsIp4 56 ip-api.com 208.95.112.1, 49702, 80 TUT-ASUS United States 7->56 58 raw.githubusercontent.com 185.199.111.133, 443, 49703 FASTLYUS Netherlands 7->58 60 192.168.2.1 unknown unknown 7->60 54 C:\Windows\System32\drivers\etc\hosts, ASCII 7->54 dropped 88 Very long command line found 7->88 90 May check the online IP address of the machine 7->90 92 Encrypted powershell cmdline option found 7->92 100 2 other signatures 7->100 16 cmd.exe 1 7->16         started        19 powershell.exe 7->19         started        22 cmd.exe 1 7->22         started        30 2 other processes 7->30 94 Creates files in the system32 config directory 12->94 96 Writes to foreign memory regions 12->96 98 Modifies the context of a thread in another process (thread injection) 12->98 24 dllhost.exe 12->24         started        26 conhost.exe 12->26         started        28 conhost.exe 14->28         started        file5 signatures6 process7 file8 62 Uses cmd line tools excessively to alter registry or file data 16->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 16->64 66 Uses powercfg.exe to modify the power settings 16->66 32 icacls.exe 1 16->32         started        34 conhost.exe 16->34         started        36 reg.exe 1 16->36         started        46 21 other processes 16->46 50 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 19->50 dropped 52 C:\...\updater.exe:Zone.Identifier, ASCII 19->52 dropped 38 conhost.exe 19->38         started        68 Modifies power options to not sleep / hibernate 22->68 40 conhost.exe 22->40         started        48 4 other processes 22->48 70 Found stalling execution ending in API Sleep call 24->70 72 Injects code into the Windows Explorer (explorer.exe) 24->72 74 Contains functionality to inject code into remote processes 24->74 78 3 other signatures 24->78 42 winlogon.exe 24->42 injected 76 Powershell drops PE file 30->76 44 conhost.exe 30->44         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2022-11-13 21:49:23 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nam3zj45lwkzra46txh2dijp5nqh4tjgtjjlafuutkmznqszrekq._file
Verdict:
malicious
Similar samples:
054174b77c43d2b1a97a1238282818dc2792535ec0e3b94102c58d9d9ffeba15
CoinMiner
0614b3b867d5a5dc21ece263f34af1de851bf4e84552eb921d6fc95e90c309c2
CoinMiner
16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b
CoinMiner
2027e263e2872242faf65b3e6bf249223cb09b8e9b335f44bf3e89b9951be9f9
CoinMiner
65970760831f083ce65c5ec185f5c1d1c73217bcf600de567f2960b592412c52
CoinMiner
888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529
CoinMiner
9148bcf1957c9dc89339b577fc122c8d947cafc09b275c95361dc6b4150eeaa1
CoinMiner
ab15105c31b25984d7a7838bc7f95c65002c1657d8cd25c69fa8a7dd3e624077
CoinMiner
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3
CoinMiner
c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289
CoinMiner
+ 19'160 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915
MD5 hash:
cff0e1b4af4ef5a2d4cb78ea5d403d58
SHA1 hash:
5224506ce265475452aeddf540f5f9b996f84bd6
Link:
https://www.unpac.me/results/e2c1d7ea-bb22-4e69-8074-368ac711baa1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6819bca79d5d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 6819bca79d5d9598839e9dcfa1a12feb607e4d269a52b016949a9996c2598915

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2409910/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2409911/
Cape
Cape
https://www.capesandbox.com/analysis/333446/

Comments