MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6958b67fa4b8e6b4cb8a503cb6199b81c6df7491a97ec8edf51662e350078fda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	6958b67fa4b8e6b4cb8a503cb6199b81c6df7491a97ec8edf51662e350078fda
SHA3-384 hash:	e202978ce007ac27415407e48f0ba8b7798ce8fce538d4708748d511477d45f15f7ec96b7b085467168be9e082e2ffea
SHA1 hash:	0912383575a2b4c3b999984265718be89d069bb4
MD5 hash:	64680606044ae7b36f969dbf81e7b4c8
humanhash:	queen-neptune-autumn-hydrogen
File name:	MSBuild.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	2'186'752 bytes
First seen:	2023-04-27 00:01:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	49152:ED1+W8fbdZexBBi3anWhIkT4Npqf068+MddudCSdddd22ksdxMdfnBiRd2H2ldjJ:3
Threatray	159 similar samples on MalwareBazaar
TLSH	T158A501311AA37DEEE2BD0EB8D49211480D9868AFA31CD7B8B8C411DE52F27149DB3D75
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	Chainskilabs
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

MSBuild.exe

Verdict:

Malicious activity

Analysis date:

2023-04-27 00:01:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/91a43cb4-e77b-499f-9528-a87fbc8685be

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/385117/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.79059.7417.14726.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Creating a window

Enabling autorun

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

hacktool msbuild.exe

Link:

https://www.filescan.io/uploads/6449bb7b8615b5d32a535618/reports/f726b242-bb67-4f46-9c45-3caa43fd45ee/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6958b67fa4b8e6b4cb8a503cb6199b81c6df7491a97ec8edf51662e350078fda

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/cb236a10-eaee-4020-b488-e5a969510296

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1221879

Signature

Creates an undocumented autostart registry key

Detected Stratum mining protocol

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Yara detected Costura Assembly Loader

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6958b67fa4b8e6b4cb8a503cb6199b81c6df7491a97ec8edf51662e350078fda/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2023-04-26 20:48:37 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nfmlm75exdtljs4kka6lmgm3qhdn65ervf7mr3pvczroguahr7na._file

Verdict:

malicious

CoinMiner

12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad

CoinMiner

29b5468c799dbba5a156b67c04f3082f41c647c0cf9330e824f57d456d2e234e

CoinMiner

509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39

CoinMiner

6620065fb747acd80ed59d91d4b76316b9402c739530a8436e36f188e9a3f03f

CoinMiner

6885a9ebd3e4a2d367b385f8d846f528bacfc944b7be6f1e2eca12d6c951a7d5

CoinMiner

879b5fef5bd8bbd8a81ae74de86e38f88f60e4da9aa35941ee3e676ebc386718

CoinMiner

963f054c289e0855e2d119fa2e290bcc3a1d7787c60ed226fb6512b52b3750c5

CoinMiner

e904870d3952bad327314df46c9fa32f9aac69ef0028123515da1cda4c1c6706

CoinMiner

fd24ac75f267d1cc406697651273087eaf7c5f86ff59d323fdf66a41915429b0

CoinMiner

+ 149 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner persistence

Link:

https://tria.ge/reports/230427-abftfsed9s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

XMRig Miner payload

Modifies WinLogon for persistence

xmrig

Unpacked files

SH256 hash:

6958b67fa4b8e6b4cb8a503cb6199b81c6df7491a97ec8edf51662e350078fda

MD5 hash:

64680606044ae7b36f969dbf81e7b4c8

SHA1 hash:

0912383575a2b4c3b999984265718be89d069bb4

Link:

https://www.unpac.me/results/e22f3aaf-d328-4a73-aabf-b561287fbbb5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/6958b67fa4b8e6b4cb8a503cb6199b81c6df7491a97ec8edf51662e350078fda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	MacOS_Cryptominer_Generic_333129b7 Create hunting rule
Author:	Elastic Security

Rule name:	MacOS_Cryptominer_Xmrig_241780a1 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_CoinMiner02 Create hunting rule
Author:	ditekSHen
Description:	Detects coinmining malware

Rule name:	MAL_XMR_Miner_May19_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MAL_XMR_Miner_May19_1_RID2E1B Create hunting rule
Author:	Florian Roth
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	pe_imphash Create hunting rule

Rule name:	rig_win64_xmrig_6_13_1_xmrig Create hunting rule
Author:	yarGen Rule Generator
Description:	rig_win64 - file xmrig.exe
Reference:	https://github.com/Neo23x0/yarGen

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

exe 6958b67fa4b8e6b4cb8a503cb6199b81c6df7491a97ec8edf51662e350078fda

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/385117/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample