MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b80fa7ccbabe9b2ccbaf3fc1888c60be4d7fb84a18f48e772bc61c3f0f258e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 10


Intelligence 10 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b80fa7ccbabe9b2ccbaf3fc1888c60be4d7fb84a18f48e772bc61c3f0f258e5
SHA3-384 hash: 4ed9aa25544d3a86f8525341cf730eb88b06fecc1f82d6b864dd11174acd80368d4c3cf749a2d5b3fb2ff614e601ea8c
SHA1 hash: 056c3a742610529b127dc7f28867cf5a9ed1b385
MD5 hash: 105f7e2bf6d888a4892ecd77d8eded44
humanhash: green-ceiling-sodium-stairway
File name:SecuriteInfo.com.Trojan.DownLoader44.42929.521.13158
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:8'538'112 bytes
First seen:2022-03-08 19:55:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (235 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 196608:tsl06Grlre2pGEaOcf2NnG5PExW+M51p8VGE+LX42B3ms1VisG3nQ:tsiXK2YEwrjPp86znB
Threatray 53 similar samples on MalwareBazaar
TLSH T19D8633E59109D170D933CFB67134922FA891134A98F3C626C40A15EB7CEA5E9F82B1F7
Reporter SecuriteInfoCom
Tags:CoinMiner.XMRig exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248482/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.42929.521.13158.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Searching for synchronization primitives
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Creating a process from a recently created file
Enabling autorun for a service
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6227b4a0b94fb38cb4408629/reports/2a221f08-8115-4792-95cc-64429196dfc2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Kraken
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e87a2fe5-c1cd-42e4-916f-671739268b7e
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952949
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Sigma detected: Suspicius Schtasks From Env Var Folder
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 585427 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 08/03/2022 Architecture: WINDOWS Score: 100 56 Sigma detected: Xmrig 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected Xmrig cryptocurrency miner 2->60 62 6 other signatures 2->62 7 SecuriteInfo.com.Trojan.DownLoader44.42929.521.exe 3 2->7         started        12 update.exe 1 2->12         started        14 update.exe 1 2->14         started        process3 dnsIp4 46 discord.com 162.159.136.232, 443, 49783 CLOUDFLARENETUS United States 7->46 48 httpbin.org 52.55.211.119, 49782, 80 AMAZON-AESUS United States 7->48 38 C:\Users\user\AppData\Local\...\update.exe, PE32+ 7->38 dropped 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 7->66 68 Writes to foreign memory regions 7->68 76 4 other signatures 7->76 16 svchost.exe 1 7->16         started        20 powershell.exe 23 7->20         started        22 schtasks.exe 1 7->22         started        70 Multi AV Scanner detection for dropped file 12->70 72 Machine Learning detection for dropped file 12->72 74 Adds a directory exclusion to Windows Defender 12->74 24 powershell.exe 12->24         started        26 powershell.exe 14->26         started        file5 signatures6 process7 dnsIp8 40 149.202.83.171, 3333, 49788 OVHFR France 16->40 42 pool.supportxmr.com 16->42 44 pool-fr.supportxmr.com 16->44 50 System process connects to network (likely due to code injection or exploit) 16->50 52 Query firmware table information (likely to detect VMs) 16->52 28 conhost.exe 16->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        signatures9 54 Detected Stratum mining protocol 40->54 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b80fa7ccbabe9b2ccbaf3fc1888c60be4d7fb84a18f48e772bc61c3f0f258e5/
Threat name:
Win64.Trojan.WinGoCoinMiner
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 01:24:50 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=noapu7glvpu3ftf26p6brcggbpsnp64eughurz3sxrq4h4hsldsq._file
Verdict:
malicious
Similar samples:
0757a3b97f39c1d8a6c3d94770762a3912304cfaffa0330761945acd7f236213
CoinMiner.XMRig
3153caf54366c0ddeddd293791b8f05eabd7343d9a73cc6444b769d0115dabf8
CoinMiner.XMRig
37b3a1d0c99b42d11596890640c076a18929f5087f924d22e9b751b3afd4f94c
CoinMiner.XMRig
63301a39b93b63acab80e0a05b909f733d792c7ae829a0a207d2fa2e1498158f
CoinMiner.XMRig
8d7953ccff3dbc3b9aad9e25f9437b71070d7e63613e193ab4be05cffd9a1f8d
CoinMiner.XMRig
a390e37424852274a627183769d43e7015e88fbb02e54d1b2b8367abdc18ec7e
CoinMiner.XMRig
a3c34cc5f8a13545a73b2a21512232e91dfef275a3cecb81215a5affb69709fb
CoinMiner.XMRig
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
CoinMiner.XMRig
c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d
CoinMiner.XMRig
e4cf8390df0db1d1e0d703427544992d5e4622f44986350e5143ffdac25af20d
CoinMiner.XMRig
+ 43 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/220308-ym62saebdj/
Behaviour
Creates scheduled task(s)
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
6b80fa7ccbabe9b2ccbaf3fc1888c60be4d7fb84a18f48e772bc61c3f0f258e5
MD5 hash:
105f7e2bf6d888a4892ecd77d8eded44
SHA1 hash:
056c3a742610529b127dc7f28867cf5a9ed1b385
Link:
https://www.unpac.me/results/d46609db-41ca-469a-88e5-fc47fce4b4c2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6b80fa7ccbabe9b2ccbaf3fc1888c60be4d7fb84a18f48e772bc61c3f0f258e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:MALWARE_Win_CoinMiner02
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MAL_XMR_Miner_May19_1_RID2E1B
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:rig_win64_xmrig_6_13_1_xmrig
Create hunting rule
Author:yarGen Rule Generator
Description:rig_win64 - file xmrig.exe
Reference:https://github.com/Neo23x0/yarGen
Rule name:shad0w_beacon_16June
Create hunting rule
Author:SBousseaden
Description:Shad0w beacon compressed
Reference:https://github.com/bats3c/shad0w

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe 6b80fa7ccbabe9b2ccbaf3fc1888c60be4d7fb84a18f48e772bc61c3f0f258e5

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/248482/
  
URLhaus
https://urlhaus.abuse.ch/url/2084490/
  
Delivery method
Distributed via web download

Comments