MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c4cf7b175c499172b59d7f5f5ece3b6717345b6ea0b6e53d56b315516dd870e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c4cf7b175c499172b59d7f5f5ece3b6717345b6ea0b6e53d56b315516dd870e
SHA3-384 hash: 7033b5bdec4856914fbc707c80431095510c47f2bc1c8ccb9fc2e34aa9dbc95081506c1ef1462a8f7930507db2293723
SHA1 hash: 61a18e5a47b39d34998ef50fcb5d7dbbbb8684ac
MD5 hash: 0aa26750fa55dbc9d65c8f1d4b1b8a32
humanhash: happy-burger-crazy-neptune
File name:hdghgfdhfghdfghdg.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'633'088 bytes
First seen:2023-01-06 05:21:46 UTC
Last seen:2023-01-06 06:27:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 98304:xRcScwlZH8VMK5JkL36b40ZcqRk92Cf92B0Dg43Yg+1E:x93crkLKb4z92IK5YVf
Threatray 16'987 similar samples on MalwareBazaar
TLSH T10E461AA27A16AABFC3867478909FAD03D3B403F3473396C1CD1578B84782B551E87B5A
TrID 51.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.4% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter r3dbU7z
Tags:CoinMiner exe Themida

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hdghgfdhfghdfghdg.exe
Verdict:
Malicious activity
Analysis date:
2023-01-06 05:23:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/43b8e3b7-91df-48f2-aaac-6184d09ce7c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349869/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64704954.9520.28535.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
hacktool overlay packed
Link:
https://www.filescan.io/uploads/63b7affc0e926711fd772d68/reports/d13c20d9-7373-49ff-9032-6ae88324f38e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bec35387-f2c8-43d3-97a7-fc2cde8c93d0
Result
Threat name:
Pennywise Stealer, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1146039
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
DNS related to crypt mining pools
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Pennywise Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 778771 Sample: hdghgfdhfghdfghdg.exe Startdate: 06/01/2023 Architecture: WINDOWS Score: 100 51 xmr-eu1.nanopool.org 2->51 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 65 Antivirus detection for dropped file 2->65 67 12 other signatures 2->67 8 hdghgfdhfghdfghdg.exe 15 42 2->8         started        13 WinUpdate.exe 2->13         started        15 fontdrvhost.exe 2->15         started        17 5 other processes 2->17 signatures3 process4 dnsIp5 53 79.137.248.99, 49704, 80 DINET-ASRU Russian Federation 8->53 55 api4.ipify.org 64.185.227.156, 443, 49703 WEBNXUS United States 8->55 57 3 other IPs or domains 8->57 43 C:\Users\user\...\tmp6A9D.tmp3alp5xsxb52.exe, PE32+ 8->43 dropped 45 C:\Users\user\...\tmp6A10.tmpmmc16vymh7r5.exe, PE32 8->45 dropped 87 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->87 89 Query firmware table information (likely to detect VMs) 8->89 91 May check the online IP address of the machine 8->91 101 2 other signatures 8->101 19 tmp6A10.tmpmmc16vymh7r5.exe 1 4 8->19         started        23 tmp6A9D.tmp3alp5xsxb52.exe 3 8->23         started        25 WerFault.exe 8->25         started        47 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 13->47 dropped 49 C:\Users\user\AppData\Local\...\iwgqhvtt.tmp, PE32+ 13->49 dropped 93 Multi AV Scanner detection for dropped file 13->93 95 Tries to detect virtualization through RDTSC time measurements 13->95 97 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->97 99 Uses schtasks.exe or at.exe to add and modify task schedules 17->99 28 conhost.exe 17->28         started        30 conhost.exe 17->30         started        32 schtasks.exe 17->32         started        34 conhost.exe 17->34         started        file6 signatures7 process8 dnsIp9 39 C:\Users\user\AppData\...\fontdrvhost.exe, PE32 19->39 dropped 69 Antivirus detection for dropped file 19->69 71 Multi AV Scanner detection for dropped file 19->71 73 Detected unpacking (changes PE section rights) 19->73 77 3 other signatures 19->77 36 fontdrvhost.exe 19->36         started        41 C:\Users\user\AppData\...\WinUpdate.exe, PE32+ 23->41 dropped 75 Tries to detect virtualization through RDTSC time measurements 23->75 59 192.168.2.1 unknown unknown 25->59 file10 signatures11 process12 signatures13 79 Antivirus detection for dropped file 36->79 81 Multi AV Scanner detection for dropped file 36->81 83 Query firmware table information (likely to detect VMs) 36->83 85 2 other signatures 36->85
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c4cf7b175c499172b59d7f5f5ece3b6717345b6ea0b6e53d56b315516dd870e/
Threat name:
Win32.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2023-01-02 18:20:19 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
15 of 21 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nrgppmlvysmrok2z2727l3hdwzyxgrnw5ifw4u6vnmyvkfw5q4ha._file
Verdict:
malicious
Similar samples:
24cd4865f03fcaa7b5e76245734a43309cae82e24843cd667ceb3c3d46aa3095
CoinMiner
739a3e0733b75f4d7fcd2bc746422ea269ee8cb04e30fcad6d3b1e1163ececf1
CoinMiner
841572da329176a7f23da214406a8c5d19c4107206df3d83bfcd8dd6dc906ecf
CoinMiner
9a9b6177e715c7461d686b2773507d48c7ee7ce96e26aef62b25e0249e392fef
CoinMiner
a484a486e4ccce5d89bed7fd21d3aef4802a85b3147a0445ccca16b3df95267a
CoinMiner
a7b9f85870179430e1d8776a0fe5b2bfde0dfee26a168c5ace0287a7a461835c
CoinMiner
c53f7ebd83475a296ad52cd4e9c44c7eb93f0db72182e66c2816a81571400112
CoinMiner
e21d4e0b2f711e72b6251d1a0a5f1a703baffb7c7ddd1d1b087bc9068f17aaa8
CoinMiner
fad1b92b67d6509a5d114b43395bd428b8fff6b827198083f1abc801a9c78525
CoinMiner
+ 16'977 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner persistence spyware stealer themida trojan upx
Link:
https://tria.ge/reports/230106-f2kg8ahh3x/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/72c783ed-4739-45c4-b392-f15478ef2c8a
Unpacked files
SH256 hash:
a4009288982e4c30d22b544167f72db882e34f0fda7d4061b2c02c84688c0ed1
MD5 hash:
7c359500407dd393a276010ab778d5af
SHA1 hash:
4d63d669b73acaca3fc62ec263589acaaea91c0b
Link:
https://www.unpac.me/results/f451c0f4-8729-4b63-be88-769c945a8d2b/
SH256 hash:
6c4cf7b175c499172b59d7f5f5ece3b6717345b6ea0b6e53d56b315516dd870e
MD5 hash:
0aa26750fa55dbc9d65c8f1d4b1b8a32
SHA1 hash:
61a18e5a47b39d34998ef50fcb5d7dbbbb8684ac
Link:
https://www.unpac.me/results/f451c0f4-8729-4b63-be88-769c945a8d2b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c4cf7b175c4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6c4cf7b175c499172b59d7f5f5ece3b6717345b6ea0b6e53d56b315516dd870e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 6c4cf7b175c499172b59d7f5f5ece3b6717345b6ea0b6e53d56b315516dd870e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/349869/

Comments