MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75b77800228079a5b6b94166581b2b406f6dca7baf3a9fb163aa0a2d2a89926b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 7



SHA256 hash: 75b77800228079a5b6b94166581b2b406f6dca7baf3a9fb163aa0a2d2a89926b
SHA3-384 hash: 5a18a7d8b4a77872332b2a033d3d620e1753d0480ec33e246ae1e225bbe9209aa7bb3114e3cc64b6cb5af43f25b8aacd
SHA1 hash: 138f85fabb71e56ff351508ed79b2308883cbc41
MD5 hash: 9618279667a233d19c843a54cf2e1c81
humanhash: shade-ack-arizona-purple
File name: 9618279667a233d19c843a54cf2e1c81
Signature: CoinMiner
File size: 168'960 bytes
First seen: 2021-08-05 07:45:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 67 x LummaStealer, 61 x Rhadamanthys)
ssdeep: 3072:mahKyd2n31D5GWp1icKAArDZz4N9GhbkrNEkbw2rv:mahO3p0yN90QEc
Threatray: 99 similar samples on MalwareBazaar
TLSH: T176F36C0B67F811A6E4B5937059F203D359327D615B3882EF128EE97E1E336E0A631B17
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 159
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9618279667a233d19c843a54cf2e1c81
Verdict: No threats detected
Analysis date: 2021-08-05 07:46:46 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Connection attempt to an infection source
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 56 / 100
Signature
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 460246; sample WWtyaDzm1d; start date 05/08/2021; architecture WINDOWS; score 56):
Signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file
Process tree: WWtyaDzm1d.exe -> cmd.exe -> powershell.exe, conhost.exe; rundll32.exe started separately
Network (from powershell.exe): qmumdjffuiocstjfmdqt.com, 5.63.154.248, port 443 (local port 49731), AS-REGRU, Russian Federation
Result
Malware family:
Score: 10/10
Tags: family:xmrig evasion miner persistence
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: 75b77800228079a5b6b94166581b2b406f6dca7baf3a9fb163aa0a2d2a89926b
MD5 hash: 9618279667a233d19c843a54cf2e1c81
SHA1 hash: 138f85fabb71e56ff351508ed79b2308883cbc41
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File: Executable exe 75b77800228079a5b6b94166581b2b406f6dca7baf3a9fb163aa0a2d2a89926b (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-08-05 07:45:11 UTC

url : hxxps://qmumdjffuiocstjfmdqt.com/miner.EXE