MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306
SHA3-384 hash: e93642a41f92deda603ff8a91b01ea08d2211424854337a20fb6e2dbdbabc011e72184f9f9e3763a87c3a9dfa789699f
SHA1 hash: 42ea2c9f4548614574dff36e019ae1cbc68b54e3
MD5 hash: 1fc1c860e86a8fbc2021d2567d62f703
humanhash: august-foxtrot-chicken-lithium
File name:11.exe
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:1'459'712 bytes
First seen:2021-05-07 12:55:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f27641a9746cdd4a03a233e1cf5e6ee7 (1 x CoinMiner.XMRig)
ssdeep 24576:A5qezbM2Lh4oA3CMGGjXFQN/UTujRUsB57MSvpMnMW3+C/+QGJlsnUtZIi9u:Ak4ttS5vjXS3hZMipMnMW3+CaJynpi
Threatray 136 similar samples on MalwareBazaar
TLSH D66533A9A05BD4ADD4D21D395B5CFEC10C863B234FA2391B3E48C1D02A356E163E9F67
Reporter starsSk87264403
Tags:CoinMiner CoinMiner.XMRig

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://124.160.126.238/Down.exe
Verdict:
Malicious activity
Analysis date:
2021-01-25 07:27:23 UTC
Tags:
trojan loader
Link:
https://app.any.run/tasks/6c1d9aa4-2147-4872-8ac4-71a7ccf8f815

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/152687/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Dropper.Tiggre-9845940-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a service
Launching the process to change network settings
Creating a process with a hidden window
Sending a custom TCP request
Launching a service
Launching a process
Running batch commands
Creating a window
Adding an access-denied ACE
DNS request
Sending an HTTP GET request
Deleting a recently created file
Creating a process from a recently created file
Sending a UDP request
Replacing files
Possible injection to a system process
Enabling autorun for a service
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/719708
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a Windows Service pointing to an executable in C:\Windows
Detected Stratum mining protocol
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 408782 Sample: 11.exe Startdate: 09/05/2021 Architecture: WINDOWS Score: 100 61 Multi AV Scanner detection for domain / URL 2->61 63 Antivirus detection for URL or domain 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 7 other signatures 2->67 8 svchost.exe 2->8         started        11 11.exe 3 2 2->11         started        14 svchost.exe 1 2->14         started        process3 file4 73 System process connects to network (likely due to code injection or exploit) 8->73 75 DLL side loading technique detected 8->75 77 Injects a PE file into a foreign processes 8->77 16 svchost.exe 17 8->16         started        53 C:\Windows\Cursors\WUDFhosts.exe, PE32+ 11->53 dropped 79 Creates a Windows Service pointing to an executable in C:\Windows 11->79 81 Uses netsh to modify the Windows network and firewall settings 11->81 21 netsh.exe 33 3 11->21         started        23 netsh.exe 9 3 11->23         started        25 netsh.exe 13 3 11->25         started        27 9 other processes 11->27 signatures5 process6 dnsIp7 55 www.362com.com 222.99.11.146, 49746, 80 KIXS-AS-KRKoreaTelecomKR Korea Republic of 16->55 49 C:\Windows\...\active_desktop_render_New.dll, PE32 16->49 dropped 51 C:\Windows\Help\active_desktop_render.dll, PE32 16->51 dropped 69 System process connects to network (likely due to code injection or exploit) 16->69 71 Drops executables to the windows directory (C:\Windows) and starts them 16->71 29 WUDFhosts.exe 1 16->29         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        39 conhost.exe 27->39         started        41 conhost.exe 27->41         started        43 conhost.exe 27->43         started        45 6 other processes 27->45 file8 signatures9 process10 dnsIp11 57 xmr.usa-138.com 211.108.74.246, 49747, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 29->57 59 192.168.2.1 unknown unknown 29->59 83 Antivirus detection for dropped file 29->83 85 Multi AV Scanner detection for dropped file 29->85 87 Machine Learning detection for dropped file 29->87 47 conhost.exe 29->47         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306/
Threat name:
Win32.Trojan.BlackMoon
Create hunting rule
Status:
Malicious
First seen:
2020-12-14 12:52:02 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oyafzyvx5mgjl6g4ybvvaesey45rpm5p6zphrrtsystk4vxgomda._file
Verdict:
malicious
Similar samples:
03e2a3a9c9b3198096bb8d8048d26057fb9dd3aedc0956971571d2e8c315a628
CoinMiner.XMRig
932d20d000d9937c91fa274b237da8437124209ebfcf1eb5ab1aaa3bfd25b342
CoinMiner.XMRig
9b62c3d508b19fc49f89587508b3347822e445175f6bdabee2890894d20f0c07
CoinMiner.XMRig
a693d0ca07c52b3b762b35235ef911995d28cfef99d77fed6756b720ae1cfb46
CoinMiner.XMRig
a8731ccdac72abc4006c2673bff8821ef87785bbbc3bfdda97d6af625a920451
CoinMiner.XMRig
b50347da8c31dba7f53b175e7348227f6343b8b33343a91370b3a29eb00ff8dc
CoinMiner.XMRig
b9788196edf2a97f700a1f5237961e3353bf29dc1a7dbe61191314b8dcf10cf0
CoinMiner.XMRig
d83dab4a218498a92725b0ddf41cc02c55705ded690c71ded36305ab4d8af5dd
CoinMiner.XMRig
dd9fe2b276905236c36f6f8461ac20cc5f7f1a3c999b4211f6d606027f02a21f
CoinMiner.XMRig
f781bb584b94995153c63991eda5ca80e4bfdac2f4d50a27534669bd26f8a3cd
CoinMiner.XMRig
+ 126 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210507-jsxwgwgc7n/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Executes dropped EXE
Sets DLL path for service in the registry
UPX packed file
Unpacked files
SH256 hash:
8f75205f74148b34d8dddd300d88d41090d886927cbed40218e6f2424f63fb6f
MD5 hash:
6997da063f4612a2ce4b543e6079bc98
SHA1 hash:
de968a4577ed2c27d4ea70020477c0cc05eff585
Link:
https://www.unpac.me/results/09b61bd4-6187-4bc1-9d08-e6e594c239eb/
SH256 hash:
62322d2ff7c9304c095e287631327d81656670fe4a33caa88bdfe9d8b56c833b
MD5 hash:
44625ea9c720fbb79d259ea4a37256b1
SHA1 hash:
a567cae75cb7928d3564f29844b5e35a919e98cc
Link:
https://www.unpac.me/results/09b61bd4-6187-4bc1-9d08-e6e594c239eb/
SH256 hash:
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306
MD5 hash:
1fc1c860e86a8fbc2021d2567d62f703
SHA1 hash:
42ea2c9f4548614574dff36e019ae1cbc68b54e3
Link:
https://www.unpac.me/results/09b61bd4-6187-4bc1-9d08-e6e594c239eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe 76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/863146/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/152687/

Comments