MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 773a42f5dd2dbe163dbc36037d53a25675c29fd0dba24d19ccb249a6f590ef12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 9

SHA256 hash: 773a42f5dd2dbe163dbc36037d53a25675c29fd0dba24d19ccb249a6f590ef12
SHA3-384 hash: 119c80b28bd34a8eeb7db3554a9da8a3b0b6eac54158cce995a794b68679469b4da2512421331032595a7bc9b720d91f
SHA1 hash: 7a716d1fa006444305738825f61fcf7b115bcaef
MD5 hash: a078f3e8e65c2bf3151c7bda96ce07d9
humanhash: ohio-jupiter-stream-arkansas
File name: SecuriteInfo.com.Variant.Bulz.242344.9747.13430
Signature: CoinMiner
File size: 1'952'768 bytes
First seen: 2020-12-01 01:45:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 49152:yEfNCdaOgyJt4XxPHC1nBjfrY85mfGz9ucbIsq+tDR4OlP:yEfNiaOgyJAKlBPif89uxsDtlbP
Threatray: 4 similar samples on MalwareBazaar
TLSH: 86953365756474ADF303467341B90A2B5E9EF094ADDB0B3E1C1848AB1362FE97B2B0C7
Reporter: SecuriteInfoCom
Tags: CoinMiner

Intelligence


File Origin
# of uploads: 1
# of downloads: 493
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching a process
DNS request
Connecting to a cryptocurrency mining pool
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun for a service
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Detected Stratum mining protocol
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 325639; sample SecuriteInfo.com.Variant.Bu...; start date 02/12/2020; architecture WINDOWS; score 100), reconstructed from the flattened graph image:

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; Machine Learning detection for sample; 3 other signatures.

Process tree:
- SecuriteInfo.com.Variant.Bulz.242344.9747.exe
    dropped: C:\Users\user\...\PresentationFontCache.exe (PE32+); SecuriteInfo.com.V...242344.9747.exe.log (ASCII)
    - PresentationFontCache.exe
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects code into the Windows Explorer (explorer.exe); 5 other signatures
        - explorer.exe
            network: xmr-eu1.nanopool.org -> 51.15.54.102, 14444, 49743 OnlineSASFR France (Detected Stratum mining protocol)
            signatures: System process connects to network (likely due to code injection or exploit)
            - conhost.exe
- PresentationFontCache.exe
    dropped: C:\Users\user\AppData\...\WinRing0x64.sys (PE32+)
    signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes
    - explorer.exe
        network: 217.182.169.148, 14444, 49747 OVHFR France; 192.168.2.1 unknown unknown; xmr-eu1.nanopool.org
        signatures: System process connects to network (likely due to code injection or exploit)
        - conhost.exe
- PresentationFontCache.exe
    signatures: Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
    - explorer.exe
        network: 51.15.65.182, 14444, 49746 OnlineSASFR France (Detected Stratum mining protocol); xmr-eu1.nanopool.org
        - conhost.exe
- svchost.exe
Threat name: ByteCode-MSIL.Trojan.Masson
Status: Malicious
First seen: 2020-11-30 14:46:04 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: 773a42f5dd2dbe163dbc36037d53a25675c29fd0dba24d19ccb249a6f590ef12
MD5 hash: a078f3e8e65c2bf3151c7bda96ce07d9
SHA1 hash: 7a716d1fa006444305738825f61fcf7b115bcaef
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cryptocoin_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: XMRIG_Miner

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature   File type        SHA256 hash
Web download      CoinMiner   Executable exe   773a42f5dd2dbe163dbc36037d53a25675c29fd0dba24d19ccb249a6f590ef12 (this sample)

Delivery method: Distributed via web download
