MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77866060d47be3f2b4395314cfa66b7f9faf4007b72bfcb0cb406e4207e64aad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 10



SHA256 hash: 77866060d47be3f2b4395314cfa66b7f9faf4007b72bfcb0cb406e4207e64aad
SHA3-384 hash: f32cbb4b3915ed40133db4a2ae0b9a5c79e8924ff884423f9b5a15e402d94cb7eab2117f3622ed0b70df036b7fa56777
SHA1 hash: 8778645fd3045b9aff5ec2b0706a8acbd51d98e0
MD5 hash: 642dbeb37f2954365179c67f3c5d02dd
humanhash: freddie-quiet-oregon-october
File name: midnight.exe
Signature: CoinMiner
File size: 13'971'456 bytes
First seen: 2022-03-25 06:11:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bb2e9e2bb2989c645bb17e20b34e011e (3 x DCRat, 1 x CoinMiner, 1 x njrat)
ssdeep: 196608:o/nXYkaVTrTI5eDGEDmiefgcdVc/4gs8D0DD6k9JihvV36xm/S+3q/IzH1ln:4XYRTMvEDug6u4b8QPP9JixwN++kHbn
Threatray: 3 similar samples on MalwareBazaar
TLSH: T1D5E63363553831C6E4C5CC3A8A37BED675FA07ABC784B8B555CF7AC628278806613C63
Reporter: adm1n_usa32
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 316
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Creating a file
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BitCoin Miner
Detection: malicious
Classification: spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected BitCoin Miner
Behaviour
Behavior Graph: [graph rendering not reproducible in text] Behavior Graph ID: 596772, Sample: midnight.exe, Startdate: 25/03/2022, Architecture: WINDOWS, Score: 100
Threat name: Win32.Dropper.Delfea
Status: Malicious
First seen: 2022-03-17 02:06:38 UTC
File Type: PE (Exe)
AV detection: 21 of 26 (80.77%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner spyware stealer vmprotect
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: d6d425a1f845a8ff4c4aefaa967ab910737cb06f17e4e1cf9cb7de85caecb7b5
MD5 hash: 371bca9d86ffe68282e6183a8da5b123
SHA1 hash: fa89d0e0820afb3e4799d8ab6f25df09551f5bfc

SHA256 hash: 3210772860f0a22acd9e1d179a20f9d1dd23ef7f79a8dca7c8bac06c59877fe2
MD5 hash: e00f7fc5b939205dd7179d7b8e78a290
SHA1 hash: a33e6fbba09122cf26e2f6c0487fab0c9818b44d

SHA256 hash: 0c15509fd237b4384ccc01e53419f166c6460a74c4f4b13350bea17ce1d94866
MD5 hash: 8b0862a2e6ba2a8f03c96c793cb039d7
SHA1 hash: bdfb0db3eb7699869d07f6e8145c483b9379d598

SHA256 hash: 77866060d47be3f2b4395314cfa66b7f9faf4007b72bfcb0cb406e4207e64aad
MD5 hash: 642dbeb37f2954365179c67f3c5d02dd
SHA1 hash: 8778645fd3045b9aff5ec2b0706a8acbd51d98e0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments