MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7870d51e2ec6a82fede5bcb9a3dd55c530354b9847b1342e15bfd9f6dc5b40fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 13



SHA256 hash: 7870d51e2ec6a82fede5bcb9a3dd55c530354b9847b1342e15bfd9f6dc5b40fb
SHA3-384 hash: c8afc551ae6009d964bb21e1b4385b79b982611c8b4202d2ddf8f5de1f2a6b8db894c01ba1c77891af6840d67c98f6e2
SHA1 hash: 305196cf96a25f11138cc71d33711f644b66cf53
MD5 hash: 599d2d45fa16bd871c7f4d57533fc0a4
humanhash: paris-twenty-edward-river
File name: SecuriteInfo.com.Win64.Evo-gen.19443.26842
Signature: CoinMiner
File size: 10'972'160 bytes
First seen: 2024-09-15 15:25:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3fac356340f08f787f93cbf317f090cd (13 x CoinMiner)
ssdeep: 196608:dzfvBqR2zVkX2xnxX907v7Ir7O8N4u0IqrkxSejlGEBmTejOE:5hR1xN07DE730uxj8LK
TLSH: T1A7B633C5299741BDC2B2293072BB4B6601B03DEEC1FE8A2F3AD5F92532F4D469C58974
TrID: 33.6% (.EXE) OS/2 Executable (generic) (2029/13)
      33.1% (.EXE) Generic Win/DOS Executable (2002/3)
      33.1% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
File icon (PE): PE icon
dhash icon: fcdcf4d4c4c4c4c4 (10 x CoinMiner)
Reporter: SecuriteInfoCom
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 373
Origin country: FR

Vendor Threat Intelligence
Verdict: Malicious
Score: 93.3%
Tags: Malware

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug packed packed vmprotect
Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found direct / indirect Syscall (likely to bypass EDR)
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Uses powercfg.exe to modify the power settings
Behaviour
Behavior Graph ID: 1511499
Sample: SecuriteInfo.com.Win64.Evo-...
Startdate: 15/09/2024
Architecture: WINDOWS
Score: 100

Signatures on the submitted sample:
- Antivirus / Scanner detection for submitted sample
- Multi AV Scanner detection for submitted file
- Sigma detected: Stop EventLog
- 2 other signatures

Process tree (reconstructed from the behavior graph):
SecuriteInfo.com.Win64.Evo-gen.19443.26842.exe (started)
  Dropped file: C:\ProgramData\...\etzpikspwykg.exe (PE32+)
  Signatures:
  - Overwrites code with unconditional jumps - possibly settings hooks in foreign process
  - Uses powercfg.exe to modify the power settings
  - Found direct / indirect Syscall (likely to bypass EDR)
  - Modifies power options to not sleep / hibernate
  Child processes:
  - powercfg.exe (started) -> conhost.exe
  - powercfg.exe (started) -> conhost.exe
  - powercfg.exe (started) -> conhost.exe
  - 5 other processes -> conhost.exe (x3), 2 other processes
etzpikspwykg.exe (started)
  Signatures:
  - Antivirus detection for dropped file
  - Multi AV Scanner detection for dropped file
Threat name: Win32.Coinminer.XMRig
Status: Malicious
First seen: 2024-08-23 14:55:53 UTC
File Type: PE+ (Exe)
Extracted files: 17
AV detection: 23 of 38 (60.53%)
Threat level: 4/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:xmrig evasion execution miner persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Suspicious use of SetThreadContext
Power Settings
Executes dropped EXE
Loads dropped DLL
Creates new service(s)
Stops running service(s)
XMRig Miner payload
xmrig
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 7870d51e2ec6a82fede5bcb9a3dd55c530354b9847b1342e15bfd9f6dc5b40fb
MD5 hash: 599d2d45fa16bd871c7f4d57533fc0a4
SHA1 hash: 305196cf96a25f11138cc71d33711f644b66cf53

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_Malicious_VBScript_Base64
Author: daniyyell
Description: Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

Rule name: pe_detect_tls_callbacks

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
CoinMiner
Executable exe 7870d51e2ec6a82fede5bcb9a3dd55c530354b9847b1342e15bfd9f6dc5b40fb (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                  Severity
CHECK_AUTHENTICODE          Missing Authenticode                                   high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (GUARD_CF)        high
CHECK_PIE                   Missing Position-Independent Executable (PIE) Protection   high

Comments