MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78b811d0d4031e590324cc4892780f4caa5bb94dc92bbc04f8ea2dc254ac5c8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78b811d0d4031e590324cc4892780f4caa5bb94dc92bbc04f8ea2dc254ac5c8b
SHA3-384 hash: e141140dccdf3891ecb402fc40e98881735f2ad70ff3917e32d15f4b91c671336a9087bc14a786c8f61d91316f72eaa5
SHA1 hash: 658855aa4ec08ce672caefd4e11a0b103e13e526
MD5 hash: 19f5fbb860118ee3626c57487c7e51f1
humanhash: monkey-artist-hotel-spring
File name:Documents_on_your_case.exe
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:3'139'072 bytes
First seen:2022-07-08 21:32:02 UTC
Last seen:2022-07-08 22:38:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 98b252a51a01fcba63f9c21f7f1ec9e1 (2 x CoinMiner.XMRig, 2 x RedLineStealer)
ssdeep 49152:KjMUwGYOuxAz3fLc5ClZ6FPdu2mHMWuA5L5KI438uW5TPSQr7dqz3a/g2SHVyUtT:KjMAEIKulMbiL5KxsuWsQroLv15
Threatray 22 similar samples on MalwareBazaar
TLSH T1DEE5D06EEB1585B0E51B53B5864FDB7B8B286A145031DEBFFF4AD628F533003B858242
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter 0xToxin
Tags:CoinMiner.XMRig exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
426
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://gg.gg/Your_case_files
Verdict:
Malicious activity
Analysis date:
2022-07-08 15:00:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f59ae52a-f914-440d-983a-11ce42922084

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/285715/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.112364.8924.22576.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Sending an HTTP GET request
Creating a window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/24649/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug greyware packed
Link:
https://www.filescan.io/uploads/62c8a2903298ebd789087eb0/reports/27de52f1-ccb0-448f-9986-91053d87d503/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41bd3ee7-b43c-4668-a58c-b145aed67c4d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1027569
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78b811d0d4031e590324cc4892780f4caa5bb94dc92bbc04f8ea2dc254ac5c8b/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2022-07-08 18:58:37 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pc4bduguampfsazezreje6apjsvfxoknzev3ybhy5iw4evfmlsfq._file
Verdict:
malicious
Similar samples:
06cd1b17015926da3c902f7b67e130054e9170f355a1cdf1274ddc955f4152ee
CoinMiner.XMRig
0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256
CoinMiner.XMRig
39f1a98ab29664ef492b052c44f6ea76148d75baaf55b7b037cc0575eb8b25d4
CoinMiner.XMRig
40daa898f98206806ad3ff78f63409d509922e0c482684cf4f180faac8cac273
CoinMiner.XMRig
595a5d21b386ba8e30b567cbe575b24ed104ee589037a48aa2d277452ba0b6a6
CoinMiner.XMRig
6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547
CoinMiner.XMRig
960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63
CoinMiner.XMRig
b7cea1f983cf8ed41120e2d4a17b7fe2ec6693d2d990172568cdbbd6b9fbd319
CoinMiner.XMRig
e8e4a4c7c5c593136058722cabe2d42631feffde95d923f5fd7020b0c7286f22
CoinMiner.XMRig
+ 12 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon discovery evasion spyware stealer suricata
Link:
https://tria.ge/reports/220708-1dmynahffl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Modifies security service
Raccoon
Unpacked files
SH256 hash:
b5ede17def47bf0500a9c5f9cc3298aad4801125cf433c3e0d851643e0a2d167
MD5 hash:
27c43dcf43bbca19a36f74fd2771d47e
SHA1 hash:
d91904ab2a880ce7b0ab14fa32e2a47dc374773b
Link:
https://www.unpac.me/results/b11bbfa8-380f-4c04-bc78-efce4965f548/
SH256 hash:
78b811d0d4031e590324cc4892780f4caa5bb94dc92bbc04f8ea2dc254ac5c8b
MD5 hash:
19f5fbb860118ee3626c57487c7e51f1
SHA1 hash:
658855aa4ec08ce672caefd4e11a0b103e13e526
Link:
https://www.unpac.me/results/b11bbfa8-380f-4c04-bc78-efce4965f548/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/78b811d0d403/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78b811d0d4031e590324cc4892780f4caa5bb94dc92bbc04f8ea2dc254ac5c8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

CoinMiner.XMRig

Executable exe 78b811d0d4031e590324cc4892780f4caa5bb94dc92bbc04f8ea2dc254ac5c8b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/285715/

Comments