MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c72220143c425a516165961c18921c0e63fc760d7dc1a68da52087b99f1350d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c72220143c425a516165961c18921c0e63fc760d7dc1a68da52087b99f1350d
SHA3-384 hash: a19e936a232afd57b0e746a2fc8e4b88bace4c00d3064017b196af07d194aa3b97ab0466085fe46ab93692fa784c8985
SHA1 hash: e8488a254531b26f4d5aa2c4ad303001d9ef7f8e
MD5 hash: 504ccaec887a67902cf81c6b584fa1ec
humanhash: colorado-monkey-april-papa
File name:504ccaec887a67902cf81c6b584fa1ec.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:602'600 bytes
First seen:2021-02-07 07:31:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b78c7836a924f9a31372fe7f8bcc6142 (20 x CoinMiner, 1 x CoinMiner.XMRig)
ssdeep 12288:xrWfN3TrQ/g3iK5iiWjnyOymhwiAAsvYciSdsaNzm9hOLKbMJUY29:xif1gTKETHsOesaMTOLKbMz29
Threatray 86 similar samples on MalwareBazaar
TLSH 3CD412AB70009A61D11D8830CF5BCEF99E26FC11D941062F61B8BF5F2FB4961BB1365A
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
566
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115946/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Trojan.Winlock-6629293-0
Create hunting rule

PUA.Win.Malware.Generic-6718284-0
Create hunting rule

PUA.Win.Adware.Hpdefender-6725853-0
Create hunting rule

Multios.Coinminer.Miner-6781728-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a UDP request
Searching for the window
Launching a process
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
mine
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/601204
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found strings related to Crypto-Mining
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 349621 Sample: GPxGE4KziJ.exe Startdate: 07/02/2021 Architecture: WINDOWS Score: 80 35 Multi AV Scanner detection for domain / URL 2->35 37 Antivirus detection for URL or domain 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 3 other signatures 2->41 7 GPxGE4KziJ.exe 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 cmd.exe 1 7->11         started        13 cmd.exe 1 7->13         started        15 13 other processes 7->15 process5 17 taskkill.exe 1 9->17         started        19 conhost.exe 9->19         started        21 taskkill.exe 1 11->21         started        23 conhost.exe 11->23         started        25 taskkill.exe 1 13->25         started        27 conhost.exe 13->27         started        29 taskkill.exe 1 15->29         started        31 taskkill.exe 1 15->31         started        33 15 other processes 15->33
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c72220143c425a516165961c18921c0e63fc760d7dc1a68da52087b99f1350d/
Threat name:
Win32.Trojan.MinerXMRig
Create hunting rule
Status:
Malicious
First seen:
2021-02-07 07:32:07 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=przceakdyqs2kfqwlfq4dcjbydtd7r3a27obu2g2kiehxgprgugq._file
Verdict:
malicious
Similar samples:
2e13c882d28c2236893a0a543e67c74a4f2e560d98c98b800f95c07938156a37
CoinMiner
56133c0d017af35f49253926e3583cf72c36146ab7faa65b6058971685166652
CoinMiner
7333ddf4a7e53eeda33a8360b307471358597aeff78f4a5a7f4610640f97bdc7
CoinMiner
75b388003cc32b680abc3d9b41bc6c435af723de235eaab36a323fddcb906f62
CoinMiner
799b7395c9f279d8cd1cd24657788ecb37db7ae03c0dddeb3344a95a551d1325
CoinMiner
82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55
CoinMiner
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
CoinMiner
b6a56587ff63ad2c27323d56510915125be1f171324029353303659eb438d0ed
CoinMiner
f4158e798cb1c425cd5c50250f7016e9acd26bae7373e46585907682f120c546
CoinMiner
f7a8d3fb89711f208f281c267ed8dd647cda207ecb514d37892b56a0ddafbe9a
CoinMiner
+ 76 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion upx
Link:
https://tria.ge/reports/210207-4647xfjp3a/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Launches sc.exe
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Stops running service(s)
UPX packed file
Unpacked files
SH256 hash:
ee52760f42cdfb2a00eea530ff1611a428a9ee6c70e8e3b15357a5d9c868aee7
MD5 hash:
716195a2f6a5658c0ac883472019f6fe
SHA1 hash:
4ac4d538d6a9847e7dc6b6c23e981ab744004fe5
Link:
https://www.unpac.me/results/694ebe3c-a213-4be3-8bf0-8b4d2395ef47/
SH256 hash:
41913a267dbe3ca49a3cef8ea17cf1bbac9114d0fbfd1bb1486c6349f388a4c3
MD5 hash:
297564476432cc5b7345d438d115942f
SHA1 hash:
250c342289f6f75ae2e6a86503c62cd0c725d622
Link:
https://www.unpac.me/results/694ebe3c-a213-4be3-8bf0-8b4d2395ef47/
SH256 hash:
8fae8ad0f887d246e7b775e58d02e9a44cd6ef5b8e34336333cbeb0f052d6299
MD5 hash:
67c7b1ce745d036217404122de1e7a00
SHA1 hash:
476aeeab9527834f909f4026b43bcd9f515b4624
Link:
https://www.unpac.me/results/694ebe3c-a213-4be3-8bf0-8b4d2395ef47/
SH256 hash:
7c72220143c425a516165961c18921c0e63fc760d7dc1a68da52087b99f1350d
MD5 hash:
504ccaec887a67902cf81c6b584fa1ec
SHA1 hash:
e8488a254531b26f4d5aa2c4ad303001d9ef7f8e
Link:
https://www.unpac.me/results/694ebe3c-a213-4be3-8bf0-8b4d2395ef47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c72220143c425a516165961c18921c0e63fc760d7dc1a68da52087b99f1350d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:XMRIG_Miner
Create hunting rule
Rule name:Yayih
Create hunting rule
Author:Seth Hardy
Description:Yayih
Rule name:YayihStrings
Create hunting rule
Author:Seth Hardy
Description:Yayih Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 7c72220143c425a516165961c18921c0e63fc760d7dc1a68da52087b99f1350d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/115946/
  
URLhaus
https://urlhaus.abuse.ch/url/983291/
  
Delivery method
Distributed via web download

Comments