MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c88f9d38fcb9dd17d733e65a8ebee46d6b74700a02ba5a4614b7b6002d5ef0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c88f9d38fcb9dd17d733e65a8ebee46d6b74700a02ba5a4614b7b6002d5ef0c
SHA3-384 hash: 17f12ec90f2e8678e8cb66bbd1d3a45f5862866a627fe94fd85c89f43d30f2c5bfa197910f10207bc527a0e854fd1340
SHA1 hash: a365aa7c60357c693b1493eb0f13f112525e1e1f
MD5 hash: e80c9491a679eec91b58c5a8cc20e1b4
humanhash: summer-sad-paris-angel
File name:e80c9491a679eec91b58c5a8cc20e1b4
Download: download sample
Signature CoinMiner
Create hunting rule
File size:171'520 bytes
First seen:2021-07-15 06:04:18 UTC
Last seen:2021-07-15 06:44:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:DRXN9Mo836D4O/sE9lKJvtNK/Iqr35bgMwxHHUtoGO2SD:9xDIkUjK/3Dufs
Threatray 59 similar samples on MalwareBazaar
TLSH T1B1F37D1D5F8AB8DBE8140AB55CA7E6D1066CEFA4F5E1469C34E8BE3CB7D2474C600B90
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e80c9491a679eec91b58c5a8cc20e1b4
Verdict:
No threats detected
Analysis date:
2021-07-15 06:06:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a0a5d736-0726-49ab-b724-53e779caf70e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171866/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.40516.11587.10609.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/630181fe-05a7-43cb-82b8-89ac09930502
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816673
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449084 Sample: CYzY9Pi2ny Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 86 Sigma detected: Xmrig 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 7 other signatures 2->92 8 CYzY9Pi2ny.exe 6 2->8         started        11 smssmanagment.exe 6 2->11         started        15 svchost.exe 2->15         started        17 10 other processes 2->17 process3 dnsIp4 56 C:\Users\user\AppData\...\smssmanagment.exe, PE32+ 8->56 dropped 58 C:\...\smssmanagment.exe:Zone.Identifier, ASCII 8->58 dropped 60 C:\Users\user\AppData\...\CYzY9Pi2ny.exe.log, ASCII 8->60 dropped 19 smssmanagment.exe 14 5 8->19         started        24 cmd.exe 1 8->24         started        72 github.com 140.82.121.3, 443, 49710, 49711 GITHUBUS United States 11->72 74 192.168.2.1 unknown unknown 11->74 76 raw.githubusercontent.com 11->76 112 Multi AV Scanner detection for dropped file 11->112 114 Machine Learning detection for dropped file 11->114 116 Injects code into the Windows Explorer (explorer.exe) 11->116 120 5 other signatures 11->120 26 explorer.exe 11->26         started        28 sihost64.exe 2 11->28         started        30 cmd.exe 1 11->30         started        118 Changes security center settings (notifications, updates, antivirus, firewall) 15->118 78 127.0.0.1 unknown unknown 17->78 file5 signatures6 process7 dnsIp8 64 194.147.142.230, 43187, 49707, 49708 PTPEU unknown 19->64 66 raw.githubusercontent.com 185.199.109.133, 443, 49712, 49713 FASTLYUS Netherlands 19->66 68 github.com 19->68 52 C:\Users\user\AppData\...\sihost64.exe, PE32+ 19->52 dropped 54 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 19->54 dropped 94 Injects code into the Windows Explorer (explorer.exe) 19->94 96 Writes to foreign memory regions 19->96 98 Allocates memory in foreign processes 19->98 110 2 other signatures 19->110 32 explorer.exe 19->32         started        36 cmd.exe 1 19->36         started        38 sihost64.exe 3 19->38         started        100 Uses schtasks.exe or at.exe to add and modify task schedules 24->100 40 conhost.exe 24->40         started        42 schtasks.exe 1 24->42         started        70 pastebin.com 26->70 102 System process connects to network (likely due to code injection or exploit) 26->102 104 Query firmware table information (likely to detect VMs) 26->104 106 Machine Learning detection for dropped file 28->106 44 conhost.exe 30->44         started        46 schtasks.exe 1 30->46         started        file9 108 Detected Stratum mining protocol 64->108 signatures10 process11 dnsIp12 62 pastebin.com 104.23.99.190, 443, 49718, 49725 CLOUDFLARENETUS United States 32->62 80 System process connects to network (likely due to code injection or exploit) 32->80 82 Query firmware table information (likely to detect VMs) 32->82 84 Tries to detect sandboxes and other dynamic analysis tools (window names) 32->84 48 conhost.exe 36->48         started        50 schtasks.exe 1 36->50         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c88f9d38fcb9dd17d733e65a8ebee46d6b74700a02ba5a4614b7b6002d5ef0c/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 00:57:20 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pseptu4pzoo5c7lthzs2r27oi3lloryauav2ljdbjn5waawv54ga._file
Verdict:
malicious
Similar samples:
06ae265d022abb3efb56a9aaf1b4cbee322817434b6dbebd93afa4e2869a2236
CoinMiner
1ed5337566938228ee9afcad29b1f722d55f4f8172a3157af4d4ad913541b2ea
CoinMiner
299dc3bb613a10e1a2d96c3e49d62d42145b1a48fbd6a087da6cc56661e82546
CoinMiner
357a1d94af889c7d73ca1a767222066f3550e007c7f52d3f83895fc5bf2e17b6
CoinMiner
a8288077dd8efe988232bbcc8519f636f097795cd34d87963ea61ac712336d1a
CoinMiner
e08f276f148db04bdcd9fe52e5418b06572a5c537e5610d1ef711591c6d416bf
CoinMiner
e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2
CoinMiner
f970fb9186f287b64997d76b1d4ddc5121b42e4bf697734ae1855a641e95b923
CoinMiner
fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56
CoinMiner
feb12de92aa1536ba75f69b41bf74cc3bd8438df7eb0f0705ebbd1de73994624
CoinMiner
+ 49 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/210715-das4ekz5ze/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
7c88f9d38fcb9dd17d733e65a8ebee46d6b74700a02ba5a4614b7b6002d5ef0c
MD5 hash:
e80c9491a679eec91b58c5a8cc20e1b4
SHA1 hash:
a365aa7c60357c693b1493eb0f13f112525e1e1f
Link:
https://www.unpac.me/results/0811bcf7-1609-411b-9acc-e9aa758926d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c88f9d38fcb9dd17d733e65a8ebee46d6b74700a02ba5a4614b7b6002d5ef0c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 7c88f9d38fcb9dd17d733e65a8ebee46d6b74700a02ba5a4614b7b6002d5ef0c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171866/
  
URLhaus
https://urlhaus.abuse.ch/url/1094014/

Comments


Avatar
zbet commented on 2021-07-15 06:04:19 UTC

url : hxxp://194.147.142.230/download/activation.exe