MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f7ebad193f76acfd76deebe1f9614da18537896e0e6b04d7873cd486f0cf4fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 7



SHA256 hash: 7f7ebad193f76acfd76deebe1f9614da18537896e0e6b04d7873cd486f0cf4fd
SHA3-384 hash: 10bb421b0f193b0cc72cec7c7eb42c4723411c73aeba396f81be82bd2d941b08c7a1c87b48003fc7fe1fa2b8197fc84c
SHA1 hash: 20d9d204ffd36baa007c3cbe3f463d6d52285543
MD5 hash: aa05cdf4da78420528e8c3f328f79e0e
humanhash: papa-pasta-hot-two
File name: 31847597.exe
Signature: CoinMiner
File size: 3'387'904 bytes
First seen: 2022-03-20 05:07:12 UTC
Last seen: 2022-03-20 07:02:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: dc12932426806b6b47a373d7ae42c21d (12 x CoinMiner, 1 x StealeriumStealer)
ssdeep: 98304:ezgEywKybm81KQ7F9caSPi69893Oj81RGL+F6f2IW:etyEZ1KQEaSPH9C5vGL+ZI
Threatray: 16 similar samples on MalwareBazaar
TLSH: T180F501E311D111ADC226C1BEC322F87F8A9FB6BA1B06E7D3A14471196513DD07ABCB25
Reporter: adm1n_usa32
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 363
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun for a service
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Checks BIOS information in registry
Unpacked files
SHA256 hash: 7f7ebad193f76acfd76deebe1f9614da18537896e0e6b04d7873cd486f0cf4fd
MD5 hash: aa05cdf4da78420528e8c3f328f79e0e
SHA1 hash: 20d9d204ffd36baa007c3cbe3f463d6d52285543
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256 hash: 7f7ebad193f76acfd76deebe1f9614da18537896e0e6b04d7873cd486f0cf4fd (this sample)

Delivery method: Distributed via web download

Comments