MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8080524135f4518bd83acbe95dc37cb615fdcf4be70308a6e9555060ecd2f10c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 8



SHA256 hash: 8080524135f4518bd83acbe95dc37cb615fdcf4be70308a6e9555060ecd2f10c
SHA3-384 hash: b5b2d06f7df9d5ae804bee01f8c2b62e9c2ebbf3eaa3a592580c33439ea887796c929199614392393f1438e6b8a3575f
SHA1 hash: 417630de170078dc38e34fed6ae1686479846a3a
MD5 hash: e1fcebc083fa9c9998b17f5cc04c4c64
humanhash: arizona-mountain-chicken-freddie
File name: 8080524135f4518bd83acbe95dc37cb615fdcf4be70308a6e9555060ecd2f10c
Download: download sample
Signature: CoinMiner
File size: 1'335'486 bytes
First seen: 2021-09-23 07:05:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:6DWHSb4NhXcTYIgatsyA69wxo3nfvNt+m6FBsrQCUJYCWG:J84DcTa969wuv1D6FqrQtvN
Threatray: 684 similar samples on MalwareBazaar
TLSH: T1BF551202FD91A6B1D5621C329969AA52713EFD301F258FDBB3D4591EDA300E0E734BA3
File icon (PE): [icon image]
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: JAMESWT_WT
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 202
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ff538c5a421374310cbf49a8cd574ec5492861cc86f7ca1719f03b3473ee3630
Verdict: Malicious activity
Analysis date: 2021-09-23 06:56:55 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Threat name:
Detection: malicious
Classification: spre.troj.adwa.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Creates autorun.inf (USB autostart)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to evade analysis by execution special instruction which cause usermode exception
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Behavior Graph ID: 488664, Sample: 38h7dytomX, Start date: 23/09/2021, Architecture: WINDOWS, Score: 100. The graph image is rendered here as a process tree with the dropped files and signatures attached to each node:

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 7 other signatures

38h7dytomX.exe (submitted sample)
  drops: C:\Users\user\AppData\Local\...\????????.exe (PE32)
  +- ????????.exe
     signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 4 other signatures
     +- server.exe
        drops: C:\system.exe (PE32); C:\Umbrella.flv.exe (PE32); C:\autorun.inf (Microsoft)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates autorun.inf (USB autostart); 8 other signatures
        +- svchost.exe
        |  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 4 other signatures
        |  +- server.exe
        |     drops: C:\Windows\SysWOW64xplower.exe (PE32); C:\Users\user\AppData\Roaming\...\svchost.exe (PE32); C:\Users\user\...\Microsoft Corporation.exe (PE32); 2 other malicious files
        |     signatures: Hides threads from debuggers
        |     +- svchost.exe
        |     |  drops: C:\Users\user\AppData\Roaming\server.exe (PE32)
        |     |  signatures: Hides threads from debuggers
        |     +- netsh.exe
        |        +- conhost.exe
        +- netsh.exe
           +- conhost.exe
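The identifier table above gives the sample's MD5, SHA1, SHA256 and SHA3-384, and the behaviour graph records where the chain writes its payloads: autorun.inf, system.exe and Umbrella.flv.exe at the volume root, server.exe and a renamed svchost.exe under AppData\Roaming, and a PE file in the Startup folder. The script below is an added example, not MalwareBazaar's or any sandbox vendor's code; it sweeps a directory tree for both kinds of on-disk indicator. It runs against a constructed temporary tree (not real victim data), and the one extra SHA256 it adds to the IOC set is the digest of a constructed file so that the hash path can be exercised offline. ssdeep, TLSH and imphash are not computed because they need third-party libraries.

```python
"""Sweep a directory tree for the on-disk indicators this entry reports:
the file hashes from the identifier table and the dropped-file locations from
the sandbox process tree. Added example, not MalwareBazaar's or a sandbox
vendor's code."""
import hashlib
import os
import shutil
import tempfile

# Digests copied from the identifier table of this entry (sets, so more
# hashes of the same family can be added later).
IOC_HASHES = {
    "md5": {"e1fcebc083fa9c9998b17f5cc04c4c64"},
    "sha1": {"417630de170078dc38e34fed6ae1686479846a3a"},
    "sha256": {"8080524135f4518bd83acbe95dc37cb615fdcf4be70308a6e9555060ecd2f10c"},
    "sha3_384": {"b5b2d06f7df9d5ae804bee01f8c2b62e9c2ebbf3eaa3a592580c33439ea887796c929199614392393f1438e6b8a3575f"},
}

# Locations taken from the behaviour graph's dropped-file list.
ROOT_DROPS = {"autorun.inf", "system.exe", "umbrella.flv.exe"}
STARTUP_DIR = "appdata/roaming/microsoft/windows/start menu/programs/startup/"
SYSTEM_DIRS = ("windows/system32/", "windows/syswow64/")


def digests(path, chunk=1 << 16):
    """Hex digests of one file for every algorithm in IOC_HASHES, single pass."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def is_pe(path):
    """Cheap PE check: DOS header magic 'MZ'."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def classify(rel, path, hashes):
    """Reasons why one file matches; rel is the path relative to the scanned root."""
    rel = rel.replace("\\", "/").lower()
    name = rel.rsplit("/", 1)[-1]
    reasons = []
    if "/" not in rel and name in ROOT_DROPS:
        reasons.append(f"dropped-at-volume-root:{name}")
    if rel.endswith("appdata/roaming/server.exe"):
        reasons.append("server.exe in AppData\\Roaming")
    if name == "svchost.exe" and not rel.startswith(SYSTEM_DIRS):
        reasons.append("svchost.exe outside System32/SysWOW64")
    if STARTUP_DIR in rel and is_pe(path):
        reasons.append("PE file in Startup folder")
    for algo, value in digests(path).items():
        if value in hashes.get(algo, ()):
            reasons.append(f"hash-match:{algo}")
    return reasons


def scan(root, hashes=IOC_HASHES):
    """Walk root and return sorted [(relative path, [reasons])] for matching files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = classify(rel, full, hashes)
            if reasons:
                hits.append((rel, reasons))
    return sorted(hits)


def build_demo_tree():
    """Constructed stand-in for a victim volume; the contents are not real malware."""
    root = tempfile.mkdtemp(prefix="mb_demo_")
    files = {
        "autorun.inf": b"[autorun]\r\n",
        "system.exe": b"MZ" + b"\x00" * 64,
        "Users/user/AppData/Roaming/server.exe": b"MZ" + b"\x01" * 64,
        "Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/svchost.exe": b"MZ" + b"\x02" * 64,
        "Windows/System32/svchost.exe": b"MZ" + b"\x03" * 64,  # legitimate location, must stay quiet
        "Users/user/Documents/notes.txt": b"harmless text",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Scan the constructed tree. The demo adds the SHA256 of the constructed
    system.exe to the IOC set so the hash path fires without the real sample."""
    root = build_demo_tree()
    hashes = {algo: set(vals) for algo, vals in IOC_HASHES.items()}
    hashes["sha256"].add(hashlib.sha256(b"MZ" + b"\x00" * 64).hexdigest())
    try:
        return scan(root, hashes)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(f"{rel}: {', '.join(reasons)}")
```

On a real triage the root would be the mounted volume and the IOC set would be loaded from the MalwareBazaar API rather than pasted in; the path rules deliberately stay quiet for svchost.exe under System32/SysWOW64, which is the only place the "benign system name" trick does not apply.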
Threat name: ByteCode-MSIL.Backdoor.Bladabhindi
Status: Malicious
First seen: 2021-09-20 07:45:00 UTC
AV detection: 20 of 45 (44.44%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig evasion miner
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops autorun.inf file
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops startup file
Loads dropped DLL
Disables Task Manager via registry modification
Executes dropped EXE
Modifies Windows Firewall
xmrig
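The behaviour list above, together with the Sigma hits in the first sandbox report (Suspicious Svchost Process, System File Execution Location Anomaly), describes host telemetry a detection engineer can match on. The Python below is an added example, not the sandboxes', Sigma's or MalwareBazaar's code: it applies a simplified reading of those two Sigma rules plus checks for the netsh firewall change, the DisableTaskMgr policy value and the Startup-folder drop, over constructed Sysmon-style events modelled on the process tree. The event dictionaries, the SID and the netsh command line are assumptions, not captured telemetry, and the svchost parent allow-list is shorter than the real rule's.

```python
"""Match Sysmon-style host events against the behaviours the sandboxes report
for this sample. Added example; the rules are a simplified reading of the named
Sigma rules and of the listed behaviours, not the sandboxes' or Sigma's code."""
import ntpath  # parses Windows paths on any host OS

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "explorer.exe", "lsass.exe", "services.exe"}
# Parents that legitimately start svchost.exe; the real Sigma rule excludes a few more.
SVCHOST_PARENTS = {"services.exe", "svchost.exe"}


def base(path):
    return ntpath.basename(path).lower()


def rule_location_anomaly(ev):
    """A system binary name running from outside System32/SysWOW64."""
    if ev.get("EventType") != "ProcessCreate":
        return False
    image = ev["Image"].lower()
    return base(image) in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS)


def rule_suspicious_svchost(ev):
    """svchost.exe whose parent is neither the SCM nor another service host."""
    return (ev.get("EventType") == "ProcessCreate"
            and base(ev["Image"]) == "svchost.exe"
            and base(ev.get("ParentImage", "")) not in SVCHOST_PARENTS)


def rule_netsh_firewall(ev):
    """netsh invoked with a firewall add/set/delete verb."""
    if ev.get("EventType") != "ProcessCreate" or base(ev["Image"]) != "netsh.exe":
        return False
    words = ev.get("CommandLine", "").lower().split()
    return "firewall" in words and any(v in words for v in ("add", "set", "delete"))


def rule_disable_taskmgr(ev):
    """Policies\\System\\DisableTaskMgr set to 1 (Sysmon renders DWORDs this way)."""
    return (ev.get("EventType") == "RegistryValueSet"
            and ev["TargetObject"].lower().endswith("\\policies\\system\\disabletaskmgr")
            and ev.get("Details") == "DWORD (0x00000001)")


def rule_startup_pe_drop(ev):
    """An .exe written into a user's Startup folder."""
    target = ev.get("TargetFilename", "").lower()
    return (ev.get("EventType") == "FileCreate"
            and "\\start menu\\programs\\startup\\" in target
            and target.endswith(".exe"))


RULES = {
    "System File Execution Location Anomaly": rule_location_anomaly,
    "Suspicious Svchost Process": rule_suspicious_svchost,
    "Netsh firewall modification": rule_netsh_firewall,
    "Task Manager disabled via registry": rule_disable_taskmgr,
    "PE dropped to Startup folder": rule_startup_pe_drop,
}


def detect(events):
    """Return [(rule name, event id)] for every rule that fires on every event."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed events modelled on the process tree in the sandbox report; the
# paths, SID and netsh command line are assumptions, not captured telemetry.
EVENTS = [
    {"id": 1, "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"id": 2, "EventType": "ProcessCreate", "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\server.exe", "CommandLine": "svchost.exe"},
    {"id": 3, "EventType": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\server.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE'},
    {"id": 4, "EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"id": 5, "EventType": "FileCreate",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"},
    {"id": 6, "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\SysWOW64\netsh.exe", "CommandLine": "conhost.exe 0x4"},
]

if __name__ == "__main__":
    for name, eid in detect(EVENTS):
        print(f"event {eid}: {name}")
```

Events 1 and 6 (the legitimate svchost.exe started by services.exe, and conhost.exe under netsh.exe) stay silent; the rogue svchost.exe from AppData\Roaming trips both location and parent rules, which is the overlap a SOC would expect to see for this sample.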
Unpacked files
SHA256 hash: 8080524135f4518bd83acbe95dc37cb615fdcf4be70308a6e9555060ecd2f10c
MD5 hash: e1fcebc083fa9c9998b17f5cc04c4c64
SHA1 hash: 417630de170078dc38e34fed6ae1686479846a3a
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments