MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81360eaefc10433630852eb6099125a7ab991de94ec4167613d27169fc762670. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	81360eaefc10433630852eb6099125a7ab991de94ec4167613d27169fc762670
SHA3-384 hash:	09daa8cd0d7622960ef111d187b4452288625ee2f6bd4d648ca7de06d65a3db9061b62649090dc5129177087a3bf4790
SHA1 hash:	4311eeb95ad879bb4412a52b17cf5d03c8b8f790
MD5 hash:	40988b856f53e80be3dfef632372ff5d
humanhash:	missouri-earth-connecticut-angel
File name:	SecuriteInfo.com.Variant.Razy.611171.31058.13735
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	6'921'744 bytes
First seen:	2020-12-24 16:34:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b40d0bc4e3d3893746bb408494c11b31 (1 x CoinMiner)
ssdeep	196608:bzBOAa2+Znh3lbCXpFBs9kWz4FhFlfvPNei:fBOcanh3lbuBs9kFzH/
Threatray	1'228 similar samples on MalwareBazaar
TLSH	396633666A8878D6E86126F368E67B0C4826AC5034C55CC67DDF79798D31BC8EFE7C00
Reporter	SecuriteInfoCom
Tags:	CoinMiner

Intelligence

File Origin

# of uploads :

# of downloads :

1'003

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Razy.611171.31058.13735

Verdict:

No threats detected

Analysis date:

2020-12-24 16:37:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6dc06037-e02d-4595-9739-e94634f24ed6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/109383/

Detection(s):

SecuriteInfo.com.Variant.Razy.611171.31058.13735.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Searching for analyzing tools

Searching for the window

DNS request

Sending a UDP request

Creating a window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

evad.mine

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/569850

Signature

Detected Stratum mining protocol

Found strings related to Crypto-Mining

Hides threads from debuggers

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Potential thread-based time evasion detected

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/81360eaefc10433630852eb6099125a7ab991de94ec4167613d27169fc762670/

Threat name:

Win64.Trojan.Shelma

Status:

Malicious

First seen:

2020-12-22 04:20:52 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Verdict:

malicious

CoinMiner

42a630cda5266fd03e55bb8621e6d14cf5a6b0abda2426be1a657522c1bbb3a7

CoinMiner

433811102726bc15416ca338a2df55ec1daaf3f2565ee00d7f6484064746fb30

CoinMiner

464ce8619b8be7a6a724ac23777ecaf20be27686bd02ed7e9b4585c30d5e7d8d

CoinMiner

7c2bcbc90aad473e93b52051f11b1c1d8f3d9436b7d95b49e1ca4c7c835b0115

CoinMiner

86332943ae70c02b449589f6d7bba2792bdf18bf5d67ba38def2cd7ffcac6866

CoinMiner

9a1f36511ec56cbf0cf30080cdc11d8f261823079838cedd5ce0e6391ec815ef

CoinMiner

c4d2bbc3c3b3adae600631e9ab22124ce0b92588af7fabe69183469e0644cd4b

CoinMiner

cafafc019f410ecf18ae5f44a816e77e790e90a4720e5801b051113c0caa37bb

CoinMiner

fdf5f9635c047cde3c096139490f3462d03434986b1450ca5f01be74e1f5b559

CoinMiner

+ 1'218 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion trojan

Link:

https://tria.ge/reports/201224-n5rnnxz3me/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

81360eaefc10433630852eb6099125a7ab991de94ec4167613d27169fc762670

MD5 hash:

40988b856f53e80be3dfef632372ff5d

SHA1 hash:

4311eeb95ad879bb4412a52b17cf5d03c8b8f790

Link:

https://www.unpac.me/results/a22e16f1-6d57-4df9-9410-3f3af09206eb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Themida

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/81360eaefc10433630852eb6099125a7ab991de94ec4167613d27169fc762670

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cryptocoin_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	XMRIG_Miner Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/109383/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample