MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 833990804d459870448fdb9a0f74f6b8f5c59d395a71da86f347cf7a74f858d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 833990804d459870448fdb9a0f74f6b8f5c59d395a71da86f347cf7a74f858d2
SHA3-384 hash: 0adf959b85e1c729a96348396e0165d88756ba7ca4781dbcbfc4b1585bc68a9e310a72342827961f8b118751430dfe6a
SHA1 hash: e8d1372959ffdba695d2c1d8036735f0953fc274
MD5 hash: 292990cfd27d869a5af4e466aa498f8d
humanhash: florida-salami-twenty-april
File name:292990cfd27d869a5af4e466aa498f8d.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:9'227'776 bytes
First seen:2021-11-27 08:19:08 UTC
Last seen:2021-11-27 10:10:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 889336afd01a952ba79d1e90fb751739 (14 x CoinMiner)
ssdeep 196608:gj3ezSFsRZXLQOXSsJ8w9l65dfpvvSKzqOhPmDYW/pNjk1TbzFGvCe:gSSFs7XLQPHOOfpvFz9h+MWBxsTbxe
Threatray 353 similar samples on MalwareBazaar
TLSH T1EC9623BD619877ACC01FC5B8A433FD4AB2F1171E43E995E9B0DBBAC033DA5049609B42
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://profreecrack.com/fl-studio-20-6-0-1458-crack-registration-key-separator/
Verdict:
Malicious activity
Analysis date:
2021-11-27 04:28:07 UTC
Tags:
evasion trojan rat redline stealer loader opendir vidar
Link:
https://app.any.run/tasks/bb84c927-e743-49d6-acab-aec45aa3773d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.56329.6300.18956.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process with a hidden window
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Creating a file in the Windows subdirectories
Enabling autorun for a service
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/61a1ea37f36138de3f4114af/reports/9f6abf4f-5493-41f3-b469-3e44f2198e63/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0daf09e5-59bd-4903-9ff2-1ea8cadb9e5c
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897090
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 529564 Sample: 9cXEquEIOS.exe Startdate: 27/11/2021 Architecture: WINDOWS Score: 100 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 5 other signatures 2->71 9 9cXEquEIOS.exe 5 2->9         started        13 scvhost.exe 4 2->13         started        16 svchost.exe 1 2->16         started        18 4 other processes 2->18 process3 dnsIp4 47 C:\Users\user\AppData\Roaming\scvhost.exe, PE32+ 9->47 dropped 49 C:\Users\user\...\scvhost.exe:Zone.Identifier, ASCII 9->49 dropped 51 C:\Users\user\AppData\...\9cXEquEIOS.exe.log, ASCII 9->51 dropped 91 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->91 93 Tries to detect virtualization through RDTSC time measurements 9->93 20 cmd.exe 1 9->20         started        22 cmd.exe 1 9->22         started        61 192.168.2.1 unknown unknown 13->61 95 Antivirus detection for dropped file 13->95 97 Multi AV Scanner detection for dropped file 13->97 25 sihost64.exe 13->25         started        99 System process connects to network (likely due to code injection or exploit) 16->99 63 127.0.0.1 unknown unknown 18->63 file5 signatures6 process7 signatures8 27 scvhost.exe 7 20->27         started        31 conhost.exe 20->31         started        73 Uses schtasks.exe or at.exe to add and modify task schedules 22->73 33 conhost.exe 22->33         started        35 schtasks.exe 1 22->35         started        75 Writes to foreign memory regions 25->75 77 Allocates memory in foreign processes 25->77 79 Creates a thread in another existing process (thread injection) 25->79 37 conhost.exe 2 25->37         started        process9 file10 53 C:\Users\user\AppData\...\sihost64.exe, PE32+ 27->53 dropped 55 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 27->55 dropped 101 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 27->101 103 Writes to foreign memory regions 27->103 105 Modifies the context of a thread in another process (thread injection) 27->105 107 2 other signatures 27->107 39 sihost64.exe 27->39         started        42 svchost.exe 27->42         started        signatures11 process12 dnsIp13 81 Multi AV Scanner detection for dropped file 39->81 83 Writes to foreign memory regions 39->83 85 Allocates memory in foreign processes 39->85 87 Creates a thread in another existing process (thread injection) 39->87 45 conhost.exe 2 39->45         started        57 rentry.co 51.158.178.115, 443, 49761 OnlineSASFR France 42->57 59 pool.hashvault.pro 49.12.130.173, 49760, 80 HETZNER-ASDE Germany 42->59 89 Query firmware table information (likely to detect VMs) 42->89 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/833990804d459870448fdb9a0f74f6b8f5c59d395a71da86f347cf7a74f858d2/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-11-27 08:20:29 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qm4zbacniwmharep3ona65hwxd24lhjzljy5vbxti7hxu5hyldja._file
Verdict:
malicious
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
CoinMiner
2b0cd91072bc81875fba4d9dc3b293500f110b57dd9d37028556fdb296705fb0
CoinMiner
3aca6ead27ffa0e7384af61f022b180f305bca729e8cc4b29390b5067b673fcc
CoinMiner
4a2c3f7e489652350d3fd9df4259c52e2a9be9eb507d011779079d1e57e0301d
CoinMiner
66d2fe8e0af50d2d155608a4dfba701aa321fa7b83d5858a91f95f9bbc96f1d1
CoinMiner
7e6b525d20c679bb8241177f2e307bb9c5b9070e4846a033640eb45eafcf64ea
CoinMiner
b37e87a30c379dd3d84b2f9b5819cb32335d7230156d3ea01a7309502e9e6d0d
CoinMiner
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
CoinMiner
e67db91b7e8bcf1cf40735c556df7971af493cfd6b0fe4ffd25774ca7c31e070
CoinMiner
fa1a41ff82f9d6ca0473f9ac67f0d46e9576dd6608f9682d245f48ea872a3859
CoinMiner
+ 343 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner vmprotect
Link:
https://tria.ge/reports/211127-j8gxfscff7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
833990804d459870448fdb9a0f74f6b8f5c59d395a71da86f347cf7a74f858d2
MD5 hash:
292990cfd27d869a5af4e466aa498f8d
SHA1 hash:
e8d1372959ffdba695d2c1d8036735f0953fc274
Link:
https://www.unpac.me/results/04fd97b9-1887-47cd-b342-5b9d25b59252/
Malware family:
XMRIG
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/833990804d45/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/833990804d459870448fdb9a0f74f6b8f5c59d395a71da86f347cf7a74f858d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments