MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 865baa577a2cdad80e6daefdd7b9bf06d4f9c5007d3bc17e98d13ca8d620feb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 865baa577a2cdad80e6daefdd7b9bf06d4f9c5007d3bc17e98d13ca8d620feb6
SHA3-384 hash: ec79d7d76c6fa9e82e15af6c99265a9658e99ca86db51ff51a654d856c0609e10522abbdc23fae5872d520f72e97a0b8
SHA1 hash: aef3545a945416cbe6933e59523ebe578d701b7f
MD5 hash: d69d98688500c7266bda25458214dfca
humanhash: lactose-uniform-bakerloo-india
File name:Install this if launcher doesn't work.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:8'755'712 bytes
First seen:2021-12-25 10:23:46 UTC
Last seen:2021-12-25 12:19:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 22a7d193681235f08e33cfcfbc112896 (2 x CoinMiner)
ssdeep 196608:4wK9lDX7131Aw4Q6KHHg0r+14b+cilFv99b46:RQRXBFiQbnly1/z3
Threatray 285 similar samples on MalwareBazaar
TLSH T1E596338BF12E12EEFF896D72E0CA3985486CEAF420E956C8D354930D521B654D0CBB5F
Reporter tech_skeech
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Install this if launcher doesn't work.exe
Verdict:
No threats detected
Analysis date:
2021-12-25 10:26:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e3be9ea-bbad-483e-88d5-802be55c5cbd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.15342.952.19841.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
donut enigma packed
Link:
https://www.filescan.io/uploads/61c6f145ec6c6c14a9f17cfc/reports/1c2ea048-5e27-4c29-afa2-7f7f00d8a0be/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/33c7ded3-06db-4d1c-91d8-116489a852f6
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912730
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 545208 Sample: Install this if launcher do... Startdate: 25/12/2021 Architecture: WINDOWS Score: 100 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 Detected unpacking (changes PE section rights) 2->84 86 8 other signatures 2->86 9 Install this if launcher doesn't work.exe 6 2->9         started        13 services64.exe 2->13         started        15 svchost.exe 2->15         started        17 9 other processes 2->17 process3 file4 66 C:\Users\user\Microsoft\services64.exe, PE32+ 9->66 dropped 68 C:\Users\...\services64.exe:Zone.Identifier, ASCII 9->68 dropped 70 Install this if la...oesn't work.exe.log, ASCII 9->70 dropped 104 Hides threads from debuggers 9->104 19 cmd.exe 9->19         started        21 cmd.exe 1 9->21         started        24 cmd.exe 9->24         started        106 Multi AV Scanner detection for dropped file 13->106 108 Detected unpacking (changes PE section rights) 13->108 110 Machine Learning detection for dropped file 13->110 26 cmd.exe 13->26         started        112 Changes security center settings (notifications, updates, antivirus, firewall) 15->112 28 MpCmdRun.exe 15->28         started        114 System process connects to network (likely due to code injection or exploit) 17->114 signatures5 process6 signatures7 30 services64.exe 19->30         started        34 conhost.exe 19->34         started        100 Encrypted powershell cmdline option found 21->100 102 Uses schtasks.exe or at.exe to add and modify task schedules 21->102 36 powershell.exe 20 21->36         started        38 powershell.exe 19 21->38         started        40 conhost.exe 21->40         started        42 conhost.exe 24->42         started        44 schtasks.exe 24->44         started        48 3 other processes 26->48 46 conhost.exe 28->46         started        process8 file9 72 C:\Users\user\AppData\...\sihost64.exe, PE32+ 30->72 dropped 74 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 30->74 dropped 116 Writes to foreign memory regions 30->116 118 Allocates memory in foreign processes 30->118 120 Modifies the context of a thread in another process (thread injection) 30->120 122 3 other signatures 30->122 50 sihost64.exe 30->50         started        53 cmd.exe 30->53         started        55 svchost.exe 30->55         started        signatures10 process11 dnsIp12 88 Antivirus detection for dropped file 50->88 90 Multi AV Scanner detection for dropped file 50->90 92 Writes to foreign memory regions 50->92 98 2 other signatures 50->98 58 conhost.exe 50->58         started        94 Encrypted powershell cmdline option found 53->94 60 conhost.exe 53->60         started        62 powershell.exe 53->62         started        64 powershell.exe 53->64         started        76 131.153.56.98, 49800, 80 CWIEUS United States 55->76 78 pool.hashvault.pro 55->78 96 Query firmware table information (likely to detect VMs) 55->96 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/865baa577a2cdad80e6daefdd7b9bf06d4f9c5007d3bc17e98d13ca8d620feb6/
Threat name:
Win64.Trojan.Injectgen
Create hunting rule
Status:
Malicious
First seen:
2021-12-23 04:03:41 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 43 (44.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qzn2uv32ftnnqdtnv365pon7a3kptriapu54c7uy2e6krvra723a._file
Verdict:
malicious
Similar samples:
38a2144651bd3980612f92a1cd2308adf10dd630d618ee05232bf1a8cf76444c
CoinMiner
3dbd5487b19aa019bade16d9061195230b742a45ddb2e411d0e6b7fac6778e17
CoinMiner
42421c08872fa9a261dfe3184f7747d224ed3deb2c0420bbb2ce8f00387fd258
CoinMiner
64edbaff99fe8c87c2f5f826b0d1741c575295e3ab0c3d16db8bbacd2baebd30
CoinMiner
92d30855da0de535afe7d2b432108880f5d3766767c09c493defcb6c05c10448
CoinMiner
c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf
CoinMiner
e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a
CoinMiner
f3a0806bf7e9030e703483f4469a2292d9595d500a2365336de454a3bf047e26
CoinMiner
feb365d784b06535c3bd3ab5c525e771521f0f7dcc71c8c3e800226fdb117085
CoinMiner
+ 275 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211225-mfdk4sgedr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
865baa577a2cdad80e6daefdd7b9bf06d4f9c5007d3bc17e98d13ca8d620feb6
MD5 hash:
d69d98688500c7266bda25458214dfca
SHA1 hash:
aef3545a945416cbe6933e59523ebe578d701b7f
Link:
https://www.unpac.me/results/1f8c14b4-4b44-4684-a371-a871cd1afd3f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/865baa577a2cdad80e6daefdd7b9bf06d4f9c5007d3bc17e98d13ca8d620feb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 865baa577a2cdad80e6daefdd7b9bf06d4f9c5007d3bc17e98d13ca8d620feb6

(this sample)

  
Delivery method
Distributed via web download

Comments