MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 916978096f904cd7f02b11cec556e07856d407750eea1fe8473b0d8385674a81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 9



SHA256 hash: 916978096f904cd7f02b11cec556e07856d407750eea1fe8473b0d8385674a81
SHA3-384 hash: bfc9632e544d37b1f2e29dd6462ec140dcce18aaa49cf85c3a31f965d94df20713709cc24be6e61ee69f696cdad76bea
SHA1 hash: 9a7ae82a6b32a23b337742ed94476bddaa5fde75
MD5 hash: e0ec69844c2f7595f8470484f55c4342
humanhash: victor-avocado-twenty-tennessee
File name: e0ec69844c2f7595f8470484f55c4342
Signature: CoinMiner
File size: 2'181'120 bytes
First seen: 2021-07-05 16:07:37 UTC
Last seen: 2021-07-05 16:37:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:YqNkE1lrl1YlPTfFeyg7YVPW3FzdUwnK4:bkE1VGb9g7YVPczbnK4
TLSH: ACA5234925F7D333D1A553F039AEF0A1CF2B586E506CE0D87444D52A2FA338AD86393A
Reporter: zbetcheckin
Tags: 32 CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 294
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e0ec69844c2f7595f8470484f55c4342
Verdict: Malicious activity
Analysis date: 2021-07-05 16:09:17 UTC
Tags: trojan miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: expl.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 444325; sample H9QnI1DbC1; start date 05/07/2021; architecture WINDOWS; score 100):

Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures
Processes started at sample level: H9QnI1DbC1.exe; svchost.exe; svchost.exe; svchost.exe

H9QnI1DbC1.exe
  dropped: C:\Users\user\AppData\...\H9QnI1DbC1.exe (PE32); C:\Users\...\H9QnI1DbC1.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\H9QnI1DbC1.exe.log (ASCII)
  signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  started: H9QnI1DbC1.exe (child)

H9QnI1DbC1.exe (child)
  network: 45.144.225.135, ports 49742, 80 (DEDIPATH-LLCUS, Netherlands)
  dropped: C:\ProgramData\LKBNMTFJgl\csrss (PE32); C:\ProgramData\LKBNMTFJgl\r.vbs (data)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 4 other signatures
  started: notepad.exe; cmd.exe
  injected: VVEybfRFhleulpMvM.exe

notepad.exe
  network: 142.44.243.6, ports 14444, 49743 (OVHFR, Canada); xmr-us-east1.nanopool.org
  signatures: System process connects to network (likely due to code injection or exploit); Detected Stratum mining protocol (on the 142.44.243.6 connection)

cmd.exe
  started: wscript.exe; conhost.exe

wscript.exe
  dropped: C:\Users\user\AppData\...\viTRMUuKeV.url (MS)
Threat name: ByteCode-MSIL.Coinminer.BitCoinMiner
Status: Malicious
First seen: 2021-07-05 16:08:11 UTC
AV detection: 14 of 28 (50.00%)
Threat level: 4/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Drops startup file
UPX packed file
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: b663aab9f08d69bf4501e1d33b995ea43a18e3741d42fcc48f668233433d6f82
MD5 hash: 20f7d5bae3ac481ec2bfa461ee73205f
SHA1 hash: f63e833c1d65f55f87bab5e9dd86e5c5a2fbbe49

SHA256 hash: 837c72835fe7d233d0de1d3f36d6d7db077365a286d03c54f45d0b8f6709d85b
MD5 hash: 9714169ca5d5c64994579a5c05ea94bb
SHA1 hash: d77d3bcc52844f1eafec41f19d6e1e3dfff5bb5c

SHA256 hash: 56968595d6660c06e812865199eefbcd70d92cf49c871a917c3c21b4d889f414
MD5 hash: 62111e8ef3887774ab35220701b1363d
SHA1 hash: 288cf8d663854b3cec3f664ef0b51a006d8b05f0

SHA256 hash: 916978096f904cd7f02b11cec556e07856d407750eea1fe8473b0d8385674a81
MD5 hash: e0ec69844c2f7595f8470484f55c4342
SHA1 hash: 9a7ae82a6b32a23b337742ed94476bddaa5fde75
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256 hash: 916978096f904cd7f02b11cec556e07856d407750eea1fe8473b0d8385674a81 (this sample)
Distributed via web download

Comments



zbet commented on 2021-07-05 16:07:38 UTC

url : hxxp://45.144.225.135/notepad.exe