MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93eefdff4ee4bc7cb7ad565c2f61b45a791568a3f428c936b96f65538656f464. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93eefdff4ee4bc7cb7ad565c2f61b45a791568a3f428c936b96f65538656f464
SHA3-384 hash: afa0d684438e811b457150b78908ca3b2b83b94883c8f4bdf85947b50b906b0ed796a2b039645d1349830aa9fc80ffcf
SHA1 hash: bfae792c8b41431e05a288f04474560c41729459
MD5 hash: 733a27138e3476ec6de2aa5180de5019
humanhash: beryllium-pizza-mars-nuts
File name:SecuriteInfo.com.Variant.Bulz.416939.12657.10783
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'637'376 bytes
First seen:2021-04-09 19:57:09 UTC
Last seen:2021-04-09 20:49:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:rhc5iynFzLRDpQN+e3Rl/NM83BteXJdAnUxx:ruiypJOwe3Rl+83feXbe6
Threatray 2 similar samples on MalwareBazaar
TLSH BE75332C6CC02B67C07C09391853F1751A7D7F5608B38CADE0F46E9B78756A8B7A163A
Reporter SecuriteInfoCom
Tags:CoinMiner

Intelligence

File Origin
# of uploads :
2
# of downloads :
475
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Siggen12.45962.28547.4792
Verdict:
Malicious activity
Analysis date:
2021-04-09 17:57:43 UTC
Tags:
loader
Link:
https://app.any.run/tasks/64198180-f004-4f42-9f14-96eb969101e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133441/
Detection(s):
SecuriteInfo.com.Variant.Bulz.416939.12657.10783.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/671752
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Drops PE files with benign system names
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 384820 Sample: SecuriteInfo.com.Variant.Bu... Startdate: 09/04/2021 Architecture: WINDOWS Score: 100 89 Multi AV Scanner detection for submitted file 2->89 91 Yara detected Xmrig cryptocurrency miner 2->91 93 .NET source code contains potential unpacker 2->93 95 2 other signatures 2->95 13 SecuriteInfo.com.Variant.Bulz.416939.12657.exe 7 2->13         started        17 svchost.exe 4 2->17         started        process3 file4 83 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 13->83 dropped 85 SecuriteInfo.com.V...16939.12657.exe.log, ASCII 13->85 dropped 129 Drops PE files with benign system names 13->129 19 svchost.exe 3 13->19         started        23 cmd.exe 1 13->23         started        25 sihost32.exe 2 13->25         started        131 Multi AV Scanner detection for dropped file 17->131 133 Machine Learning detection for dropped file 17->133 135 Injects code into the Windows Explorer (explorer.exe) 17->135 137 4 other signatures 17->137 27 cmd.exe 1 17->27         started        29 explorer.exe 17->29         started        signatures5 process6 dnsIp7 87 192.168.2.1 unknown unknown 19->87 97 Injects code into the Windows Explorer (explorer.exe) 19->97 99 Writes to foreign memory regions 19->99 101 Allocates memory in foreign processes 19->101 107 2 other signatures 19->107 31 sihost32.exe 3 19->31         started        33 cmd.exe 1 19->33         started        35 explorer.exe 19->35         started        103 Uses schtasks.exe or at.exe to add and modify task schedules 23->103 37 conhost.exe 23->37         started        39 schtasks.exe 1 23->39         started        105 Multi AV Scanner detection for dropped file 25->105 41 conhost.exe 27->41         started        43 schtasks.exe 1 27->43         started        signatures8 process9 process10 45 svchost.exe 31->45         started        48 conhost.exe 33->48         started        50 schtasks.exe 1 33->50         started        signatures11 121 Injects code into the Windows Explorer (explorer.exe) 45->121 123 Writes to foreign memory regions 45->123 125 Allocates memory in foreign processes 45->125 127 2 other signatures 45->127 52 sihost32.exe 45->52         started        54 cmd.exe 45->54         started        56 explorer.exe 45->56         started        process12 process13 58 svchost.exe 52->58         started        61 conhost.exe 54->61         started        63 schtasks.exe 54->63         started        signatures14 113 Injects code into the Windows Explorer (explorer.exe) 58->113 115 Writes to foreign memory regions 58->115 117 Allocates memory in foreign processes 58->117 119 2 other signatures 58->119 65 sihost32.exe 58->65         started        67 cmd.exe 58->67         started        69 explorer.exe 58->69         started        process15 process16 71 svchost.exe 65->71         started        75 conhost.exe 67->75         started        77 schtasks.exe 67->77         started        file17 81 C:\Users\user\AppData\...\sihost32.exe, PE32+ 71->81 dropped 109 Modifies the context of a thread in another process (thread injection) 71->109 111 Injects a PE file into a foreign processes 71->111 79 cmd.exe 71->79         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93eefdff4ee4bc7cb7ad565c2f61b45a791568a3f428c936b96f65538656f464/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-04-09 17:22:49 UTC
AV detection:
10 of 48 (20.83%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
770b35e82759eb0107679b50d38f5e40175901c548a5fd8282e116e8d455c418
CoinMiner
d0468ea18c3ec3cc761985436a8d0d299191f27b2288597d29eed413e140cef9
CoinMiner
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210409-g6emelmxw2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
93eefdff4ee4bc7cb7ad565c2f61b45a791568a3f428c936b96f65538656f464
MD5 hash:
733a27138e3476ec6de2aa5180de5019
SHA1 hash:
bfae792c8b41431e05a288f04474560c41729459
Link:
https://www.unpac.me/results/a002df8a-e30c-4522-9b60-804df97c6991/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/93eefdff4ee4bc7cb7ad565c2f61b45a791568a3f428c936b96f65538656f464

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:XMRIG_Miner
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 93eefdff4ee4bc7cb7ad565c2f61b45a791568a3f428c936b96f65538656f464

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1105134/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133441/

Comments