MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 995ab2c020f8d8ac61c6c5e2bfdd383f2134a6463ea2ba218337b80b639e13cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 995ab2c020f8d8ac61c6c5e2bfdd383f2134a6463ea2ba218337b80b639e13cd
SHA3-384 hash: 2aab23edfd84e4e4a50f1c01cf8be5f4f28e8bff5670612ce87a64b5fd9e96152ae5ff80d8a3c1ce186d2057386bb7bb
SHA1 hash: 97bbccd67bb3030742f8f807bbb9c0d352da9060
MD5 hash: 67b7bcd5350e0c5885555ba17698eaa2
humanhash: butter-uncle-west-ceiling
File name:67b7bcd5350e0c5885555ba17698eaa2
Download: download sample
Signature CoinMiner
Create hunting rule
File size:162'816 bytes
First seen:2021-07-07 17:13:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:atFZXP6XsTQsVHlKJvtNK/Iqr3ZbgMwxHHUtoGO2SDt:QnLFUjK/3DOfs
Threatray 24 similar samples on MalwareBazaar
TLSH T197F35C1D5E8BB8DBE4250AB558B6E7D1072DEFA5F1E1469C30E9BE3CB7924708500FA0
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
67b7bcd5350e0c5885555ba17698eaa2
Verdict:
No threats detected
Analysis date:
2021-07-07 17:14:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5d259880-350e-438a-bb4c-b6e6230cb5c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170262/
Detection(s):
Win.Dropper.Generic-7113183-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/24a995e4-f71b-42a5-8f1c-ac3f00f3004c
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813045
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445456 Sample: QxhGQtPVT8 Startdate: 07/07/2021 Architecture: WINDOWS Score: 100 86 Multi AV Scanner detection for domain / URL 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 Yara detected Xmrig cryptocurrency miner 2->90 92 3 other signatures 2->92 9 QxhGQtPVT8.exe 8 2->9         started        process3 file4 74 C:\Users\user\AppData\Roaming\nslookup.exe, PE32+ 9->74 dropped 76 C:\Users\user\AppData\...\sihost32.exe, PE32+ 9->76 dropped 78 C:\Users\...\nslookup.exe:Zone.Identifier, ASCII 9->78 dropped 80 C:\Users\user\AppData\...\QxhGQtPVT8.exe.log, ASCII 9->80 dropped 106 Uses nslookup.exe to query domains 9->106 13 sihost32.exe 1 9->13         started        17 nslookup.exe 14 4 9->17         started        19 cmd.exe 1 9->19         started        signatures5 process6 dnsIp7 82 192.168.2.1 unknown unknown 13->82 108 Uses nslookup.exe to query domains 13->108 21 nslookup.exe 3 13->21         started        24 nslookup.exe 13->24         started        26 nslookup.exe 13->26         started        36 9 other processes 13->36 84 194.147.142.230, 49719, 80 PTPEU unknown 17->84 110 Multi AV Scanner detection for dropped file 17->110 112 Hijacks the control flow in another process 17->112 114 Machine Learning detection for dropped file 17->114 118 6 other signatures 17->118 28 cmd.exe 17->28         started        30 explorer.exe 17->30         started        116 Uses schtasks.exe or at.exe to add and modify task schedules 19->116 32 conhost.exe 19->32         started        34 schtasks.exe 1 19->34         started        signatures8 process9 signatures10 94 Hijacks the control flow in another process 21->94 96 Injects code into the Windows Explorer (explorer.exe) 21->96 98 Writes to foreign memory regions 21->98 100 Allocates memory in foreign processes 21->100 38 cmd.exe 21->38         started        40 explorer.exe 21->40         started        102 Modifies the context of a thread in another process (thread injection) 24->102 104 Injects a PE file into a foreign processes 24->104 42 cmd.exe 24->42         started        44 conhost.exe 28->44         started        46 schtasks.exe 28->46         started        48 cmd.exe 36->48         started        50 cmd.exe 36->50         started        52 cmd.exe 36->52         started        54 3 other processes 36->54 process11 process12 56 conhost.exe 38->56         started        58 schtasks.exe 38->58         started        60 conhost.exe 42->60         started        62 conhost.exe 48->62         started        64 schtasks.exe 48->64         started        66 conhost.exe 50->66         started        68 schtasks.exe 50->68         started        70 2 other processes 52->70 72 6 other processes 54->72
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/995ab2c020f8d8ac61c6c5e2bfdd383f2134a6463ea2ba218337b80b639e13cd/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-07 17:14:06 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tfnlfqba7dmkyyogyxrl7xjyh4qtjjsgh2rluimdg64awy46cpgq._file
Verdict:
suspicious
Similar samples:
0ddd995a4e7c7322e3552bdaa5df41a6a8e4db14054f0a4a410231092ac3c6de
CoinMiner
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
CoinMiner
6c3a2575d3325e7a0f520a5fefa0384855980461683e6c7463debbd668ab3258
CoinMiner
74b13418d9f50f94920aa870823732618509599ed36a57e440c32c1e9cd928f2
CoinMiner
a1a0ca95d42cb766533d9c4a8260cdcea4abab6d17214b711b7f366fbafe2413
CoinMiner
b50cfd0edcdb6b99115f83ae101003203d113e40e7cf1fa9c796886115f8c994
CoinMiner
c9181af10ea92bd10670128f29becf59ace555e7c3b2f249a0a0ee7930ac64cc
CoinMiner
e15ea1dc92dd31517334886dba17d7022c73d258096bf77f897ef60c1b8302b1
CoinMiner
e7d6efa5783c7c9a417518ee96f0ddbb919ab711669cbf68ef6caa27dac966d5
CoinMiner
e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2
CoinMiner
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210707-rgva8acrjx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
995ab2c020f8d8ac61c6c5e2bfdd383f2134a6463ea2ba218337b80b639e13cd
MD5 hash:
67b7bcd5350e0c5885555ba17698eaa2
SHA1 hash:
97bbccd67bb3030742f8f807bbb9c0d352da9060
Link:
https://www.unpac.me/results/1c526ae8-7f00-4c1d-af09-c96a5ef5f782/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/995ab2c020f8d8ac61c6c5e2bfdd383f2134a6463ea2ba218337b80b639e13cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 995ab2c020f8d8ac61c6c5e2bfdd383f2134a6463ea2ba218337b80b639e13cd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1094119/
Cape
Cape
https://www.capesandbox.com/analysis/170262/

Comments


Avatar
zbet commented on 2021-07-07 17:13:37 UTC

url : hxxp://194.147.142.230/download/activationeth.exe