MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3
SHA3-384 hash: 176a17abb055ef1ef566206a7af82653bd7e37471fd8eb9f1bc4b4fc5dac9d0d89d173e1b4fbac0d2306ce4afb1d6c0f
SHA1 hash: 0045c52b59de898fcf2b5da76a837deb396af151
MD5 hash: 8cecdbcc8d280eae1fb10058ff1e03a2
humanhash: two-saturn-shade-mobile
File name:t-rex-0.19.5-win.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:18'126'943 bytes
First seen:2021-01-02 16:55:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (864 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 393216:Q4jVNNYUUvznwZ/sNpozpi5fhJsdShI8u3/gBDe2IM:7BwUUvbwZ0NX55Jsdy+/gg2d
Threatray 358 similar samples on MalwareBazaar
TLSH 43073300FF401032D9610D34D67CEF945E38D9350B35BBD72B9226BD5B3E8A1AA68F96
Reporter o2genum
Tags:CoinMiner

Intelligence

File Origin
# of uploads :
1
# of downloads :
782
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
t-rex-0.19.5-win.exe
Verdict:
Malicious activity
Analysis date:
2021-01-02 16:57:29 UTC
Tags:
miner autoit evasion trojan rat quasar
Link:
https://app.any.run/tasks/d2cd920e-c63d-4aff-8f04-982c557ccb48

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110315/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% subdirectory
Launching a process
Sending a UDP request
Running batch commands
Deleting a recently created file
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Using BITS transfer job for data transfer
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/572957
Signature
Found strings related to Crypto-Mining
May check the online IP address of the machine
Obfuscated command line found
Sigma detected: Suspicious Certutil Command
Submitted sample is a known malware sample
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 335541 Sample: t-rex-0.19.5-win.exe Startdate: 02/01/2021 Architecture: WINDOWS Score: 76 63 raw.githubusercontent.com 2->63 65 iBpxsvNvooCSptfPJltFoi.iBpxsvNvooCSptfPJltFoi 2->65 67 2 other IPs or domains 2->67 71 Yara detected Xmrig cryptocurrency miner 2->71 73 Suspicious powershell command line found 2->73 75 Obfuscated command line found 2->75 77 5 other signatures 2->77 12 t-rex-0.19.5-win.exe 33 2->12         started        15 rundll32.exe 2->15         started        17 rundll32.exe 2->17         started        signatures3 process4 file5 59 C:\Users\user\AppData\Local\...\t-rex.exe, PE32 12->59 dropped 61 C:\Users\user\AppData\Local\...\README.md, ASCII 12->61 dropped 19 t-rex.exe 1 4 12->19         started        process6 signatures7 79 Suspicious powershell command line found 19->79 22 powershell.exe 26 19->22         started        24 powershell.exe 19 19->24         started        process8 process9 26 BL.exe 1 6 22->26         started        28 iKJ.exe 1 22->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        process10 34 cmd.exe 1 26->34         started        36 cmd.exe 1 26->36         started        39 conhost.exe 28->39         started        signatures11 41 cmd.exe 2 34->41         started        44 conhost.exe 34->44         started        46 certutil.exe 2 34->46         started        81 Submitted sample is a known malware sample 36->81 48 conhost.exe 36->48         started        process12 signatures13 83 Obfuscated command line found 41->83 85 Uses ping.exe to sleep 41->85 50 PING.EXE 41->50         started        53 findstr.exe 41->53         started        55 certutil.exe 41->55         started        57 fontdrvhost.com 41->57         started        process14 dnsIp15 69 MrJnKP.MrJnKP 50->69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-02 16:56:06 UTC
AV detection:
7 of 29 (24.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=toxi6dnivsyooyhlmfeczl6jfamz7ba6cdqee2tgkdiubpqbktbq._file
Verdict:
suspicious
Similar samples:
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
CoinMiner
1c421e6eea0c7d28016da05e2be26a099f94bb355e05ed1088c2098c024760b1
CoinMiner
1db0242b6f7de2919880e833801ce2b48bbf83c136235a537b17211e1193d611
CoinMiner
29c0c875bd961391938a48794be49c006a1ee8c31e25a1fd5f0891f5dcd46e6c
CoinMiner
3cc33ce58536242bc9b2029cd9475a287351a379ccbd12da6b8b7bf2cc68be89
CoinMiner
637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
CoinMiner
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
CoinMiner
ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
CoinMiner
cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
CoinMiner
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
CoinMiner
+ 348 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210102-hhtg7cwc6a/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/Combusss/year/main/Client1.exe
https://raw.githubusercontent.com/Combusss/year/main/t-rex.exe
Unpacked files
SH256 hash:
9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3
MD5 hash:
8cecdbcc8d280eae1fb10058ff1e03a2
SHA1 hash:
0045c52b59de898fcf2b5da76a837deb396af151
Link:
https://www.unpac.me/results/91a8a129-c6e4-4657-8409-5384ff070c26/
SH256 hash:
e2e8373beaccd9b42735f9162d84a877fa5a05126fd1c05fde7ff3165aa72158
MD5 hash:
dc098fe439ea839a14f6f22d3a3db76e
SHA1 hash:
5e83863747c40e4417106a69b02dd53ac9d2de60
Link:
https://www.unpac.me/results/91a8a129-c6e4-4657-8409-5384ff070c26/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:XMRIG_Miner
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://bitbucket.org/T-RexMiner/t-rex-miner/src/main/
anyrun
any.run
https://app.any.run/tasks/46ae4b11-13f6-4c0d-bc83-ea385d101664
Cape
Cape
https://www.capesandbox.com/analysis/110315/

Comments