MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d93308d0da9c4bf9416e54d649d1474ada03affdb939e4c891e72c1088435a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d93308d0da9c4bf9416e54d649d1474ada03affdb939e4c891e72c1088435a1
SHA3-384 hash: fa394f194f0c64fe99ee0b12928780363c4d5cdf3b395a92a7831b5920999f0997bf10743d5c1e791951554aba92b880
SHA1 hash: 4548f775b7e5f3faa61eb7360d18442d11fc3b39
MD5 hash: 9f173309df98ceeedf74a79b00c87906
humanhash: juliet-princess-gee-eighteen
File name:SecuriteInfo.com.Trojan.GenericKD.45210505.14650.20303
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'075'171 bytes
First seen:2020-12-28 10:34:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 49152:K5+hFbQQRBs1+8hXivCD3FY8b1V2SghenyzfTb+w:K5aFbQQc1J1cCD1YOaJ/+w
Threatray 21 similar samples on MalwareBazaar
TLSH 01A533B1BD9A28B2D4C273317A407A7D28A7EE155F2D56C79383B1172D323C64A3F458
Reporter SecuriteInfoCom
Tags:CoinMiner

Intelligence

File Origin
# of uploads :
1
# of downloads :
740
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKD.45210505.14650.20303
Verdict:
Suspicious activity
Analysis date:
2020-12-28 10:37:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4934507f-a555-41a0-bb74-8e21fdd8b8cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45210505.14650.20303.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Generic-6843329-0
Create hunting rule

PUA.Win.Dropper.Driverpack-6931197-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.File.Generic-7135455-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Sending a UDP request
Deleting a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching a process
DNS request
Connecting to a cryptocurrency mining pool
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570662
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to register a low level keyboard hook
Detected Stratum mining protocol
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334387 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 28/12/2020 Architecture: WINDOWS Score: 100 66 Sigma detected: Xmrig 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected Xmrig cryptocurrency miner 2->70 72 3 other signatures 2->72 9 SecuriteInfo.com.Trojan.GenericKD.45210505.14650.exe 4 2->9         started        13 WUAPServices.exe 2->13         started        15 WUAPServices.exe 2->15         started        17 11 other processes 2->17 process3 dnsIp4 48 C:\Users\user\...\xqjwzxjhgoneheyn.exe, PE32+ 9->48 dropped 86 Contains functionality to register a low level keyboard hook 9->86 20 xqjwzxjhgoneheyn.exe 1 3 9->20         started        50 C:\Users\user\AppData\...\WinRing0x64.sys, PE32+ 13->50 dropped 88 Injects code into the Windows Explorer (explorer.exe) 13->88 90 Writes to foreign memory regions 13->90 92 Allocates memory in foreign processes 13->92 24 explorer.exe 13->24         started        94 Modifies the context of a thread in another process (thread injection) 15->94 96 Injects a PE file into a foreign processes 15->96 27 explorer.exe 15->27         started        52 127.0.0.1 unknown unknown 17->52 98 Changes security center settings (notifications, updates, antivirus, firewall) 17->98 29 MpCmdRun.exe 17->29         started        file5 signatures6 process7 dnsIp8 46 C:\Users\user\AppData\...\WUAPServices.exe, PE32+ 20->46 dropped 74 Multi AV Scanner detection for dropped file 20->74 76 Machine Learning detection for dropped file 20->76 31 WUAPServices.exe 4 20->31         started        54 51.15.65.182, 14444, 49731 OnlineSASFR France 24->54 56 xmr-eu1.nanopool.org 24->56 34 conhost.exe 24->34         started        58 51.255.34.118, 14444, 49729 OVHFR France 27->58 60 xmr-eu1.nanopool.org 27->60 78 System process connects to network (likely due to code injection or exploit) 27->78 36 conhost.exe 27->36         started        38 conhost.exe 29->38         started        file9 80 Detected Stratum mining protocol 58->80 signatures10 process11 signatures12 100 Multi AV Scanner detection for dropped file 31->100 102 Machine Learning detection for dropped file 31->102 104 Injects code into the Windows Explorer (explorer.exe) 31->104 106 5 other signatures 31->106 40 explorer.exe 1 31->40         started        process13 dnsIp14 62 5.196.13.29, 14444, 49726 OVHFR France 40->62 64 xmr-eu1.nanopool.org 40->64 82 System process connects to network (likely due to code injection or exploit) 40->82 44 conhost.exe 40->44         started        signatures15 84 Detected Stratum mining protocol 62->84 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d93308d0da9c4bf9416e54d649d1474ada03affdb939e4c891e72c1088435a1/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-12-26 14:30:19 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=twjtbdinvhcl7faw4vgwjhiuosw2aox73ojz4tejdzzmcceegwqq._file
Verdict:
malicious
Similar samples:
0cd84bfd6c8c5f61e644286675ece0013aafea6a538f899afc544bcbc0c00f75
CoinMiner
5dcea548692418c3f47e0f0b2f05991720e870c2c65170c603f6e8dbcc11dd23
CoinMiner
773a42f5dd2dbe163dbc36037d53a25675c29fd0dba24d19ccb249a6f590ef12
CoinMiner
a4bd1ce6832e9cfa0078b39e7dc035047ff593ff4f875fd19ed7ab54508fa7e4
CoinMiner
af56963172182772cfb8ece6dee221898b281e8f93a62dc82a08cc188131849f
CoinMiner
c6b664ffd10c03d085b36bd57b72467b6508ba736e9c8d77182e0d1518b91295
CoinMiner
c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586
CoinMiner
cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
CoinMiner
dea877be3b8ceb7eb4cb1bb40895bc6886d3ccb0f2498e7b3c4257d726a7d896
CoinMiner
f7707fe4c69384493ced8f0defb76e6a9f4921e1ac14ae957329cbf92f1f00b2
CoinMiner
+ 11 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence
Link:
https://tria.ge/reports/201228-jvldfh9ren/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
9d93308d0da9c4bf9416e54d649d1474ada03affdb939e4c891e72c1088435a1
MD5 hash:
9f173309df98ceeedf74a79b00c87906
SHA1 hash:
4548f775b7e5f3faa61eb7360d18442d11fc3b39
Link:
https://www.unpac.me/results/6a74660c-a3c2-4db5-b2d2-6b0a463e7f97/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d93308d0da9c4bf9416e54d649d1474ada03affdb939e4c891e72c1088435a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cryptocoin_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:XMRIG_Miner
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 9d93308d0da9c4bf9416e54d649d1474ada03affdb939e4c891e72c1088435a1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/943457/
  
Delivery method
Distributed via web download

Comments