MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f13e6628458992b3e633cd3f51e876e7146ed4ce06074ff9ab394cc248d7982. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f13e6628458992b3e633cd3f51e876e7146ed4ce06074ff9ab394cc248d7982
SHA3-384 hash: 599b399449ed0338d111837d3a5edf75fcc3094188345e819777d8b8ec5d3acdc75662c0a36fa9aac4b2dd91c07e5a99
SHA1 hash: 686f0089050e1013ffd80d81193b6f992b471c34
MD5 hash: 5d2e9716be941d7c77c05947390de736
humanhash: iowa-pizza-nitrogen-cat
File name:SecuriteInfo.com.Trojan.Siggen9.42354.4673.5766
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'084'864 bytes
First seen:2020-11-28 12:44:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a030df85b73474746a4271916d6a664f (1 x CoinMiner)
ssdeep 49152:HILTby0Xg0Q1oKPBCXihpUv8LjVD7+j38QmSS:aGpyUL7tD7+j3S
Threatray 117 similar samples on MalwareBazaar
TLSH 5EA523267611C077D866067B81E60B34EFB8A3533BB16817EB5CDFB9BC302319356689
Reporter SecuriteInfoCom
Tags:CoinMiner

Intelligence

File Origin
# of uploads :
1
# of downloads :
609
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105930/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a service
Launching the process to change network settings
Creating a process with a hidden window
Sending a UDP request
Launching a service
Launching a process
Running batch commands
Creating a window
Adding an access-denied ACE
DNS request
Sending an HTTP GET request
Deleting a recently created file
Creating a process from a recently created file
Replacing files
Possible injection to a system process
Enabling autorun for a service
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/550103
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Creates a Windows Service pointing to an executable in C:\Windows
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324161 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 28/11/2020 Architecture: WINDOWS Score: 100 70 Sigma detected: Xmrig 2->70 72 Multi AV Scanner detection for domain / URL 2->72 74 Found malware configuration 2->74 76 9 other signatures 2->76 8 svchost.exe 2->8         started        11 SecuriteInfo.com.Trojan.Siggen9.42354.4673.exe 3 2 2->11         started        14 svchost.exe 2->14         started        17 2 other processes 2->17 process3 dnsIp4 82 Contains functionality to inject code into remote processes 8->82 84 DLL side loading technique detected 8->84 86 Injects a PE file into a foreign processes 8->86 19 svchost.exe 17 8->19         started        56 C:\Windows\Cursors\WUDFhosts.exe, PE32+ 11->56 dropped 88 Creates a Windows Service pointing to an executable in C:\Windows 11->88 24 netsh.exe 3 11->24         started        26 netsh.exe 3 11->26         started        28 netsh.exe 9 3 11->28         started        30 9 other processes 11->30 62 192.168.2.1 unknown unknown 14->62 file5 signatures6 process7 dnsIp8 60 www.362com.com 222.99.11.146, 49725, 80 KIXS-AS-KRKoreaTelecomKR Korea Republic of 19->60 52 C:\Windows\...\active_desktop_render_New.dll, PE32 19->52 dropped 54 C:\Windows\Help\active_desktop_render.dll, PE32 19->54 dropped 78 System process connects to network (likely due to code injection or exploit) 19->78 80 Drops executables to the windows directory (C:\Windows) and starts them 19->80 32 WUDFhosts.exe 1 19->32         started        36 conhost.exe 24->36         started        38 conhost.exe 26->38         started        40 conhost.exe 28->40         started        42 conhost.exe 30->42         started        44 conhost.exe 30->44         started        46 conhost.exe 30->46         started        48 6 other processes 30->48 file9 signatures10 process11 dnsIp12 58 pool.usa-138.com 180.96.62.240, 80 CHINATELECOM-JIANGSU-NANJING-IDCNanjingJiangsuProvince China 32->58 64 Antivirus detection for dropped file 32->64 66 Multi AV Scanner detection for dropped file 32->66 68 Machine Learning detection for dropped file 32->68 50 conhost.exe 32->50         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f13e6628458992b3e633cd3f51e876e7146ed4ce06074ff9ab394cc248d7982/
Threat name:
Win32.Trojan.Blamon
Create hunting rule
Status:
Malicious
First seen:
2020-05-31 07:40:45 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t4j6myuelcmswptdhtj7khuhnzyun3km4bqhj742wokmyjenpgba._file
Verdict:
malicious
Similar samples:
03123bbf8b63f81929abbe804f442bc307e988f3f1e11d41862233f9a24fd94f
CoinMiner
03e2a3a9c9b3198096bb8d8048d26057fb9dd3aedc0956971571d2e8c315a628
CoinMiner
05316adf8cb98bc3a3d9bd174e5287f1a7b9f2ef65eac0b965c2c040d58b7b96
CoinMiner
22a3e377098a1a3479bd4f03b847c93c1939fe1660de4ed241c3302a4830c49c
CoinMiner
932d20d000d9937c91fa274b237da8437124209ebfcf1eb5ab1aaa3bfd25b342
CoinMiner
a9c7f285f8d21355ced74ceeb27adaf4438ddb88dd65bc359771183a0e7b8a04
CoinMiner
c9150a9d75f7aa890f7f71fa9fc3e44ad068ad67c8408f1ef14e58cd963178f8
CoinMiner
dd9fe2b276905236c36f6f8461ac20cc5f7f1a3c999b4211f6d606027f02a21f
CoinMiner
f781bb584b94995153c63991eda5ca80e4bfdac2f4d50a27534669bd26f8a3cd
CoinMiner
fc24c66249ff1d20ea728a18dbfe87018e27e487a43eb1f09d4b642d9766dc51
CoinMiner
+ 107 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
miner persistence upx
Link:
https://tria.ge/reports/201128-xvddbmgbej/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Executes dropped EXE
Sets DLL path for service in the registry
UPX packed file
Detected Stratum cryptominer command
Unpacked files
SH256 hash:
cf63bdfa60aec70c2bbd6b64a54362fe848fdfe4227e9c8b3c88faccfab3e11c
MD5 hash:
814605a3e300960431714e2f318aff6f
SHA1 hash:
4bab03b35c6881cb9f85da8d8958942ad4b6393a
Link:
https://www.unpac.me/results/dcf1a73a-458f-433a-9739-48c787366f08/
SH256 hash:
9f13e6628458992b3e633cd3f51e876e7146ed4ce06074ff9ab394cc248d7982
MD5 hash:
5d2e9716be941d7c77c05947390de736
SHA1 hash:
686f0089050e1013ffd80d81193b6f992b471c34
Link:
https://www.unpac.me/results/dcf1a73a-458f-433a-9739-48c787366f08/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Hiloti
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f13e6628458992b3e633cd3f51e876e7146ed4ce06074ff9ab394cc248d7982

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cryptocoin_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:XMRIG_Miner
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 9f13e6628458992b3e633cd3f51e876e7146ed4ce06074ff9ab394cc248d7982

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/105930/
  
URLhaus
https://urlhaus.abuse.ch/url/863146/
  
Delivery method
Distributed via web download

Comments