MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a034705c6ed17fa615435d02d6419e18ffe9a7f16f1f1c712a657aa1a0d90193. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner.XMRig


Vendor detections: 9



SHA256 hash: a034705c6ed17fa615435d02d6419e18ffe9a7f16f1f1c712a657aa1a0d90193
SHA3-384 hash: 3c8cc1e7f388a2f435e3810b985f89eaeb8dee99d110339af700f8a47b02886eddb71730128d06b57b7535cee668a094
SHA1 hash: 35385b0a50f3f8b403d2c6f72fe84238f3f3775d
MD5 hash: b97962d886f1079133f133e0d4c98903
humanhash: thirteen-blue-high-magazine
File name: b97962d886f1079133f133e0d4c98903.exe
Signature: CoinMiner.XMRig
File size: 120'832 bytes
First seen: 2021-05-09 06:11:07 UTC
Last seen: 2021-05-09 07:12:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1e6c6c0fef00f13f737d59db8cd89a72 (1 x CoinMiner, 1 x CoinMiner.XMRig)
ssdeep: 3072:N1wRwJKi9bijvOzTdG9D+TFpTjM+zy9az:vNJNb64TdGh6DT+s
Threatray: 34 similar samples on MalwareBazaar
TLSH: 77C36C4B73A571FCE1728639C8615629D772B8752625CF2F139846962F232A08F2FF31
Reporter: abuse_ch
Tags: CoinMiner CoinMiner.XMRig exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 423
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware

Behaviour
DNS request
Sending a custom TCP request
Launching a process
Creating a file in the %AppData% directory
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
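The "Detected Stratum mining protocol" signature above is raised on the pool connections. The following is an added example, not code from MalwareBazaar or the sandbox vendor: it classifies captured TCP payloads as Stratum by parsing the JSON-RPC 2.0 dialect XMRig uses with Monero pools (newline-delimited objects; a "login" request carrying the wallet in params.login and the miner build in params.agent; "submit" for shares; "job" notifications from the pool). That dialect, the method names, and every payload below are assumptions of this example; the pool endpoint 94.23.247.226:8080 is the one in the report and the wallet string is a placeholder.

```python
"""Detect Stratum mining traffic in captured TCP payloads.

Added example, not code from MalwareBazaar or the sandbox vendors quoted
on this page. Assumes the JSON-RPC 2.0 dialect XMRig speaks to Monero
pools: newline-delimited JSON objects, "login" (wallet in params.login,
miner build in params.agent), "submit" for shares, "job" pushed by the
pool. All payloads below are constructed; the wallet is a placeholder.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MINER_METHODS = {"login", "submit", "keepalived", "getjob"}
POOL_METHODS = {"job"}


@dataclass
class StratumSession:
    remote: str                    # pool endpoint "ip:port"
    wallet: Optional[str] = None   # params.login of the login request
    agent: Optional[str] = None    # params.agent, e.g. "XMRig/6.12.1 (...)"
    miner_messages: int = 0
    pool_messages: int = 0
    shares_submitted: int = 0

    @property
    def is_mining(self) -> bool:
        # Require both directions: a login from the client and at least one
        # job or result from the pool. A lone JSON-RPC request to port 8080
        # is not enough to call the process a miner.
        return self.wallet is not None and self.pool_messages > 0


def parse_jsonrpc(payload: str) -> List[dict]:
    """Split a newline-delimited payload into JSON-RPC 2.0 objects.
    Anything that is not a JSON object (HTTP, TLS records) is skipped."""
    msgs = []
    for line in payload.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and obj.get("jsonrpc") == "2.0":
            msgs.append(obj)
    return msgs


def analyze_flows(flows: List[Tuple[str, str, str]]) -> Dict[str, StratumSession]:
    """flows: (direction "out"/"in", remote "ip:port", payload) per segment.
    Returns one session per remote endpoint that exchanged Stratum messages."""
    sessions: Dict[str, StratumSession] = {}
    for direction, remote, payload in flows:
        for msg in parse_jsonrpc(payload):
            method = msg.get("method") if isinstance(msg.get("method"), str) else None
            params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
            result = msg.get("result") if isinstance(msg.get("result"), dict) else {}
            if direction == "out" and method in MINER_METHODS:
                s = sessions.setdefault(remote, StratumSession(remote))
                s.miner_messages += 1
                if method == "login":
                    s.wallet = params.get("login")
                    s.agent = params.get("agent")
                elif method == "submit":
                    s.shares_submitted += 1
            elif direction == "in" and (method in POOL_METHODS or "job" in result or "status" in result):
                s = sessions.setdefault(remote, StratumSession(remote))
                s.pool_messages += 1
    return sessions


def mining_endpoints(flows: List[Tuple[str, str, str]]) -> List[str]:
    """Remote endpoints whose session meets is_mining, ready for a blocklist."""
    return sorted(r for r, s in analyze_flows(flows).items() if s.is_mining)


# Constructed capture: endpoint and port are from the sandbox report, the
# messages are a made-up login/job/submit exchange in XMRig's dialect.
POOL = "94.23.247.226:8080"             # pool-fr.supportxmr.com in the report
WALLET = "4" + "A" * 94                 # placeholder shaped like a Monero address
FLOWS = [
    ("out", POOL, '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"' + WALLET +
     '","pass":"x","agent":"XMRig/6.12.1 (Windows NT 10.0; Win64; x64)","algo":["rx/0"]}}\n'),
    ("in", POOL, '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"c0ffee","job":{"blob":"0e0ea7d6e305",'
     '"job_id":"1","target":"b88d0600","algo":"rx/0"},"status":"OK"}}\n'),
    ("out", POOL, '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"c0ffee","job_id":"1",'
     '"nonce":"8f3a0100","result":"00000000deadbeef"}}\n'),
    ("in", POOL, '{"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}\n'),
    ("in", POOL, '{"jsonrpc":"2.0","method":"job","params":{"blob":"0e0ea7d6e305","job_id":"2","target":"b88d0600","algo":"rx/0"}}\n'),
    # Non-Stratum traffic to the GitHub host the dropper also contacts (constructed, shown as cleartext).
    ("out", "140.82.121.4:443", "GET / HTTP/1.1\r\nHost: github.com\r\n\r\n"),
]

if __name__ == "__main__":
    for remote, s in analyze_flows(FLOWS).items():
        print(remote, "mining" if s.is_mining else "jsonrpc", s.agent, s.shares_submitted)
```

The two-direction requirement matters in practice: plenty of legitimate JSON-RPC services live on 8080, so a login request alone should only raise the score, while a login answered with a job and followed by a share submission is what the sandbox signature is really keyed on.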
Behaviour
Behavior Graph ID 408922 (sample name 75tzoUK1Jd.exe, run 09/05/2021, Windows, score 100). The rendered graph does not survive extraction; the nodes and edges it carried are:

Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 3 other signatures.

75tzoUK1Jd.exe (submitted sample)
- Network: github.com 140.82.121.4:443 (GITHUBUS, United States); github-releases.githubusercontent.com 185.199.110.154:443 (FASTLYUS, Netherlands)
- Dropped: C:\Users\user\AppData\Roaming\waupdat3.exe (PE32+); C:\Users\...\waupdat3.exe:Zone.Identifier (ASCII)
- Signatures: Contains functionality to inject code into remote processes; Sets debug register (to hijack the execution of another thread); Writes to foreign memory regions
- Starts: msiexec.exe (two instances)

waupdat3.exe (two instances of the dropped file)
- Network: 140.82.121.3:443 (GITHUBUS, United States); 185.199.108.154:443 (FASTLYUS, Netherlands)
- Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
- Starts: msiexec.exe (two instances)

11 other processes, including MpCmdRun.exe
- Network: 127.0.0.1
- Signatures: Changes security center settings (notifications, updates, antivirus, firewall)

msiexec.exe (started by the sample and by waupdat3.exe; each instance starts conhost.exe, and a further pair of msiexec.exe appears under conhost.exe with the same pool contacts)
- Network: pool-fr.supportxmr.com 94.23.247.226:8080 (OVHFR, France); pool.supportxmr.com; 149.202.83.171:8080 (OVHFR, France)
- Signatures: Query firmware table information (likely to detect VMs); Detected Stratum mining protocol (on the connections to 94.23.247.226:8080 and 149.202.83.171:8080)
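The behaviour lists and the graph describe one chain: the sample drops waupdat3.exe into AppData\Roaming, sets a Run key, gets write access into msiexec.exe, and that msiexec.exe is what talks to the pool. The following is an added example, not code from MalwareBazaar or the sandbox vendor: it runs detection logic over constructed Sysmon-style records (event IDs 1 ProcessCreate, 3 NetworkConnect, 10 ProcessAccess, 11 FileCreate, 13 RegistryValueSet, 22 DnsQuery) and only reaches a coinminer verdict when the injection and the pool traffic line up, since a drop plus a Run key on its own is what many legitimate updaters do. File names, the Run key, the pool host and the port are from the report; the PIDs, the event records, the set of host binaries treated as injection targets, and the list of pool ports are assumptions of the example.

```python
"""Score a host's event stream for the chain in the sandbox report above.

Added example; not code from MalwareBazaar or the sandbox vendor. Runs over
constructed Sysmon-style records (event IDs 1 ProcessCreate, 3 NetworkConnect,
10 ProcessAccess, 11 FileCreate, 13 RegistryValueSet, 22 DnsQuery). File
names, the Run key, pool host and port come from the report; PIDs, records,
LOLBINS and POOL_PORTS are assumptions.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
APPDATA = re.compile(r"\\AppData\\Roaming\\", re.I)
LOLBINS = {"msiexec.exe", "svchost.exe", "explorer.exe"}   # signed hosts often injected into (assumption)
POOL_DOMAINS = ("supportxmr.com",)                          # from the report; extend from your own TI
POOL_PORTS = {3333, 4444, 5555, 7777, 8080}                 # ports Stratum pools commonly use (assumption)
INJECT_MASK = 0x0008 | 0x0020   # PROCESS_VM_OPERATION | PROCESS_VM_WRITE

Alert = Tuple[str, int, str]     # (rule, pid, detail)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: List[dict]) -> Dict[str, object]:
    image: Dict[int, str] = {}       # pid -> image path, from ProcessCreate
    injected: Dict[int, int] = {}    # target pid -> pid that got write access to it
    alerts: List[Alert] = []
    for e in events:
        eid = e["id"]
        if eid == 1:
            image[e["pid"]] = e["image"]
            if APPDATA.search(e["image"]):
                alerts.append(("exec_from_appdata", e["pid"], e["image"]))
        elif eid == 11 and e["target"].lower().endswith(".exe") and APPDATA.search(e["target"]):
            alerts.append(("drop_exe_in_appdata", e["pid"], e["target"]))
        elif eid == 13 and RUN_KEY.search(e["key"]) and APPDATA.search(e["details"]):
            alerts.append(("run_key_to_appdata", e["pid"], e["details"]))
        elif eid == 10:
            target = basename(image.get(e["target_pid"], ""))
            # Parenthesised on purpose: in Python "a & b == c" parses as "a & (b == c)".
            if target in LOLBINS and (int(e["granted_access"], 16) & INJECT_MASK) == INJECT_MASK:
                injected[e["target_pid"]] = e["source_pid"]
                alerts.append(("write_access_to_lolbin", e["source_pid"], target))
        elif eid == 22 and e["query"].lower().endswith(POOL_DOMAINS):
            alerts.append(("dns_mining_pool", e["pid"], e["query"]))
        elif eid == 3:
            if basename(e["image"]) in LOLBINS and e["pid"] in injected and e["dst_port"] in POOL_PORTS:
                alerts.append(("injected_lolbin_to_pool_port", e["pid"], f'{e["dst_ip"]}:{e["dst_port"]}'))
    rules = {a[0] for a in alerts}
    # The verdict needs the chain, not one rule: write access into msiexec.exe
    # followed by that same msiexec.exe reaching a pool port is the miner tell.
    if {"write_access_to_lolbin", "injected_lolbin_to_pool_port"} <= rules:
        verdict = "coinminer"
    elif rules:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"alerts": alerts, "verdict": verdict}


# Constructed event stream modelled on the report (PIDs are made up).
SAMPLE = r"C:\Users\user\Desktop\75tzoUK1Jd.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\waupdat3.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 10, "image": SAMPLE},
    {"id": 11, "pid": 100, "target": DROPPED},
    {"id": 11, "pid": 100, "target": DROPPED + ":Zone.Identifier"},   # mark-of-the-web ADS, as in the report
    {"id": 13, "pid": 100, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\waupdat3", "details": DROPPED},
    {"id": 1, "pid": 150, "ppid": 10, "image": DROPPED},
    {"id": 1, "pid": 200, "ppid": 100, "image": MSIEXEC},
    {"id": 10, "source_pid": 100, "target_pid": 200, "granted_access": "0x1FFFFF"},   # PROCESS_ALL_ACCESS
    {"id": 22, "pid": 200, "query": "pool-fr.supportxmr.com", "result": "94.23.247.226"},
    {"id": 3, "pid": 200, "image": MSIEXEC, "dst_ip": "94.23.247.226", "dst_port": 8080},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\conhost.exe"},
    # Benign control: an installer run by the user, fetching an MSI over HTTPS.
    {"id": 1, "pid": 400, "ppid": 10, "image": MSIEXEC},
    {"id": 3, "pid": 400, "image": MSIEXEC, "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    result = evaluate(EVENTS)
    for rule, pid, detail in result["alerts"]:
        print(f"{rule:32} pid={pid} {detail}")
    print("verdict:", result["verdict"])
```

The ProcessAccess rule keys on the access mask rather than on a specific API, which is why it also catches the SetThreadContext route the second vendor flags: writing the payload and redirecting a thread both need PROCESS_VM_OPERATION and PROCESS_VM_WRITE on the target. Tune POOL_PORTS and LOLBINS to your environment before running this against real telemetry.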
Threat name: Win64.Trojan.Miner
Status: Malicious
First seen: 2021-05-09 03:20:00 UTC
AV detection: 18 of 27 (66.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner persistence
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: a034705c6ed17fa615435d02d6419e18ffe9a7f16f1f1c712a657aa1a0d90193
MD5 hash: b97962d886f1079133f133e0d4c98903
SHA1 hash: 35385b0a50f3f8b403d2c6f72fe84238f3f3775d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cryptocoin_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria
Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog
Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Author: Florian Roth
Description: Detects XMRIG crypto coin miners
Reference: https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Rule name:XMRIG_Miner

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Executable exe a034705c6ed17fa615435d02d6419e18ffe9a7f16f1f1c712a657aa1a0d90193 (this sample), signature CoinMiner.XMRig, distributed via web download

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-09 07:22:05 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0030.002] Command and Control::Receive Data
1) [B0030.001] Command and Control::Send Data
2) [C0002.009] Communication Micro-objective::Connect to Server::HTTP Communication
3) [C0002.012] Communication Micro-objective::Create Request::HTTP Communication
4) [C0002.017] Communication Micro-objective::Get Response::HTTP Communication
5) [C0002.003] Communication Micro-objective::Send Request::HTTP Communication
6) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
7) [C0032.005] Data Micro-objective::Adler::Checksum
8) [C0026.002] Data Micro-objective::XOR::Encode Data
10) [C0045] File System Micro-objective::Copy File
11) [C0051] File System Micro-objective::Read File
12) [C0052] File System Micro-objective::Writes File
13) [C0007] Memory Micro-objective::Allocate Memory
14) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
15) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
16) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
17) [C0040] Process Micro-objective::Allocate Thread Local Storage
18) [C0017.003] Process Micro-objective::Create Suspended Process::Create Process
19) [C0017] Process Micro-objective::Create Process
20) [C0054] Process Micro-objective::Resume Thread
21) [C0041] Process Micro-objective::Set Thread Local Storage Value
22) [C0018] Process Micro-objective::Terminate Process