MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a862ea441bd7820c5fd7faf9a43a4c455c38401f486e3b0dfabc84dd53193df9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a862ea441bd7820c5fd7faf9a43a4c455c38401f486e3b0dfabc84dd53193df9
SHA3-384 hash: 30f9fc26957d0069b52b259d53fc186d79701fce097e7a48977be6a347e7d26f8b9bccef166797f17b1f37d4497834d1
SHA1 hash: 4fe955656fef76afca9604b016113b993abe7649
MD5 hash: 7750f5921594ace05c7a8d05e8d2cd27
humanhash: chicken-burger-comet-monkey
File name:mofcomp.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:155'136 bytes
First seen:2022-10-10 07:14:02 UTC
Last seen:2022-10-10 08:21:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:2s2D9KzcbBdr/IbIIpRAk5Krcw80bM7gq5c0fwls1V5Am:22obz6L0cl0bqcYZ5A
Threatray 4'822 similar samples on MalwareBazaar
TLSH T10AE3F10857AD9F43C66D0ABED8A3A1699364E55E870BF30E30980134DD753E6E593E0F
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter JAMESWT_WT
Tags:bitbucket-org CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318202/
Detection(s):
SecuriteInfo.com.Variant.Bulz.634490.21092.4996.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6343c63e1ddf36bcc3f43033/reports/b39c2d01-1145-4184-a813-5f369619af62/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cd306edc-5913-4d49-886d-f1a216e5c32c
Result
Threat name:
BitCoin Miner, Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1087544
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
DNS related to crypt mining pools
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 720121 Sample: mofcomp.exe Startdate: 11/10/2022 Architecture: WINDOWS Score: 100 136 Sigma detected: Xmrig 2->136 138 Multi AV Scanner detection for domain / URL 2->138 140 Malicious sample detected (through community Yara rule) 2->140 142 8 other signatures 2->142 12 mofcomp.exe 5 2->12         started        16 mofcomp.exe 2 2->16         started        18 svchost.exe 2->18         started        20 8 other processes 2->20 process3 file4 108 C:\Users\user\AppData\Local\...\svchost64.exe, PE32+ 12->108 dropped 110 C:\Users\user\AppData\...\mofcomp.exe.log, CSV 12->110 dropped 168 Adds a directory exclusion to Windows Defender 12->168 22 cmd.exe 1 12->22         started        24 cmd.exe 1 12->24         started        170 Antivirus detection for dropped file 16->170 172 Multi AV Scanner detection for dropped file 16->172 174 Machine Learning detection for dropped file 16->174 27 cmd.exe 16->27         started        176 Changes security center settings (notifications, updates, antivirus, firewall) 18->176 29 MpCmdRun.exe 18->29         started        178 System process connects to network (likely due to code injection or exploit) 20->178 180 Query firmware table information (likely to detect VMs) 20->180 signatures5 process6 signatures7 31 svchost64.exe 6 22->31         started        35 conhost.exe 22->35         started        154 Uses schtasks.exe or at.exe to add and modify task schedules 24->154 156 Adds a directory exclusion to Windows Defender 24->156 37 powershell.exe 19 24->37         started        39 powershell.exe 15 24->39         started        41 powershell.exe 15 24->41         started        47 2 other processes 24->47 43 conhost.exe 27->43         started        49 4 other processes 27->49 45 conhost.exe 29->45         started        process8 file9 112 C:\Windows\System32\mofcomp.exe, PE32+ 31->112 dropped 114 C:\Windows\...\mofcomp.exe:Zone.Identifier, ASCII 31->114 dropped 128 Antivirus detection for dropped file 31->128 130 Multi AV Scanner detection for dropped file 31->130 132 Machine Learning detection for dropped file 31->132 134 Drops executables to the windows directory (C:\Windows) and starts them 31->134 51 mofcomp.exe 4 31->51         started        54 cmd.exe 1 31->54         started        56 cmd.exe 31->56         started        signatures10 process11 signatures12 144 Adds a directory exclusion to Windows Defender 51->144 58 cmd.exe 51->58         started        60 cmd.exe 51->60         started        63 conhost.exe 54->63         started        65 schtasks.exe 1 54->65         started        67 conhost.exe 56->67         started        69 choice.exe 56->69         started        process13 signatures14 71 svchost64.exe 58->71         started        76 conhost.exe 58->76         started        166 Adds a directory exclusion to Windows Defender 60->166 78 conhost.exe 60->78         started        80 powershell.exe 60->80         started        82 powershell.exe 60->82         started        84 2 other processes 60->84 process15 dnsIp16 116 ezstat.ru 148.251.234.93, 443, 49703 HETZNER-ASDE Germany 71->116 118 raw.githubusercontent.com 185.199.108.133, 443, 49702, 49706 FASTLYUS Netherlands 71->118 120 3 other IPs or domains 71->120 104 C:\Windows\System32\...\sihost64.exe, PE32+ 71->104 dropped 106 C:\Windows\System32\Microsoft\Libs\WR64.sys, PE32+ 71->106 dropped 158 Drops executables to the windows directory (C:\Windows) and starts them 71->158 160 Writes to foreign memory regions 71->160 162 Modifies the context of a thread in another process (thread injection) 71->162 164 2 other signatures 71->164 86 sihost64.exe 71->86         started        89 svchost.exe 71->89         started        92 cmd.exe 71->92         started        94 cmd.exe 71->94         started        file17 signatures18 process19 dnsIp20 146 Antivirus detection for dropped file 86->146 148 Multi AV Scanner detection for dropped file 86->148 150 Machine Learning detection for dropped file 86->150 122 raw.githubusercontent.com 89->122 124 51.15.54.102, 14433, 49707 OnlineSASFR France 89->124 126 2 other IPs or domains 89->126 152 Query firmware table information (likely to detect VMs) 89->152 96 conhost.exe 92->96         started        98 schtasks.exe 92->98         started        100 conhost.exe 94->100         started        102 choice.exe 94->102         started        signatures21 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a862ea441bd7820c5fd7faf9a43a4c455c38401f486e3b0dfabc84dd53193df9/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 15:11:13 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vbroura326bayx6x7l42iosmivodqqa7jbxdwdp2xscn2uyzhx4q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
48eee6e4eedb7291e09cd68d3ff4f1608df7fb538be806d785a4e99cb77a9da2
CoinMiner
4d1561d0305e150e1a74ef02c3c20b550cbd7e68ad3dc8e237f40b3b71e9c29e
CoinMiner
6162852486198185cf0b5444b6a9ee3748e403ac482bda81abf70d783dc2ccff
CoinMiner
81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0
CoinMiner
ba7a55b17174de39cb44b553a52de3d0b3c979d37104a5ad1580cb97a8acc800
CoinMiner
c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
CoinMiner
c8b8445f2852e90f152f6f469e61af5562850ae1814d8b93f7d7f3df0cb0b114
CoinMiner
c9ceaa34d8c1644a6e7c885badc37e689f69329e757acde1620133fef8367061
CoinMiner
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
CoinMiner
fb82356b6c0b1fb239f023e904eb5a796da2c1b7e5560ddcaf8584a9bca912a1
CoinMiner
+ 4'812 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/221010-h2nkzsahg6/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
XMRig Miner payload
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/58c2f9e5-0fc4-4836-840b-90e09a334cc7
Unpacked files
SH256 hash:
a862ea441bd7820c5fd7faf9a43a4c455c38401f486e3b0dfabc84dd53193df9
MD5 hash:
7750f5921594ace05c7a8d05e8d2cd27
SHA1 hash:
4fe955656fef76afca9604b016113b993abe7649
Link:
https://www.unpac.me/results/9073aae9-90ce-4f1a-ac8c-da08e1506c10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a862ea441bd7820c5fd7faf9a43a4c455c38401f486e3b0dfabc84dd53193df9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318202/

Comments