MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af18c1e923667ab287cd2699203e0bb6e6030dee131299ea670bc842dec76745. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af18c1e923667ab287cd2699203e0bb6e6030dee131299ea670bc842dec76745
SHA3-384 hash: d87304b6d6e91abbda83dc9347f75069d4abc9d1e130a6b45f59a97c2897e7fc0484f539eaee15202b2322bbd11600d8
SHA1 hash: 19240a26f205be2f8b4f4e00583a987e184f2875
MD5 hash: 0f65b4fa711b40e3c89a81fa69d8690f
humanhash: batman-green-lactose-texas
File name:0f65b4fa711b40e3c89a81fa69d8690f
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:16'896 bytes
First seen:2021-07-23 20:01:15 UTC
Last seen:2021-07-23 20:48:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 192:e1XXt7VozmA38ntuvXOIhOWAVYidnab4WmdzdtjrII1dpv0:e1H9Vmx3+u+Inmh51dp8
Threatray 82 similar samples on MalwareBazaar
TLSH T104726C59CB5B0223EDA22DF984B3C5E1CEFC6683D4536F2FEEA6330A586800455C2E71
dhash icon c0d8d090dcd292b2 (1 x CoinMiner, 1 x CoinMiner.XMRig)
Reporter zbetcheckin
Tags:32 CoinMiner.XMRig exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0f65b4fa711b40e3c89a81fa69d8690f
Verdict:
Malicious activity
Analysis date:
2021-07-23 20:04:59 UTC
Tags:
loader
Link:
https://app.any.run/tasks/2e330ee0-b38d-4a18-8d38-622f15443dd5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173775/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46662510.9245.3722.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/517cc666-8cac-44e8-a162-85da0d74a3ef
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821057
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 453465 Sample: LZF5sOWnss Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 53 xmr-us-east1.nanopool.org 2->53 61 Multi AV Scanner detection for domain / URL 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 11 other signatures 2->67 10 LZF5sOWnss.exe 14 6 2->10         started        15 svchost.exe 1 2->15         started        17 svchost.exe 1 2->17         started        19 2 other processes 2->19 signatures3 process4 dnsIp5 55 45.144.225.135, 49750, 49766, 80 DEDIPATH-LLCUS Netherlands 10->55 49 C:\Users\user\AppData\...\tmp70CEtmp.exe, PE32 10->49 dropped 51 C:\Users\user\AppData\...\LZF5sOWnss.exe.log, ASCII 10->51 dropped 83 Detected unpacking (overwrites its own PE header) 10->83 21 tmp70CEtmp.exe 3 10->21         started        file6 signatures7 process8 signatures9 69 Multi AV Scanner detection for dropped file 21->69 71 Detected unpacking (creates a PE file in dynamic memory) 21->71 73 Injects a PE file into a foreign processes 21->73 24 tmp70CEtmp.exe 6 21->24         started        28 tmp70CEtmp.exe 21->28         started        process10 file11 45 C:\ProgramData\LKBNMTFJgl\csrss, PE32 24->45 dropped 47 C:\ProgramData\LKBNMTFJgl\r.vbs, data 24->47 dropped 75 Writes to foreign memory regions 24->75 77 Allocates memory in foreign processes 24->77 79 Modifies the context of a thread in another process (thread injection) 24->79 81 2 other signatures 24->81 30 notepad.exe 24->30         started        34 cmd.exe 1 24->34         started        36 kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe 24->36 injected signatures12 process13 dnsIp14 57 142.44.242.100, 14444, 49767 OVHFR Canada 30->57 59 xmr-us-east1.nanopool.org 30->59 85 System process connects to network (likely due to code injection or exploit) 30->85 38 wscript.exe 1 34->38         started        41 conhost.exe 34->41         started        signatures15 87 Detected Stratum mining protocol 57->87 process16 file17 43 C:\Users\user\AppData\...\viTRMUuKeV.url, MS 38->43 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af18c1e923667ab287cd2699203e0bb6e6030dee131299ea670bc842dec76745/
Threat name:
ByteCode-MSIL.Trojan.Dothetuk
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 00:02:26 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v4mmd2jdmz5lfb6ne2msapqlw3tagdpocmjjt2thbpeefxwhm5cq._file
Verdict:
unknown
Similar samples:
1a26ce3b96b1ccd7af4c8d6f4de0e4b4320535b20895a295e1a96aa009843a71
CoinMiner.XMRig
29d0e1b77452621e42cf4efe225d0347742e3f6bc8f85ffe26b33ba589c0445c
CoinMiner.XMRig
53cae19aa470b038966c47f8e7361fde1da99f4f54ea97ab3fb7198506ecbc3d
CoinMiner.XMRig
5d9b6c49a8c84b01122da49a1237c880e2eb71d44f264e8a0effc56b7b586bf6
CoinMiner.XMRig
68657be04f5b550fec4671437e5dc5849408eada96f5ff44cb0972b0e28ca5be
CoinMiner.XMRig
8b0d6717a7d98595e7727f5309e19a1f3dae7986d1809f14f8de4edfb2810a3e
CoinMiner.XMRig
8c5e6f26ffcdaec3ec1b9e687430e51a6f6460d0572d36e826ef8f511b611b5c
CoinMiner.XMRig
cd546894a737663aacacc3c3ebe2ea85c26bd5790a57ede5913355a15deac30f
CoinMiner.XMRig
ebf8f470ffc1fa2c68fb9674c6e9842f9b5e5a15e2d37b11ffdb1de90d017b92
CoinMiner.XMRig
f8a3b64aa3c1c639a5ce1b100de860d4f97703879df0d01ce0118ae97c1b7423
CoinMiner.XMRig
+ 72 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/210723-5jgpe4bq2j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
af18c1e923667ab287cd2699203e0bb6e6030dee131299ea670bc842dec76745
MD5 hash:
0f65b4fa711b40e3c89a81fa69d8690f
SHA1 hash:
19240a26f205be2f8b4f4e00583a987e184f2875
Link:
https://www.unpac.me/results/f62b0d90-1efa-4953-a60b-4646a7951a45/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/af18c1e923667ab287cd2699203e0bb6e6030dee131299ea670bc842dec76745

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Executable exe af18c1e923667ab287cd2699203e0bb6e6030dee131299ea670bc842dec76745

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1423538/
Cape
Cape
https://www.capesandbox.com/analysis/173775/

Comments


Avatar
zbet commented on 2021-07-23 20:01:16 UTC

url : hxxp://45.144.225.135/msiexec.exe