MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
SHA3-384 hash: 5faaf63282ad9c22e1b500e921ec035ac05bd269c71a25734bf640d4b5de24adf36bf445565a40d5eda249360b6becac
SHA1 hash: 2ced0e3577063ca3613b43661e7df5bc1411ab09
MD5 hash: 18d05e20731583a22b495d0d1f107c5b
humanhash: winter-mockingbird-floor-zulu
File name:Software updated v2.6.0.exe
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:262'305 bytes
First seen:2021-07-19 00:02:50 UTC
Last seen:2021-07-19 00:44:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 3072:Cf1BDZ0kVB67Duw9AMcb6FKglbz5107+i9CUVx/kvBFi4lBV5AfeNNu0NiF:C9X0GT6FKgpF107+iNDG5l5AfeNpNs
Threatray 81 similar samples on MalwareBazaar
TLSH T13C44571C375E8B93C75871B00A1595179EE52910E77C4283BFA43ECAEFBE346B10E85A
Reporter Anonymous
Tags:CoinMiner.XMRig exe XMRIG

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Software updated v2.6.0.exe
Verdict:
Malicious activity
Analysis date:
2021-07-19 00:00:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ff50cbfd-c584-4106-9dd1-b848b2457a34

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172452/
Detection(s):
SecuriteInfo.com.Heur.Mint.Porcupine.quZ@baDcNkkig.19027.10290.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99a703e4-272e-488d-8ad5-d091fa49e0e4
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817982
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450393 Sample: Software updated v2.6.0.exe Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 109 Malicious sample detected (through community Yara rule) 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 Yara detected Xmrig cryptocurrency miner 2->113 115 5 other signatures 2->115 9 Software updated v2.6.0.exe 9 2->9         started        12 svchost.exe 2->12         started        15 rtksmbs.exe 3 2->15         started        17 11 other processes 2->17 process3 dnsIp4 85 C:\Users\user\AppData\Roaming\xmrmine.exe, PE32+ 9->85 dropped 87 C:\Users\user\AppData\Roaming\etcmin.exe, PE32+ 9->87 dropped 20 xmrmine.exe 5 9->20         started        24 etcmin.exe 5 9->24         started        137 Changes security center settings (notifications, updates, antivirus, firewall) 12->137 26 MpCmdRun.exe 12->26         started        139 Machine Learning detection for dropped file 15->139 28 cmd.exe 15->28         started        93 127.0.0.1 unknown unknown 17->93 89 C:\Users\user\AppData\...\sihost64.exe, PE32+ 17->89 dropped 91 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 17->91 dropped 30 cmd.exe 17->30         started        32 sihost64.exe 17->32         started        file5 signatures6 process7 file8 79 C:\Users\user\AppData\...\serverpatch.exe, PE32+ 20->79 dropped 135 Machine Learning detection for dropped file 20->135 34 serverpatch.exe 14 8 20->34         started        38 cmd.exe 1 20->38         started        81 C:\Users\user\AppData\Roaming\rtksmbs.exe, PE32+ 24->81 dropped 40 rtksmbs.exe 24->40         started        43 cmd.exe 1 24->43         started        45 conhost.exe 24->45         started        47 schtasks.exe 24->47         started        49 conhost.exe 26->49         started        signatures9 process10 dnsIp11 95 github.com 140.82.121.3, 443, 49718 GITHUBUS United States 34->95 97 raw.githubusercontent.com 185.199.109.133, 443, 49720, 49724 FASTLYUS Netherlands 34->97 99 sanctam.net 185.65.135.248, 49717, 49721, 58899 ESAB-ASSE Sweden 34->99 117 Machine Learning detection for dropped file 34->117 119 Injects code into the Windows Explorer (explorer.exe) 34->119 121 Contains functionality to inject code into remote processes 34->121 125 5 other signatures 34->125 51 explorer.exe 34->51         started        55 sihost64.exe 34->55         started        57 cmd.exe 34->57         started        123 Uses schtasks.exe or at.exe to add and modify task schedules 38->123 59 conhost.exe 38->59         started        61 schtasks.exe 1 38->61         started        101 140.82.121.4, 443, 49722 GITHUBUS United States 40->101 83 C:\Users\user\AppData\...\sihost32.exe, PE32+ 40->83 dropped 63 sihost32.exe 40->63         started        65 cmd.exe 40->65         started        67 conhost.exe 43->67         started        69 3 other processes 43->69 file12 signatures13 process14 dnsIp15 103 168.119.38.182, 49728, 80 HETZNER-ASDE Germany 51->103 105 pastebin.com 104.23.99.190, 443, 49727 CLOUDFLARENETUS United States 51->105 107 pool.hashvault.pro 51->107 127 System process connects to network (likely due to code injection or exploit) 51->127 129 Query firmware table information (likely to detect VMs) 51->129 131 Tries to detect sandboxes and other dynamic analysis tools (window names) 51->131 133 Machine Learning detection for dropped file 55->133 71 conhost.exe 57->71         started        73 schtasks.exe 57->73         started        75 conhost.exe 65->75         started        77 schtasks.exe 65->77         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae/
Threat name:
ByteCode-MSIL.Trojan.MintPorcupine
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 00:03:04 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=whc72xapnitwb23dqqkntp43ou3lqh2f5w6z2ue52ccti3dhu2xa._file
Verdict:
malicious
Similar samples:
299dc3bb613a10e1a2d96c3e49d62d42145b1a48fbd6a087da6cc56661e82546
CoinMiner.XMRig
6256527c14f620b3e72b8841930d51e83d9a443a5f3676e966d3f2969ed35bfa
CoinMiner.XMRig
995ab2c020f8d8ac61c6c5e2bfdd383f2134a6463ea2ba218337b80b639e13cd
CoinMiner.XMRig
e08f276f148db04bdcd9fe52e5418b06572a5c537e5610d1ef711591c6d416bf
CoinMiner.XMRig
e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2
CoinMiner.XMRig
f89110f497e2a39c3fc34329b16e5528564bae652fda61cd07410b27e046fdf3
CoinMiner.XMRig
fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56
CoinMiner.XMRig
feb12de92aa1536ba75f69b41bf74cc3bd8438df7eb0f0705ebbd1de73994624
CoinMiner.XMRig
+ 71 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/210719-wdl38yk3gx/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
MD5 hash:
18d05e20731583a22b495d0d1f107c5b
SHA1 hash:
2ced0e3577063ca3613b43661e7df5bc1411ab09
Link:
https://www.unpac.me/results/3d6c2886-3a24-4638-840e-45adfb0f7601/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172452/

Comments