MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1d462b8dd8cc081cc262c2c6ee45825aa0f45e1b02e370360db66fdea3eea8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments

SHA256 hash:	b1d462b8dd8cc081cc262c2c6ee45825aa0f45e1b02e370360db66fdea3eea8d
SHA3-384 hash:	0be604bbcf389e34d3216d423b439bc6732e8c655ad3881d394bd4c727d97163fed43c0375ea2ad23bd0ab0835661bbb
SHA1 hash:	6aed319e0c1769859b3cd20bdacb3792fa0ae8b1
MD5 hash:	70484579327875a42f6288203a14e5d7
humanhash:	pip-butter-papa-moon
File name:	70484579327875a42f6288203a14e5d7.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	2'638'336 bytes
First seen:	2023-01-20 19:52:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ea0350fc68ec9a11296db9ab47725f8a (1 x CoinMiner)
ssdeep	49152:3QxxxM444xxx+o8/wq1GJ/Sti1GSsX5lAw:gxxxM444xxx+o8/wq1G8Y1lsDAw
Threatray	2'961 similar samples on MalwareBazaar
TLSH	T185C55C1251A9C862F4AA88BD7025DDF2CBD72C9CBF63E9873430746BD9BB5C065943C4
File icon (PE):
dhash icon	f0d8e4c4cce4d8f0 (1 x CoinMiner)
Reporter	abuse_ch
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

186

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/355125/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Creating a file

Enabling the 'hidden' option for recently created files

Using the Windows Management Instrumentation requests

Verdict:

No Threat

Threat level:

2/10

Confidence:

80%

Tags:

packed shell32.dll

Link:

https://www.filescan.io/uploads/63caf12089bd67c10fd8e145/reports/780e5d26-2ef4-454f-89e2-06b9b521f14b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b2b3ec37-2a3d-4aeb-882c-257aeab15cd4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1d462b8dd8cc081cc262c2c6ee45825aa0f45e1b02e370360db66fdea3eea8d/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-01-20 16:50:24 UTC

File Type:

PE+ (Exe)

Extracted files:

172

AV detection:

13 of 37 (35.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=whkgfog5rtaidtbgfqwg5zcyewva6rpbwaxdoa3a3ntp32r65kgq._file

Verdict:

unknown

CoinMiner

55324764040c65977ea1eae0fcbde3af5cbc1221abc27414dcb09a6e5fb6cbf6

CoinMiner

5a329d76898db05611e2dad04c55e316f1c4bb2dd6c9d223eb85af92bc2e1893

CoinMiner

5a6f5d425060a2bfc152e1c2673991151e8863354deb3c4febd60ce42a80f35e

CoinMiner

6f0be85cffdd59d4a1d520b6985820b6a62ad3978d3325be19b0c2f0e58dea14

CoinMiner

7bd34b7923a17098175c99070569b5a49e8dea6921edcbce273ec7f59e8ab9d1

CoinMiner

9d4888ece611891fb0343b8c003703a4ec653031585a2c578b3bb525683b3b9a

CoinMiner

ec2eb6345f2e7ef75f0e38a7bd4c60f420a0ff02a8e9b37005855409f0e23aec

CoinMiner

f3a92a0b974cbe0f0c2b1236f098dde0763c220d391a83d8334d6e56946c57c3

CoinMiner

+ 2'951 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/230120-ylyzsahf83/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

XMRig Miner payload

xmrig

Unpacked files

SH256 hash:

b1d462b8dd8cc081cc262c2c6ee45825aa0f45e1b02e370360db66fdea3eea8d

MD5 hash:

70484579327875a42f6288203a14e5d7

SHA1 hash:

6aed319e0c1769859b3cd20bdacb3792fa0ae8b1

Link:

https://www.unpac.me/results/a8566be2-cd56-45a2-9a36-eb626125f293/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b1d462b8dd8c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/b1d462b8dd8cc081cc262c2c6ee45825aa0f45e1b02e370360db66fdea3eea8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	win_xfilesstealer_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.xfilesstealer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

exe b1d462b8dd8cc081cc262c2c6ee45825aa0f45e1b02e370360db66fdea3eea8d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2511168/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/355125/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample