MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499
SHA3-384 hash: 754aa169ec7232b635c7f44a3353555c6ec3293e380cd6e2c3f2f7710c52d80b75e0a4ab4c59ac4f39971af503beb305
SHA1 hash: 3740133e77fae5ee1c0ed1cb0493af5557e3562a
MD5 hash: f6fd2a4333007f65beef7609077ec14d
humanhash: glucose-kilo-enemy-pip
File name:f6fd2a4333007f65beef7609077ec14d.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'277'376 bytes
First seen:2022-09-27 05:47:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1e1db4ddf300b66a3afa3056ec32bfd (14 x CoinMiner, 2 x PripyatMiner)
ssdeep 49152:C30HPteDTvEXI2s+HNZlZT+DM+dRQYpeV+wj:CgPteDTsIInZWM+bpeV+
Threatray 13 similar samples on MalwareBazaar
TLSH T1BBB5132E63A244FDC6278171C2DF9371E96AFC200360ED2F0B5ADF761D74D608A9EA54
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313802/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a file in the %temp% directory
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39402/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed shell32.dll
Link:
https://www.filescan.io/uploads/63328e94665fcdb8807a2c0f/reports/2dbda461-046f-4e8f-88cb-6934042aaccf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3880322f-3a4f-4a6a-aab8-6ecab657008d
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078017
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 710568 Sample: NZ7KR56jTl.exe Startdate: 27/09/2022 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for dropped file 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 4 other signatures 2->51 7 updater.exe 3 2->7         started        11 NZ7KR56jTl.exe 3 2->11         started        process3 file4 37 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 7->37 dropped 39 C:\Users\user\AppData\Local\Temp\93A2.tmp, PE32+ 7->39 dropped 53 Antivirus detection for dropped file 7->53 55 Machine Learning detection for dropped file 7->55 57 Writes to foreign memory regions 7->57 59 4 other signatures 7->59 13 cmd.exe 7->13         started        17 cmd.exe 3 7->17         started        19 powershell.exe 22 7->19         started        41 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 11->41 dropped 21 powershell.exe 36 11->21         started        23 powershell.exe 12 11->23         started        signatures5 process6 dnsIp7 43 185.215.113.84, 49709, 49710, 49711 WHOLESALECONNECTIONSNL Portugal 13->43 61 Query firmware table information (likely to detect VMs) 13->61 25 WMIC.exe 1 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        63 Uses schtasks.exe or at.exe to add and modify task schedules 21->63 31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 schtasks.exe 1 23->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2022-09-25 23:29:13 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wld57psxnqmwftlepelsa7uvpul5xy3hynw54byqktysx2wgqsmq._file
Verdict:
malicious
Similar samples:
02aeff4e07664864d428440cab4be050ddc1504ff997ce0fef7068899139318d
CoinMiner
2980402300cdd466b4dd068c4352fde25c5d9edd68536b8a8911603e9a10cc94
CoinMiner
30979d6192d60158768f4bf3955399bf3289592403b4899fe7fe5de57d6e664a
CoinMiner
5850d3b23060abb351ae9dafecfe7c19c9e890004f4c14f8ee7d164838fc356b
CoinMiner
6cfd239899f3900e6eaa1c1b2a11ddb8b082ee224fb1014bdc9baadb61611135
CoinMiner
6d0429bb3533ea8cd3b10d207ec5505ac0d38692f7f4cd1375db7cd1aba0be6e
CoinMiner
713b5821fb297bf6fda93ad5fe11dabebc2cba0aa38f4c66d02c75703a0d0bce
CoinMiner
ce07b1122ef0305ce0dd1588394295073545df0b5a91c63f6ab6eaf5b7f74091
CoinMiner
ce309a2f5d17fa9dc0957947d401699492ca6f9d63206486d947aea54c65c589
CoinMiner
de85e7754cdb6c18d93f074d58406b4b4e91466cb53e82f962535452ebc2b9d9
CoinMiner
+ 3 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/220927-ghfklacfe3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
XMRig Miner payload
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ac32cf50-db21-46b9-9f9a-c3b49fe9f941
Unpacked files
SH256 hash:
b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499
MD5 hash:
f6fd2a4333007f65beef7609077ec14d
SHA1 hash:
3740133e77fae5ee1c0ed1cb0493af5557e3562a
Link:
https://www.unpac.me/results/67a604f3-0a12-4daa-9dce-14591c1b8e97/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b2c7dfbe576c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1609470/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/313802/

Comments