MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b50cfd0edcdb6b99115f83ae101003203d113e40e7cf1fa9c796886115f8c994. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 5

SHA256 hash: b50cfd0edcdb6b99115f83ae101003203d113e40e7cf1fa9c796886115f8c994
SHA3-384 hash: 566cc951bc3766c8443f6b72babff23d6595a176f16d6d579fa682ea61f9fe362a006dc96354f125e21c5c0603bed781
SHA1 hash: 080ea57e5ceb78ca02df9bf68019a6fbfb7c1919
MD5 hash: dca89b78b3ae8add50e23e5da27f8978
humanhash: salami-equal-social-arizona
File name: Install.exe
Signature: CoinMiner
File size: 2'341'376 bytes
First seen: 2021-05-27 05:31:27 UTC
Last seen: 2021-05-27 07:00:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 49152:Ir05w0uVu0vPqn3pMvOQg8TlvxVAfJlJ1Ep8/v8:Ir05g9vSn3pMvOXi2DJep6E
Threatray: 221 similar samples on MalwareBazaar
TLSH: 45B5339CB020B1AFCD4BCDB58E946E55AA60247D131FC283A52756EC7B8C89F8F15933
Reporter: adm1n_usa32
Tags: CoinMiner exe
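The hashes listed above are this entry's file-level IOCs. The Python script below is an added example, not MalwareBazaar's own code: it hashes a candidate file once for all three algorithms, skips files whose size differs from the entry's 2'341'376 bytes so a directory sweep does not hash everything, and reports which digests match. The hash values and the size are copied from the entry; the function names and any sample bytes are constructed here.

```python
"""Match candidate files against the hash IOCs of this MalwareBazaar entry.

Added example, not MalwareBazaar code. The digests and file size below are
copied from the entry; the helper names are constructed here.
"""
import hashlib
import io
import os
from typing import Dict, List, Optional

# IOCs copied from the entry above (lowercase hex).
IOC_SHA256 = "b50cfd0edcdb6b99115f83ae101003203d113e40e7cf1fa9c796886115f8c994"
IOC_SHA1 = "080ea57e5ceb78ca02df9bf68019a6fbfb7c1919"
IOC_MD5 = "dca89b78b3ae8add50e23e5da27f8978"
IOC_SIZE = 2_341_376  # bytes, from the entry

IOCS: Dict[str, str] = {"sha256": IOC_SHA256, "sha1": IOC_SHA1, "md5": IOC_MD5}


def hash_stream(fobj, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute md5, sha1 and sha256 in a single pass over a file-like object."""
    hashers = {name: hashlib.new(name) for name in IOCS}
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (e.g. a carved or dumped buffer)."""
    return hash_stream(io.BytesIO(data))


def match_hashes(digests: Dict[str, str]) -> List[str]:
    """Return the algorithms whose digest equals the published IOC.

    Callers should look at which algorithms matched: sha256 alone is
    conclusive, md5 alone is not (collisions are cheap to produce).
    """
    return [name for name, ioc in IOCS.items() if digests.get(name, "").lower() == ioc]


def match_file(path: str) -> Optional[List[str]]:
    """Hash a file on disk; None means the size already rules the sample out."""
    if os.path.getsize(path) != IOC_SIZE:
        return None
    with open(path, "rb") as f:
        return match_hashes(hash_stream(f))


def sweep(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and report every file matching at least one IOC."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                matched = match_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            if matched:
                hits[path] = matched
    return hits


if __name__ == "__main__":
    import sys
    for path, algos in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: matches {', '.join(algos)}")
```

Run it as `python3 ioc_sweep.py <directory>`; the size pre-filter is what keeps this usable on a large share, and a hit on sha256 is the one to act on.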

Intelligence

File Origin
# of uploads: 2
# of downloads: 277
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Install.exe
Verdict: No threats detected
Analysis date: 2021-05-27 05:32:48 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict reflects all user actions taken during the analysis session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 425407
Sample: Install.exe
Start date: 27/05/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 4 other signatures.

Process tree recovered from the graph (node numbers are the graph's own; dropped-file paths are shown truncated, as on the page):

Install.exe (node 10, started from the root)
    dropped: C:\Users\user\AppData\...\Services32.exe (PE32+); C:\Users\...\Services32.exe:Zone.Identifier (ASCII, the Mark-of-the-Web alternate data stream); C:\Users\user\AppData\...\Install.exe.log (ASCII)
    started: Services32.exe (16), sihost32.exe (19), cmd.exe (21)
Services32.exe (node 13, started from the root)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Hijacks the control flow in another process; 4 other signatures
    started: cmd.exe (23), sihost32.exe (25), svchost.exe (27)
Services32.exe (16)
    signatures: Hijacks the control flow in another process; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
    started: sihost32.exe (29), cmd.exe (31), svchost.exe (33)
sihost32.exe (19)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
cmd.exe (21)
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules
    started: conhost.exe (35), conhost.exe (37), schtasks.exe (39), schtasks.exe (41)
cmd.exe (23)
    started: conhost.exe (43), schtasks.exe (45)
sihost32.exe (29)
    started: Services32.exe (47), Services32.exe (51), Services32.exe (53), 6 other processes (55)
    dropped (by node 55): C:\Users\user\AppData\...\sihost32.exe (PE32+)
Services32.exe (47)
    network: 192.168.2.1 (a private RFC 1918 address)
    signatures: Hijacks the control flow in another process; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
    started: cmd.exe (58)
Services32.exe (51)
    started: cmd.exe (60)
cmd.exe (58)
    started: conhost.exe (62), schtasks.exe (64)

The chain to watch for on an endpoint is therefore: a downloaded Install.exe drops Services32.exe and sihost32.exe under AppData, cmd.exe calls schtasks.exe to persist them, and the dropped binaries inject into svchost.exe, which is why the svchost instances here have a non-standard parent.
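The signatures listed above and the process tree in the behaviour graph describe the chain that matters for detection: the dropped Services32.exe runs from AppData, cmd.exe calls schtasks.exe for persistence, and svchost.exe is started by the dropped binary rather than by services.exe (the condition behind the "Suspicious Svchost Process" Sigma hit). The script below is an added example, not code from MalwareBazaar or from any of the sandboxes quoted on this page; it runs three rules of that kind over constructed Sysmon-style process-creation records. The full paths, PIDs, command lines and task name in those records are placeholders (the page shows the AppData paths truncated, and gives no command lines), and the svchost parent allowlist is an assumption modelled on the public Sigma rule, to be checked against the rule itself before use.

```python
"""Behaviour-based triage for a process tree like the one in the graph above.

Added example, not from MalwareBazaar or any sandbox vendor. Event records
are constructed in a Sysmon-like shape; paths, PIDs and task names are
placeholders, not values from the page.
"""
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

# Directories an unprivileged user can write to; a "service" binary here is unusual.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Legitimate parents of svchost.exe (assumed allowlist modelled on the Sigma rule).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}
# Parents that routinely launch user-installed software from AppData (assumed allowlist).
INTERACTIVE_PARENTS = {"explorer.exe", "userinit.exe"}
# The /tr (task action) argument of schtasks, quoted or unquoted.
_TASK_RUN = re.compile(r'/tr\s+"?([^"]+?)"?(?=\s+/|$)', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def suspicious_svchost(ev: Event) -> bool:
    """svchost.exe whose parent is not services.exe or another known host."""
    return basename(ev["Image"]) == "svchost.exe" and basename(ev["ParentImage"]) not in SVCHOST_PARENTS


def schtasks_user_writable(ev: Event) -> bool:
    """schtasks /create whose task action points into a user-writable directory."""
    if basename(ev["Image"]) != "schtasks.exe" or "/create" not in ev["CommandLine"].lower():
        return False
    m = _TASK_RUN.search(ev["CommandLine"])
    return bool(m) and in_user_writable(m.group(1))


def dropped_exe_launch(ev: Event) -> bool:
    """Executable run from a user-writable directory by something other than the shell."""
    return in_user_writable(ev["Image"]) and basename(ev["ParentImage"]) not in INTERACTIVE_PARENTS


RULES = [suspicious_svchost, schtasks_user_writable, dropped_exe_launch]


def run_rules(events: List[Event]) -> List[Tuple[str, int]]:
    """(rule name, pid) for every event that trips a rule, in event order."""
    return [(rule.__name__, ev["pid"]) for ev in events for rule in RULES if rule(ev)]


def ancestry(events: List[Event], pid: int) -> List[str]:
    """Image basenames from the outermost known parent down to pid."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain: List[str] = []
    ev = by_pid.get(pid)
    while ev is not None:
        chain.append(basename(ev["Image"]))
        parent = by_pid.get(ev["ppid"])
        if parent is None:  # root of what we logged: keep its recorded parent name
            chain.append(basename(ev["ParentImage"]))
        ev = parent
    return chain[::-1]


# Constructed records mirroring the graph (placeholders; "Roaming" and the
# Downloads path are not given on the page), plus three benign look-alikes.
INSTALL = r"C:\Users\user\Downloads\Install.exe"
SERVICES32 = r"C:\Users\user\AppData\Roaming\Services32.exe"
EVENTS: List[Event] = [
    {"pid": 10, "ppid": 2, "Image": INSTALL, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": INSTALL},
    {"pid": 16, "ppid": 10, "Image": SERVICES32, "ParentImage": INSTALL, "CommandLine": SERVICES32},
    {"pid": 21, "ppid": 10, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": INSTALL, "CommandLine": "cmd.exe /c schtasks ..."},
    {"pid": 39, "ppid": 21, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "ConstructedTask" /tr "C:\Users\user\AppData\Roaming\Services32.exe" /sc minute /mo 1 /f'},
    {"pid": 33, "ppid": 16, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": SERVICES32, "CommandLine": "svchost.exe"},
    # benign: svchost hosted by services.exe, a scheduled task into Program Files, an AppData app started from the shell
    {"pid": 900, "ppid": 600, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"pid": 901, "ppid": 800, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"pid": 902, "ppid": 2, "Image": r"C:\Users\user\AppData\Local\SomeApp\SomeApp.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "SomeApp.exe"},
]

if __name__ == "__main__":
    for rule_name, pid in run_rules(EVENTS):
        print(f"{rule_name}: pid {pid}, chain {' > '.join(ancestry(EVENTS, pid))}")
```

Only the three events that reproduce the sample's chain fire; the `ancestry` helper is what turns a single hit (an odd svchost parent) into the dropper-to-injection chain an analyst wants to see in one line. The user-writable and parent allowlists are the tuning points: widen them for environments where updaters legitimately run from AppData.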
Threat name: ByteCode-MSIL.Trojan.Miner
Status: Malicious
First seen: 2021-05-27 01:30:14 UTC
AV detection: 10 of 28 (35.71%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File: Executable exe b50cfd0edcdb6b99115f83ae101003203d113e40e7cf1fa9c796886115f8c994 (this sample)

Comments