MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5ad236f3ad54f2c46b4567892330c553fe20f8c0ea85f26fe47cbd88aa555d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5ad236f3ad54f2c46b4567892330c553fe20f8c0ea85f26fe47cbd88aa555d8
SHA3-384 hash: bd5bc33cb8464823df0ebd95dc7c100c0f6d52774dd832611dbfad811d7e50a0ed2b8880ff92a32aa177f6f155412c26
SHA1 hash: 8625a4f4bdab1d007a8ecec95d40f9cf9c5217fd
MD5 hash: 528b0c3da07891f258f33408edb3b780
humanhash: table-ceiling-maine-arizona
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'605'056 bytes
First seen:2024-02-03 22:55:30 UTC
Last seen:2024-02-04 00:48:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash de41d4e0545d977de6ca665131bb479a (85 x CoinMiner)
ssdeep 49152:Y2gsklxWlXQPQ/6jHLg6DrBtqSMlfEDOp4/JBDBJ2LvINoW6RJHp5TR+TboZql+i:YO1se6zhlUD3MJp2EN6p5ZExxp
Threatray 97 similar samples on MalwareBazaar
TLSH T197C533BB25B5A6EEE5518D7841411A1F423BF2331F7249E3AAF3022F4B072E67935B44
TrID 49.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
31.8% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.EXE) OS/2 Executable (generic) (2029/13)
6.0% (.EXE) Generic Win/DOS Executable (2002/3)
6.0% (.EXE) DOS Executable Generic (2000/1)
Reporter Bitsight
Tags:CoinMiner exe


Avatar
Bitsight
url: http://193.233.132.167/lend/X1.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
429
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474442/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.20534.6706.UNOFFICIAL
Create hunting rule

Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/65bec482a858ab3d2108de34/reports/b5441905-dd48-4896-a5df-2c1db4e296fe/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/b5ad236f3ad54f2c46b4567892330c553fe20f8c0ea85f26fe47cbd88aa555d8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b38cc17-901b-4f06-8fb3-64db762d40a5
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1386209
Signature
Found strings related to Crypto-Mining
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1386209 Sample: file.exe Startdate: 04/02/2024 Architecture: WINDOWS Score: 88 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected Xmrig cryptocurrency miner 2->40 42 Found strings related to Crypto-Mining 2->42 7 gzexiztdwrwd.exe 1 2->7         started        11 file.exe 2 2->11         started        process3 file4 32 C:\Windows\Temp\nmsjxrtbxhri.sys, PE32+ 7->32 dropped 44 Multi AV Scanner detection for dropped file 7->44 46 Injects code into the Windows Explorer (explorer.exe) 7->46 48 Modifies the context of a thread in another process (thread injection) 7->48 50 Sample is not signed and drops a device driver 7->50 13 explorer.exe 7->13         started        34 C:\ProgramData\...\gzexiztdwrwd.exe, PE32+ 11->34 dropped 16 sc.exe 1 11->16         started        18 sc.exe 1 11->18         started        20 sc.exe 1 11->20         started        22 sc.exe 1 11->22         started        signatures5 process6 signatures7 52 Found strings related to Crypto-Mining 13->52 24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        process8
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b5ad236f3ad54f2c46b4567892330c553fe20f8c0ea85f26fe47cbd88aa555d8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5ad236f3ad54f2c46b4567892330c553fe20f8c0ea85f26fe47cbd88aa555d8/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-02-03 22:56:06 UTC
File Type:
PE+ (Exe)
AV detection:
21 of 38 (55.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwwsg3z22vhsyrvukz4jemymku76ed4mb2uf6jx6i7f5rcvfkxma._file
Verdict:
malicious
Similar samples:
2ac49aa26525c881355d22b0980ae8bf3c2887bb4303230b4cf0431b7cfc1970
CoinMiner
4bd8648e1321262d988f1379ffc4d752dfffd5b0de4b16d2ece6fd5965bca31e
CoinMiner
601c533eafba2372de90af0784470a2d053f76cabe119af8add29d7a05be1ac5
CoinMiner
9151e8f43f29772128e76d48d2cb94a7ad1bd114bf554c47309396a7b1d14e47
CoinMiner
97efe91fe5eff3dcdcb055f037f1df01c1409e6bd38a8f07170ea53a0ff265ef
CoinMiner
a121eaf83f868e22b9a58496c91698bdd3cef759237320d87c2b7970767dcfa9
CoinMiner
a3791f9a33de62edfcfbb4bad919ed4dfdf81b914ce7af5120233bd20228765b
CoinMiner
b7d749fb9ae8ad5fff025f69cbfb54c6b52e559fc989e46622e53a662a667c5e
CoinMiner
dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806
CoinMiner
+ 87 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner persistence upx
Link:
https://tria.ge/reports/240203-2wnhksbhb3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Launches sc.exe
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
UPX packed file
Creates new service(s)
Stops running service(s)
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
b5ad236f3ad54f2c46b4567892330c553fe20f8c0ea85f26fe47cbd88aa555d8
MD5 hash:
528b0c3da07891f258f33408edb3b780
SHA1 hash:
8625a4f4bdab1d007a8ecec95d40f9cf9c5217fd
Link:
https://www.unpac.me/results/89f71441-3cf7-4a9d-8b1a-cbc4a35ab69b/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5ad236f3ad5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/b5ad236f3ad54f2c46b4567892330c553fe20f8c0ea85f26fe47cbd88aa555d8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe b5ad236f3ad54f2c46b4567892330c553fe20f8c0ea85f26fe47cbd88aa555d8

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2756248/
Cape
Cape
https://www.capesandbox.com/analysis/474442/

Comments