MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f
SHA3-384 hash: b4a9e052577d895a11e16930b52baa4ab2288058affac42cfde16add468598e4e8f59c736341ea2d4d6782e80516bde1
SHA1 hash: 76a6da00893bf5fa29e9b9a6e69e83e1ded5856c
MD5 hash: d4fc8415802d26f5902a925dafa09f95
humanhash: december-freddie-fruit-aspen
File name:d4fc8415802d26f5902a925dafa09f95
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'887'922 bytes
First seen:2023-03-16 17:12:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c1f9ea6d51ba4934aeaee8b1f7d283d7 (2 x CoinMiner, 1 x FatalRAT, 1 x Blackmoon)
ssdeep 98304:GUwJ6Lv3608hjXk/o58364xowyoYLDVEjIHpnzwu7GsD:CSv61hjXk/W8364xowMqcnzwuCg
Threatray 150 similar samples on MalwareBazaar
TLSH T19A06331FB39A2E91CC0EAF737097D7D2C8EEC6913905F6235E5E01199C80B7AB0959E1
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 00f8c8d4c4e0f100 (1 x CoinMiner)
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-16 12:29:22 UTC
Tags:
loader smoke trojan rat redline stealer amadey opendir aurorastealer evasion
Link:
https://app.any.run/tasks/cd987dab-58b9-4b25-9792-983cf40a1dd7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374866/
Detection(s):
Win.Malware.Misc-9963874-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Sending a custom TCP request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/73417/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
enigma overlay packed shell32.dll virus virut
Link:
https://www.filescan.io/uploads/64134e20c65d1ebf04c0be87/reports/6553c717-3298-4feb-b904-d713b5bd3f1d/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43dfa326-efce-420f-8c2a-a642f8417a70
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1195186
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Found hidden mapped module (file has been removed from disk)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
PowerShell case anomaly found
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses powercfg.exe to modify the power settings
Very long command line found
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 828094 Sample: 95j04b10fW.exe Startdate: 16/03/2023 Architecture: WINDOWS Score: 100 73 Snort IDS alert for network traffic 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for dropped file 2->77 79 7 other signatures 2->79 8 95j04b10fW.exe 8 2->8         started        11 mshta.exe 2 2->11         started        14 cmd.exe 2->14         started        16 11 other processes 2->16 process3 file4 55 C:\Users\user\AppData\Local\...\installer.exe, PE32+ 8->55 dropped 18 installer.exe 1 4 8->18         started        22 cmd.exe 1 8->22         started        24 cmd.exe 8->24         started        113 Suspicious powershell command line found 11->113 26 powershell.exe 20 11->26         started        115 Modifies power options to not sleep / hibernate 14->115 29 conhost.exe 14->29         started        31 powercfg.exe 14->31         started        35 3 other processes 14->35 117 Creates files in the system32 config directory 16->117 119 Changes security center settings (notifications, updates, antivirus, firewall) 16->119 33 MpCmdRun.exe 16->33         started        37 2 other processes 16->37 signatures5 process6 dnsIp7 61 192.168.2.1 unknown unknown 18->61 81 Multi AV Scanner detection for dropped file 18->81 83 Detected unpacking (changes PE section rights) 18->83 85 Query firmware table information (likely to detect VMs) 18->85 97 5 other signatures 18->97 39 powershell.exe 15 9 18->39         started        87 Uses powercfg.exe to modify the power settings 22->87 89 Modifies power options to not sleep / hibernate 22->89 43 conhost.exe 22->43         started        45 conhost.exe 24->45         started        57 C:\Windows\Temp\dqjjvhqz.tmp, PE32+ 26->57 dropped 59 C:\Windows\System32\config\...\WR64.sys, PE32+ 26->59 dropped 91 Very long command line found 26->91 93 Creates files in the system32 config directory 26->93 95 Writes to foreign memory regions 26->95 99 3 other signatures 26->99 47 dwm.exe 26->47         started        49 conhost.exe 26->49         started        51 conhost.exe 33->51         started        file8 signatures9 process10 dnsIp11 63 api4.ipify.org 173.231.16.76, 443, 49707 WEBNXUS United States 39->63 65 iplogger.com 148.251.234.93, 443, 49706 HETZNER-ASDE Germany 39->65 71 2 other IPs or domains 39->71 101 Very long command line found 39->101 103 May check the online IP address of the machine 39->103 105 Found hidden mapped module (file has been removed from disk) 39->105 107 Powershell drops PE file 39->107 53 conhost.exe 39->53         started        67 179.43.154.176, 49708, 49710, 7000 PLI-ASCH Panama 47->67 69 snippet.host 192.144.37.43, 443, 49709 SERVERUM-ASRU Russian Federation 47->69 109 Query firmware table information (likely to detect VMs) 47->109 signatures12 111 Detected Stratum mining protocol 67->111 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f/
Threat name:
Win64.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2023-03-16 08:42:41 UTC
File Type:
PE+ (Exe)
Extracted files:
83
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxdsugcxrrwmoad3nr3tr6u7ok2x5sxsnpseszfphfd7p4vviixq._file
Verdict:
unknown
Similar samples:
09a996ac5f7ab1a72f0ae488b92997555ef0e89afb8a534b1f608b6e25f40ae1
CoinMiner
26a4c5b36d9fde80ea47137eb53b40dacf240432a5895f98417eae51b6b681da
CoinMiner
3900faf462027df0e3945f7d114e5f13289f4a4cc5ffa06adebe54cd344ccef9
CoinMiner
5ca5cab79d9b387706f90117023acdd86e7628027d0e55ac55e28f637efe9405
CoinMiner
ceba09dc5368ded2d7d5b62bd36fdecbd47aee8f3219abfd2ca32f31b0eba7b0
CoinMiner
d38f78f931898d8cd152dc2e10900e784392c0a8e22e9d45f6f65827c6d17782
CoinMiner
e463d24b09ee120b0d0b6230d24f4337a73e312a4ac7fb9a3b434ec0a805db00
CoinMiner
ee71bbc5156cd3ac63e47cc99b4d22a5cda3dbdb95da39cad425edce831d2c94
CoinMiner
+ 140 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence upx
Link:
https://tria.ge/reports/230316-vreasaec5y/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Blocklisted process makes network request
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
42a629086c14b61baa07dfb55f783e8a3c6dd1ec4f16033b830d7791cc018eed
MD5 hash:
c74870b611a37d68984b714079470526
SHA1 hash:
44994242ae9e14c7cdc25aa2b55f72fe3aa31b4f
Link:
https://www.unpac.me/results/6bd01594-07d8-46d0-8e75-281b22d6d01d/
SH256 hash:
b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f
MD5 hash:
d4fc8415802d26f5902a925dafa09f95
SHA1 hash:
76a6da00893bf5fa29e9b9a6e69e83e1ded5856c
Link:
https://www.unpac.me/results/6bd01594-07d8-46d0-8e75-281b22d6d01d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5c72a18578c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_EXE_Packed_Enigma
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Enigma
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe b5c72a18578c6cc7007b6c7738fa9f72b57ecaf26be44964af3947f7f2b5422f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2573692/
Cape
Cape
https://www.capesandbox.com/analysis/374866/

Comments


Avatar
zbet commented on 2023-03-16 17:12:40 UTC

url : hxxp://62.204.41.88/lend/Setupdark.exe