MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f
SHA3-384 hash: c7742f4457d519efb983d88b8dab19de4df57236962b085f20d5e9481c23e68406c4ebb535d12665352c27be1fd88832
SHA1 hash: 0a938faca18c4733bc5fad3b1ae8c523eebcba86
MD5 hash: 34d4591575fdbde20d36469f54b0022f
humanhash: white-uncle-bulldog-uranus
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'676'736 bytes
First seen:2024-02-04 01:23:53 UTC
Last seen:2024-02-19 09:18:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash de41d4e0545d977de6ca665131bb479a (85 x CoinMiner)
ssdeep 49152:CrifRBLHC9vvGmkPqzwhzcVUjEBjALZSIlvPfcM/uW8/ae89VqyJBbtKn7:CrALHC9vGm6hILBjALUIlvPUM2W3e89I
TLSH T11BC53369B8C5A270E94C4576B608EAB65AC47C6DC778D1F725D0DEF3BBE20F0162CA10
TrID 49.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
31.8% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.EXE) OS/2 Executable (generic) (2029/13)
6.0% (.EXE) Generic Win/DOS Executable (2002/3)
6.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter Bitsight
Tags:CoinMiner cre8ure exe


Avatar
Bitsight
url: http://193.233.132.167/lend/art33.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
550
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474453/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.24676.9095.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/65bee733b012cce0edbb2579/reports/f3d9136e-ca57-47ed-bd1d-05d92cc036a5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb966dfd-8558-44a8-ae7a-2bae59a0a3d5
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1386249
Signature
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses powercfg.exe to modify the power settings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1386249 Sample: file.exe Startdate: 04/02/2024 Architecture: WINDOWS Score: 100 54 pool.hashvault.pro 2->54 58 Snort IDS alert for network traffic 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 3 other signatures 2->64 8 uyzpsnbeowaz.exe 1 2->8         started        12 file.exe 2 2->12         started        signatures3 process4 file5 50 C:\Windows\Temp\ejecottirzko.sys, PE32+ 8->50 dropped 66 Multi AV Scanner detection for dropped file 8->66 68 Modifies the context of a thread in another process (thread injection) 8->68 70 Sample is not signed and drops a device driver 8->70 14 cmd.exe 8->14         started        18 powercfg.exe 1 8->18         started        20 powercfg.exe 1 8->20         started        28 2 other processes 8->28 52 C:\ProgramData\...\uyzpsnbeowaz.exe, PE32+ 12->52 dropped 72 Uses powercfg.exe to modify the power settings 12->72 74 Modifies power options to not sleep / hibernate 12->74 22 powercfg.exe 1 12->22         started        24 powercfg.exe 1 12->24         started        26 powercfg.exe 1 12->26         started        30 5 other processes 12->30 signatures6 process7 dnsIp8 56 pool.hashvault.pro 142.202.242.45, 49729, 80 1GSERVERSUS Reserved 14->56 76 Query firmware table information (likely to detect VMs) 14->76 78 Found strings related to Crypto-Mining 14->78 32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        46 2 other processes 28->46 42 conhost.exe 30->42         started        44 conhost.exe 30->44         started        48 3 other processes 30->48 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-02-04 01:24:06 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xt7ulgsh53ob243xvir6ccezdbiws2go7d6e7tvz3j357gcusb7q._file
Verdict:
unknown
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner persistence upx
Link:
https://tria.ge/reports/240204-bsdabsgfcn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
UPX packed file
Blocklisted process makes network request
Creates new service(s)
Stops running service(s)
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f
MD5 hash:
34d4591575fdbde20d36469f54b0022f
SHA1 hash:
0a938faca18c4733bc5fad3b1ae8c523eebcba86
Link:
https://www.unpac.me/results/68dcb689-13df-47f0-90f8-a51dd3ef3c9c/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bcff459a47ee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2756310/
Cape
Cape
https://www.capesandbox.com/analysis/474453/

Comments