MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf13e4e3b3b0205ed0a76b3eea58c274d6f9794c62e16a34a815759237623844. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 15

SHA256 hash: bf13e4e3b3b0205ed0a76b3eea58c274d6f9794c62e16a34a815759237623844
SHA3-384 hash: b29ee4fcc20844d49e3f88317918a27bb4ccb3a8d070741fc766a22de59985ff766f73b81e03bda49f91c81e637c925e
SHA1 hash: aec2b66c5c53eb4fa7c038942273588b244ae5dc
MD5 hash: b0a24b64d3661ccdb228655001772be8
humanhash: summer-chicken-sink-kitten
File name: NiNjector.exe
Signature: CoinMiner
File size: 6'180'352 bytes
First seen: 2023-03-29 04:50:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d5d9d937853db8b666bd4b525813d7bd (40 x DCRat, 28 x njrat, 5 x RedLineStealer)
ssdeep: 98304:NQVc1eph1NRHS7SGOEXXlaZ1TGxPhzOLI/VTDDNWYqU+hiF1cuZ1D8gXQ+wgK1fU:N06eH1NRsSGOEXXlaZ1KPs0DJnqRhQ/X
Threatray: 45 similar samples on MalwareBazaar
TLSH: T13F563336B2AE8798DC0495F80BE45D0068DDEE30FA9347BC9FEE9DB88A8D05455153E2
TrID: 83.6% (.EXE) Win32 Executable MS Visual C++ 4.x (134693/65)
      4.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
      2.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE): PE icon
dhash icon: e0cc8e9d148eccf0 (1 x CoinMiner)
Reporter: tcains1
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 315
Origin country: US

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: NiNjector.exe
Verdict: Malicious activity
Analysis date: 2023-03-29 04:46:29 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
Creating a file
Changing a file
Reading critical registry keys
Sending an HTTP GET request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed poison ramnit shell32.dll virus xorist
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Luca Stealer, Rusty Stealer, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Luca Stealer
Yara detected Rusty Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 836945
Sample: NiNjector.exe
Startdate: 29/03/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Sigma detected: Xmrig; Multi AV Scanner detection for domain / URL; 18 other signatures

Process tree (graph node ids in parentheses):

NiNjector.exe (12), started from the sample root
  dropped: C:\Users\user\AppData\Local\Temp\update.exe (PE32+); C:\Users\user\AppData\...\NinjaInjector.exe (PE32); C:\Users\user\AppData\...\Google Update.exe (PE32+)
  started: Google Update.exe (18); NinjaInjector.exe (21); update.exe (25)
services64.exe (15), started from the sample root
  signatures: Antivirus detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  started: conhost.exe (27)
Google Update.exe (18)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  started: conhost.exe (29)
NinjaInjector.exe (21)
  network: files.zerobytez.xyz 199.115.116.43, 443, 49702 LEASEWEB-USA-WDCUS United States; ww25.files.zerobytez.xyz; 30781.bodis.com 199.59.243.223, 49703, 80 BODIS-NJUS United States
  dropped: C:\Users\user\...\SiticoneDotNetRT.dll (PE32)
  signatures: Multi AV Scanner detection for dropped file; Performs DNS queries to domains with low reputation; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements
update.exe (25)
  network: api.telegram.org 149.154.167.220, 443, 49704 TELEGRAMRU United Kingdom; ipwho.is 195.201.57.90, 443, 49701 HETZNER-ASDE Germany
  signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
  started: powershell.exe (33)
conhost.exe (27)
  signatures: Adds a directory exclusion to Windows Defender
  started: sihost64.exe (35); cmd.exe (37); cmd.exe (39)
conhost.exe (29)
  dropped: C:\Users\user\AppData\...\services64.exe (PE32+)
  signatures: Adds a directory exclusion to Windows Defender
  started: cmd.exe (41); cmd.exe (43); cmd.exe (46)
powershell.exe (33)
  started: conhost.exe (48)
sihost64.exe (35)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  started: conhost.exe (50)
cmd.exe (37)
  started: conhost.exe (52); 2 other processes
cmd.exe (39)
  started: taskkill.exe (54); conhost.exe (57)
cmd.exe (41)
  started: services64.exe (61); conhost.exe (64)
cmd.exe (43)
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  started: powershell.exe (66); conhost.exe (68); powershell.exe (70)
cmd.exe (46)
  started: conhost.exe (72); schtasks.exe (74)
taskkill.exe (54)
  network: 192.168.2.1 unknown unknown
services64.exe (61)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  started: conhost.exe (76)
conhost.exe (76)
  dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+); C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
  signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; 2 other signatures
  started: sihost64.exe (80); svchost.exe (83); cmd.exe (86)
sihost64.exe (80)
  signatures: Antivirus detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  started: conhost.exe (88)
svchost.exe (83)
  network: mine.bmpool.org 94.131.97.127, 49705, 6004 NASSIST-ASGI Ukraine (Detected Stratum mining protocol)
  signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
cmd.exe (86)
  signatures: Adds a directory exclusion to Windows Defender
  started: conhost.exe (90); powershell.exe (92); powershell.exe (94)
Threat name: Win32.Trojan.VBinder
Status: Malicious
First seen: 2023-03-29 04:51:09 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 24 of 24 (100.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig miner spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
XMRig Miner payload
xmrig
Unpacked files

SHA256 hash: c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49
MD5 hash: 34ea7f7d66563f724318e322ff08f4db
SHA1 hash: d0aa8038a92eb43def2fffbbf4114b02636117c5

SHA256 hash: 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
MD5 hash: 9af5eb006bb0bab7f226272d82c896c7
SHA1 hash: c2a5bb42a5f08f4dc821be374b700652262308f0

SHA256 hash: fd7073c37858df675e09941ecce469b425d4b4133832be1fb684ed1741449fbb
MD5 hash: 6c4b559b8b56d386399da24e36e2a4c6
SHA1 hash: b509544c9621dd25d193b8a09d2ebea0293851b1

SHA256 hash: 7e706b2fe6dad411441d9a2064147cb88aa4f6d9cfef8f78f8457b98051cfbfc
MD5 hash: aad35299ec74ba52168de6801ab61faa
SHA1 hash: 60488548a574b53cf1d0441e57dfdfcb7fbb3d1b

SHA256 hash: 77bc75a73cccc8e47bbd81051f2289b9bce8296ca7f7f1be50b388c98a319455
MD5 hash: 4c35bea4800278b93ffcf7b0c1a20800
SHA1 hash: 6bdcf35d6a99588c6ccecc4f24e634540c4ae6d6

SHA256 hash: bf13e4e3b3b0205ed0a76b3eea58c274d6f9794c62e16a34a815759237623844 (this sample)
MD5 hash: b0a24b64d3661ccdb228655001772be8
SHA1 hash: aec2b66c5c53eb4fa7c038942273588b244ae5dc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MacOS_Cryptominer_Generic_333129b7
Author: Elastic Security

Rule name: MacOS_Cryptominer_Xmrig_241780a1
Author: Elastic Security

Rule name: MALWARE_Win_CoinMiner02
Author: ditekSHen
Description: Detects coinmining malware

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth (Nextron Systems)
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: rig_win64_xmrig_6_13_1_xmrig
Author: yarGen Rule Generator
Description: rig_win64 - file xmrig.exe
Reference: https://github.com/Neo23x0/yarGen

Rule name: XMRIG_Monero_Miner
Author: Florian Roth (Nextron Systems)
Description: Detects Monero mining software
Reference: https://github.com/xmrig/xmrig/releases

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: CoinMiner
File: Executable exe bf13e4e3b3b0205ed0a76b3eea58c274d6f9794c62e16a34a815759237623844 (this sample)