MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0243843ad83a16bc3c9fe59f8d530aee08fbe163b45cf676c4327d1f2a0a6fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: CoinMiner
Vendor detections: 15

SHA256 hash: c0243843ad83a16bc3c9fe59f8d530aee08fbe163b45cf676c4327d1f2a0a6fb
SHA3-384 hash: 7fe49fb194353b5e8c096b33d1822649390acfbc2c8e596366281998b2f3197a025409a8ad550133d115513ef78e7cce
SHA1 hash: 5a4ab23846c5425abba98c24009c561a787dadfb
MD5 hash: 9b2514f290b0e5fe4cd2e6f1745ea188
humanhash: lithium-california-bakerloo-summer
File name: file.exe
Signature: CoinMiner
File size: 1'952'768 bytes
First seen: 2023-05-09 00:04:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bbac62fd99326ea68ec5a33b36925dd1 (46 x AgentTesla, 38 x njrat, 27 x Formbook)
ssdeep: 49152:Wkwkn9IMHeaA5bCshNwynVIQwMlw1yYtor6KadBaPCS:VdnV3AXVLwMlwJo2vGPC
Threatray: 526 similar samples on MalwareBazaar
TLSH: T18395F10263DDC3A4C7725273BA66BB01AEBF7C2506B1F49B2FD4053DE960162521EA73
TrID:
  85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter: Chainskilabs
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 293
Origin country: CO
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file.exe
Verdict: Malicious activity
Analysis date: 2023-05-09 00:07:41 UTC
Tags: miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating synchronization primitives
Launching a process
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
MeasuringTime
CheckNumberOfProcessor
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: autoit greyware keylogger packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to modify clipboard data
Detected Stratum mining protocol
Detected unpacking (creates a PE file in dynamic memory)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 861720; sample: file.exe; start date: 09/05/2023; architecture: WINDOWS; score: 100)

Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 4 other signatures

file.exe (initial process)
  Dropped files: C:\...\blsncxvoxmotpljzrxtwkmpap5606009.png (COM); C:\Users\user\AppData\Local\...\autF235.tmp (COM)
  Signatures: Detected unpacking (creates a PE file in dynamic memory); Contains functionality to modify clipboard data; Injects a PE file into a foreign process
  Starts: file.exe (second instance)
    Network: 149.210.249.142, port 11119 (TRANSIP-AS, Amsterdam, the Netherlands)
    Dropped files: C:\ProgramData\zmWLVbyRgm\lsas.exe (PE32); C:\ProgramData\zmWLVbyRgm\cfgi (JSON); C:\ProgramData\zmWLVbyRgm\cfg (JSON)
    Signatures: Monitors registry run keys for changes; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
    Starts: notepad.exe
      Network: 141.94.96.195, ports 49702, 49704, 49705 (AS label DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, Germany); 141.94.96.71, ports 49700, 49701, 49703 (same AS label, Germany); 2 other IPs or domains
      Signatures: System process connects to network (likely due to code injection or exploit); Detected Stratum mining protocol (on the 141.94.96.71 connection)
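The second file.exe instance drops two JSON files (cfg, cfgi) next to lsas.exe, and the sandbox flags the Stratum mining protocol on the traffic that notepad.exe generates after injection. The Python below is an added example, not code from MalwareBazaar or from any of the vendors above: it pulls pool/wallet IOCs out of an XMRig-style config.json (the "pools" list with "url", "user", "pass" and "tls" keys follows XMRig's documented config layout) and flags Stratum JSON-RPC messages in a newline-delimited traffic dump. The config text, the pool hosts (pool.example.invalid, 192.0.2.10), the wallet string and the traffic lines are constructed for the example; none of them were recovered from this sample.

```python
import json
from urllib.parse import urlsplit

# Constructed XMRig-style config. The real cfg/cfgi dropped under
# C:\ProgramData\zmWLVbyRgm\ were not recovered here; only the key names
# ("pools", "url", "user", "pass", "tls") follow XMRig's config.json layout.
SAMPLE_CONFIG = r'''
{
  "autosave": true,
  "cpu": {"enabled": true, "max-threads-hint": 50},
  "donate-level": 1,
  "pools": [
    {"url": "stratum+tcp://pool.example.invalid:11119",
     "user": "4AexampleWalletAddressConstructedForThisExampleOnly",
     "pass": "x", "tls": false, "keepalive": true},
    {"url": "192.0.2.10:3333", "user": "worker1", "pass": "x", "tls": true}
  ]
}
'''

def parse_pool_url(url):
    """Split a pool URL into (host, port, scheme).

    XMRig accepts both "stratum+tcp://host:port" and a bare "host:port";
    the bare form is given the stratum+tcp scheme so urlsplit can parse it.
    """
    if "://" not in url:
        url = "stratum+tcp://" + url
    parts = urlsplit(url)
    return parts.hostname, parts.port, parts.scheme

def extract_pool_iocs(config_text):
    """Return one IOC dict per pool entry in an XMRig-style config."""
    cfg = json.loads(config_text)
    iocs = []
    for pool in cfg.get("pools", []):
        if "url" not in pool:
            continue  # XMRig ignores pool entries without a url
        host, port, scheme = parse_pool_url(pool["url"])
        iocs.append({"host": host, "port": port, "scheme": scheme,
                     "wallet": pool.get("user"),
                     "tls": bool(pool.get("tls", False))})
    return iocs

# Stratum is newline-delimited JSON-RPC. XMRig's Monero-style dialect logs in
# with method "login" (carrying an "agent" string) and uses "submit" and
# "keepalived"; Bitcoin-style pools use the "mining.*" methods.
STRATUM_METHODS = {
    "login", "submit", "keepalived",
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
}

def classify_stratum_line(line):
    """Return (method, agent) for a Stratum JSON-RPC message, else None."""
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    method = msg.get("method")
    if method not in STRATUM_METHODS:
        return None
    params = msg.get("params")
    # Bitcoin-style messages carry a list in params, so there is no agent field.
    agent = params.get("agent") if isinstance(params, dict) else None
    return method, agent

def scan_stream(lines):
    """Return (line_no, method, agent) for every Stratum message in a dump."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify_stratum_line(line)
        if result:
            hits.append((n, result[0], result[1]))
    return hits

# Constructed traffic lines, not a capture from this sample.
SAMPLE_TRAFFIC = [
    'GET /index.html HTTP/1.1',
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4AexampleWallet",'
    '"pass":"x","agent":"XMRig/6.19.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019"}}',
    '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}',
    '{"method":"hello","params":{}}',
    'not json at all',
]

if __name__ == "__main__":
    for ioc in extract_pool_iocs(SAMPLE_CONFIG):
        print("pool:", ioc)
    for hit in scan_stream(SAMPLE_TRAFFIC):
        print("stratum:", hit)
```

The config extractor is the faster path to block-list entries (pool host and port, and the wallet as a pivot across other samples), while the traffic classifier covers the case where the config is encrypted or never written to disk and only the injected process's network activity is available.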
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2018-06-04 15:42:00 UTC
File Type: PE (Exe)
Extracted files: 23
AV detection: 28 of 37 (75.68%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner persistence upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
XMRig Miner payload
xmrig
Unpacked files
SHA256 hash: 2b0604da9e045794bbdd00dc432542c873ba0f013f826601480cfb62006944a3
MD5 hash: 64888bd1becea06a22f69aeb2ae7f192
SHA1 hash: 9e8cdbe2433ecf9b70aa48dc96b16599c22fab29

SHA256 hash: f1ddd998327f3740d81337e7b7daa83b98aa4dd994bb2fb4f27c7e87012a5f64
MD5 hash: 9d1d7dc72fc0a328157d50790efe0e16
SHA1 hash: 54770533536ad9a687cf747a25a7eb103b79ee3b

SHA256 hash: c0243843ad83a16bc3c9fe59f8d530aee08fbe163b45cf676c4327d1f2a0a6fb
MD5 hash: 9b2514f290b0e5fe4cd2e6f1745ea188
SHA1 hash: 5a4ab23846c5425abba98c24009c561a787dadfb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).

Rule name: CoinMiner_Strings
Author: Florian Roth (Nextron Systems)
Description: Detects mining pool protocol string in Executable
Reference: https://minergate.com/faq/what-pool-address

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-bit mode

Rule name: Linux_Cryptominer_Xmrig_af809eea
Author: Elastic Security

Rule name: MacOS_Cryptominer_Generic_333129b7
Author: Elastic Security

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth (Nextron Systems)
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MINER_monero_mining_detection
Author: Trellix ATR team
Description: Monero mining software

Rule name: PUA_Crypto_Mining_CommandLine_Indicators_Oct21
Author: Florian Roth (Nextron Systems)
Description: Detects command line parameters often used by crypto mining software
Reference: https://www.poolwatch.io/coin/monero

Rule name: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Author: Florian Roth (Nextron Systems)
Description: Detects XMRIG crypto coin miners
Reference: https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

Rule name: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20_RID33BA
Author: Florian Roth
Description: Detects XMRIG crypto coin miners
Reference: https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

Rule name: QbotStuff
Author: anonymous

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: SUSP_XMRIG_String
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious XMRIG crypto miner executable string in file
Reference: Internal Research

Rule name: SUSP_XMRIG_String_RID2D18
Author: Florian Roth
Description: Detects a suspicious XMRIG crypto miner executable string in file
Reference: Internal Research

Rule name: XMRIG_Monero_Miner
Author: Florian Roth (Nextron Systems)
Description: Detects Monero mining software
Reference: https://github.com/xmrig/xmrig/releases

Rule name: XMRIG_Monero_Miner_RID2DC1
Author: Florian Roth
Description: Detects Monero mining software
Reference: https://github.com/xmrig/xmrig/releases

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: CoinMiner
File: Executable exe c0243843ad83a16bc3c9fe59f8d530aee08fbe163b45cf676c4327d1f2a0a6fb (this sample)