MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1082902dff7b4652dbd0b43e974c0c1d34f135fdb8353ec5e92f9cdc54b6ed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1082902dff7b4652dbd0b43e974c0c1d34f135fdb8353ec5e92f9cdc54b6ed2
SHA3-384 hash: 1405728660dce05d6160915e6cbdfd0ccf518ced7567f4e534670899c8d459133d69f818ae3748b233a6079abcb61bf0
SHA1 hash: b841445c64ac7518cad0f342102ac9e92d567fba
MD5 hash: c4e772c253f64f4ad2ba7bb930ebfde0
humanhash: bulldog-fillet-earth-skylark
File name:Updater.exe
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:2'269'696 bytes
First seen:2021-06-24 21:59:58 UTC
Last seen:2021-06-24 22:46:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:qX6jN/Z4k4aGi71e49cYMjpNuKjsypV03HSZZ1vWD2Ex43Bq5LrZ7+Bk+IIKhY:46jN/Sk4hiBxNMjfuKjsE6He1vWBxZ7Z
Threatray 10 similar samples on MalwareBazaar
TLSH 7EB523271E49880FF0878E77113487D122CEABDD69E95A47026F735F563BE074AB2B12
Reporter Anonymous
Tags:CoinMiner.XMRig exe gaming


Avatar
Anonymous
We run a multi-gaming organisation/multi-game guild with a large amount of members, and receive targeted spearphishing and non-targeted malware typically RATs or keyloggers, attempting to compromise accounts and steal items.

On our forums, we also automatically quarantine new accounts that DM users links. These uploads are typically the outputs of online uploads, spambots, or users trying to steal kids' game accounts.

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Updater.exe
Verdict:
No threats detected
Analysis date:
2021-06-24 22:03:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/86db4894-0cfb-4509-9da1-4a2193d8f448

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168162/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.721.2212.28137.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99ba4cef-8cd0-493b-9e3c-8efcc645b71f
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807802
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440213 Sample: Updater.exe Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 60 Sigma detected: Xmrig 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 6 other signatures 2->66 8 Updater.exe 8 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 9 1 2->14         started        17 8 other processes 2->17 process3 dnsIp4 46 C:\Users\user\AppData\Local\Temp\Config.exe, PE32+ 8->46 dropped 48 C:\Users\user\...\Config.exe:Zone.Identifier, ASCII 8->48 dropped 50 C:\Users\user\AppData\...\Updater.exe.log, ASCII 8->50 dropped 78 Sample is not signed and drops a device driver 8->78 19 Config.exe 4 8->19         started        24 cmd.exe 1 8->24         started        80 Changes security center settings (notifications, updates, antivirus, firewall) 12->80 26 MpCmdRun.exe 1 12->26         started        58 127.0.0.1 unknown unknown 14->58 file5 signatures6 process7 dnsIp8 52 192.168.2.1 unknown unknown 19->52 44 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 19->44 dropped 68 Multi AV Scanner detection for dropped file 19->68 70 Machine Learning detection for dropped file 19->70 72 Injects code into the Windows Explorer (explorer.exe) 19->72 76 4 other signatures 19->76 28 explorer.exe 19->28         started        32 cmd.exe 1 19->32         started        74 Uses schtasks.exe or at.exe to add and modify task schedules 24->74 34 conhost.exe 24->34         started        36 schtasks.exe 1 24->36         started        38 conhost.exe 26->38         started        file9 signatures10 process11 dnsIp12 54 mine.bmpool.org 157.90.156.89, 49712, 6004 REDIRISRedIRISAutonomousSystemES United States 28->54 56 pastebin.com 104.23.99.190, 443, 49711 CLOUDFLARENETUS United States 28->56 82 System process connects to network (likely due to code injection or exploit) 28->82 84 Query firmware table information (likely to detect VMs) 28->84 86 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->86 40 conhost.exe 32->40         started        42 schtasks.exe 1 32->42         started        signatures13 88 Detected Stratum mining protocol 54->88 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1082902dff7b4652dbd0b43e974c0c1d34f135fdb8353ec5e92f9cdc54b6ed2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-19 03:44:45 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yeecsaw7662gkln5bnb6s5gayhju6e273obvh3c6sl443rkln3ja._file
Verdict:
unknown
Similar samples:
1ed5337566938228ee9afcad29b1f722d55f4f8172a3157af4d4ad913541b2ea
CoinMiner.XMRig
568a4dae9810114a99e28f70c4b3daa29ecdfa9757675f61b2947f578c5f2c05
CoinMiner.XMRig
6c3a2575d3325e7a0f520a5fefa0384855980461683e6c7463debbd668ab3258
CoinMiner.XMRig
74b13418d9f50f94920aa870823732618509599ed36a57e440c32c1e9cd928f2
CoinMiner.XMRig
8409519ab2c6e5ca0e85e40216c98444ac257a491fa8849ce4b3b320df0a0566
CoinMiner.XMRig
a1a0ca95d42cb766533d9c4a8260cdcea4abab6d17214b711b7f366fbafe2413
CoinMiner.XMRig
a5e6caf0fc19953ef3c7ec323b851f1b14bde593f75d0113e0cada70880912df
CoinMiner.XMRig
b17bfed7ccb65140f22de398cfcb56faa877dd36410bac51453f8ad9f1537bda
CoinMiner.XMRig
e15ea1dc92dd31517334886dba17d7022c73d258096bf77f897ef60c1b8302b1
CoinMiner.XMRig
e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2
CoinMiner.XMRig
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/210624-292jrhra2x/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
c1082902dff7b4652dbd0b43e974c0c1d34f135fdb8353ec5e92f9cdc54b6ed2
MD5 hash:
c4e772c253f64f4ad2ba7bb930ebfde0
SHA1 hash:
b841445c64ac7518cad0f342102ac9e92d567fba
Link:
https://www.unpac.me/results/b5ae7ef7-c874-4097-a5c5-f6c5d6c13719/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1082902dff7b4652dbd0b43e974c0c1d34f135fdb8353ec5e92f9cdc54b6ed2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Multiple
Cape
Cape
https://www.capesandbox.com/analysis/168162/

Comments