MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c295fd06c87d51ea44008eada1aebdf83b796d84110d0c887b30dd1f3f042136. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c295fd06c87d51ea44008eada1aebdf83b796d84110d0c887b30dd1f3f042136
SHA3-384 hash: 5159c919b346664dd65ba306e452632697a3526079179d99b431ee9790f90d45615c5bd79bb4bc25096f455bd70e5cd3
SHA1 hash: 0d49c50765b8bf2b4204e879a7be4cc26687f067
MD5 hash: 092d064fa7c8b7c292462d00eb149265
humanhash: ohio-crazy-diet-orange
File name:092d064fa7c8b7c292462d00eb149265
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'137'088 bytes
First seen:2023-05-11 06:18:07 UTC
Last seen:2023-07-11 15:13:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash df9a7bc1c6c6cd97d04c3762fdde6719 (18 x CoinMiner, 2 x CoinMiner.XMRig, 1 x PripyatMiner)
ssdeep 49152:x4PS8H+0oebhaupXOZcifTeCv31EMFvxbcS32paotG:xl8e0oebgE0xEYAHpa0
Threatray 116 similar samples on MalwareBazaar
TLSH T173A52326F6C2CAFCD326507D46EE86B65E226080E3F48B6E79EC5C658E109315D2C5F3
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:64 CoinMiner exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
308
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-05-05 15:32:25 UTC
Tags:
installer evasion opendir stealer blackguard loader
Link:
https://app.any.run/tasks/3ccea79c-ed56-4210-aa45-0da87c7329d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388337/
Detection(s):
SecuriteInfo.com.Variant.Barys.382682.32423.6242.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83466/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug barys coinminer packed
Link:
https://www.filescan.io/uploads/645c88d76031b4f257201726/reports/8b56b220-30e0-4ecc-a74a-4758a72f8432/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c295fd06c87d51ea44008eada1aebdf83b796d84110d0c887b30dd1f3f042136
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9697b688-d803-4825-837a-d52a93764c30
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1230564
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 863542 Sample: ZobPRAZtVD.exe Startdate: 11/05/2023 Architecture: WINDOWS Score: 100 47 xmr.2miners.com 2->47 56 Antivirus detection for dropped file 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 5 other signatures 2->62 8 updater.exe 4 2->8         started        12 svchost.exe 2->12         started        14 powershell.exe 36 2->14         started        16 12 other processes 2->16 signatures3 process4 file5 41 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 8->41 dropped 43 C:\Users\user\AppData\Local\...\rnfrlnvq.tmp, PE32+ 8->43 dropped 64 Antivirus detection for dropped file 8->64 66 Multi AV Scanner detection for dropped file 8->66 68 Writes to foreign memory regions 8->68 76 4 other signatures 8->76 18 conhost.exe 8->18         started        21 cmd.exe 8->21         started        23 conhost.exe 8->23         started        70 Changes security center settings (notifications, updates, antivirus, firewall) 12->70 25 MpCmdRun.exe 1 12->25         started        72 Uses schtasks.exe or at.exe to add and modify task schedules 14->72 27 conhost.exe 14->27         started        45 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 16->45 dropped 74 Query firmware table information (likely to detect VMs) 16->74 29 WMIC.exe 1 16->29         started        31 conhost.exe 16->31         started        33 conhost.exe 16->33         started        35 2 other processes 16->35 signatures6 process7 dnsIp8 49 xmr.2miners.com 162.19.139.184, 2222, 49700 CENTURYLINK-US-LEGACY-QWESTUS United States 18->49 52 192.168.2.1 unknown unknown 18->52 37 conhost.exe 21->37         started        39 conhost.exe 25->39         started        signatures9 54 Detected Stratum mining protocol 49->54 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c295fd06c87d51ea44008eada1aebdf83b796d84110d0c887b30dd1f3f042136/
Threat name:
Win64.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2023-05-05 12:03:05 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ykk72bwipvi6uraar2w2dlv57a5xs3mecegqzcd3gdor6pyeee3a._file
Verdict:
malicious
Similar samples:
4087249b32bc81f6df39a587acd55b0f0cf59a53d14f734a05886ff3e1bdaaa2
CoinMiner
51b3d59d59b618ade2fa6c244a0055219e718d32aaacbc61bf7ab964d0059b51
CoinMiner
58c06312c4b8a6e6e68873da9afe2a79a486e16a2d764f7268880ae27bf0d8be
CoinMiner
8ce939e78f764da1da27154cc2c2b9ead8c4fd9c3954958bde1f2afa423dd218
CoinMiner
9a938f47030e9b34dcee96382fae40ed2f980299e1ced3a04c19c859b24ae40c
CoinMiner
a0626a283b6e2cbcacfbcc06c21691aff5e3386d43a76909304b2b0bacf8f45a
CoinMiner
ac08903be48df04ee8b744c61a65c8003af729943049cb4d04870854686c93ca
CoinMiner
ce340caa209423fd8edbdeec206fbc19b434deeb58f6d0d4cc1b2a1bd4e1f963
CoinMiner
e84fe903559b6d7048d69e0e4a7136236fa35dbd3591670de54ea81cec31a480
CoinMiner
+ 106 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/230511-g26k5aca98/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
UPX packed file
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
c295fd06c87d51ea44008eada1aebdf83b796d84110d0c887b30dd1f3f042136
MD5 hash:
092d064fa7c8b7c292462d00eb149265
SHA1 hash:
0d49c50765b8bf2b4204e879a7be4cc26687f067
Link:
https://www.unpac.me/results/0d2f4620-df62-4bf6-845a-d6ff36e997fd/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c295fd06c87d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe c295fd06c87d51ea44008eada1aebdf83b796d84110d0c887b30dd1f3f042136

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2629551/
Cape
Cape
https://www.capesandbox.com/analysis/388337/

Comments


Avatar
zbet commented on 2023-05-11 06:18:08 UTC

url : hxxp://94.142.138.111/software/tst2.exe