MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586
SHA3-384 hash: a7ced12c9df299aaf057063a86c45510fe83a702c8650bb8fb474b979d2037aeb5fb10a44f4fbd0aad1a422e436912d4
SHA1 hash: c6a4f987d107bd4896f67e19aa55ef4d5af6d32b
MD5 hash: e41c90899d2847560c735e0285e3e410
humanhash: virginia-alaska-golf-oregon
File name:e41c90899d2847560c735e0285e3e410.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:428'544 bytes
First seen:2020-12-02 15:16:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:l5m8ZlWk6VT6qIm9qCZb5rTa8kdVXpPalrF:mO+DD9qCZb5rTa8UPPM
Threatray 5 similar samples on MalwareBazaar
TLSH 7C94122690A4DCB1D26A67B2C8368E941CA03D31EF80367E6715F15DB831347D9A7F2E
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
587
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106425/
Detection(s):
Win.Dropper.Razy-6646749-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Connecting to a cryptocurrency mining pool
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/553731
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 325964 Sample: N6Fv7clWxO.exe Startdate: 02/12/2020 Architecture: WINDOWS Score: 100 32 prda.aadg.msidentity.com 2->32 34 pool.hashvault.pro 2->34 36 cdn.onenote.net 2->36 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for dropped file 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 4 other signatures 2->48 8 N6Fv7clWxO.exe 2 17 2->8         started        13 svsv.exe 12 2->13         started        15 svsv.exe 12 2->15         started        17 svsv.exe 2->17         started        signatures3 process4 dnsIp5 40 cnc.c25e6559668942.xyz 193.239.147.105, 49694, 80 DEDIPATH-LLCUS Brunei Darussalam 8->40 28 C:\Users\user\AppData\Roaming\...\svsv.exe, PE32+ 8->28 dropped 30 C:\Users\user\AppData\Local\...\xmrig[1].exe, PE32+ 8->30 dropped 50 Binary is likely a compiled AutoIt script file 8->50 52 Writes to foreign memory regions 8->52 54 Allocates memory in foreign processes 8->54 56 2 other signatures 8->56 19 svsv.exe 1 8->19         started        22 svsv.exe 1 13->22         started        file6 signatures7 process8 dnsIp9 38 pool.hashvault.pro 168.119.38.182, 49695, 49705, 49707 HETZNER-ASDE Germany 19->38 24 conhost.exe 19->24         started        26 conhost.exe 22->26         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586/
Threat name:
Win64.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2020-12-02 15:17:05 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y73k27j6aqgsn2aqhccxk3rpoifjpilpclxujp3ha5tw2jtiawda._file
Verdict:
unknown
Similar samples:
773a42f5dd2dbe163dbc36037d53a25675c29fd0dba24d19ccb249a6f590ef12
CoinMiner
a4bd1ce6832e9cfa0078b39e7dc035047ff593ff4f875fd19ed7ab54508fa7e4
CoinMiner
af56963172182772cfb8ece6dee221898b281e8f93a62dc82a08cc188131849f
CoinMiner
c6b664ffd10c03d085b36bd57b72467b6508ba736e9c8d77182e0d1518b91295
CoinMiner
dea877be3b8ceb7eb4cb1bb40895bc6886d3ccb0f2498e7b3c4257d726a7d896
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence upx
Link:
https://tria.ge/reports/201202-ysavjvts8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586
MD5 hash:
e41c90899d2847560c735e0285e3e410
SHA1 hash:
c6a4f987d107bd4896f67e19aa55ef4d5af6d32b
Link:
https://www.unpac.me/results/0cd99ce7-72e6-4114-99b0-042dbfe8e345/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Sdbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/878149/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106425/
  
URLhaus
https://urlhaus.abuse.ch/url/878184/

Comments