MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9181af10ea92bd10670128f29becf59ace555e7c3b2f249a0a0ee7930ac64cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9181af10ea92bd10670128f29becf59ace555e7c3b2f249a0a0ee7930ac64cc
SHA3-384 hash: 3822a1ec7f7c40c1745e9ed49785109cc3e9a630be636059a95cdb210eb304e3bc811fdbc560a277474d17bd4a5428f7
SHA1 hash: 2bd524d9b3281e9eda3af6747e05bc7b7b954775
MD5 hash: 450dde436ddfe1704183c0d576f39ed3
humanhash: island-vegan-delaware-oklahoma
File name:activationeth.exe
Download: download sample
File size:1'842'176 bytes
First seen:2021-05-07 12:56:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:yq/IMhmghFQalP9Vg9mAYvYpwkF896L64C3IjQB8JbWwkuC4A69Poi:1LH3DPMYJYpwk+QL69I8BkWZuC4A6P
Threatray 5 similar samples on MalwareBazaar
TLSH 8E8502D632A5A5B2D41F9CF5D4FB1E175B023992DCC3066E1B90FB55C06A8A32823E4F
Reporter starsSk87264403
Tags:CoinMiner

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/152689/
Detection(s):
Win.Trojan.Coinminer-9851297-0
Create hunting rule

Win.Trojan.Coinminer-9859229-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/719702
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 408779 Sample: activationeth.exe Startdate: 09/05/2021 Architecture: WINDOWS Score: 100 39 Sigma detected: Xmrig 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 5 other signatures 2->45 8 activationeth.exe 7 2->8         started        process3 file4 33 C:\Users\user\AppData\...\sihost32.exe, PE32+ 8->33 dropped 35 C:\Users\user\AppData\Local\...\nslookup.exe, PE32+ 8->35 dropped 37 C:\Users\user\...\activationeth.exe.log, ASCII 8->37 dropped 47 Uses nslookup.exe to query domains 8->47 12 nslookup.exe 4 8->12         started        15 sihost32.exe 2 8->15         started        17 cmd.exe 1 8->17         started        signatures5 process6 signatures7 49 Antivirus detection for dropped file 12->49 51 Multi AV Scanner detection for dropped file 12->51 53 Hijacks the control flow in another process 12->53 59 5 other signatures 12->59 19 cmd.exe 1 12->19         started        21 nslookup.exe 12->21         started        55 Machine Learning detection for dropped file 15->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 17->57 23 schtasks.exe 1 17->23         started        25 conhost.exe 17->25         started        process8 process9 27 conhost.exe 19->27         started        29 schtasks.exe 1 19->29         started        31 conhost.exe 23->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9181af10ea92bd10670128f29becf59ace555e7c3b2f249a0a0ee7930ac64cc/
Threat name:
ByteCode-MSIL.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 15:23:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
770b35e82759eb0107679b50d38f5e40175901c548a5fd8282e116e8d455c418
93eefdff4ee4bc7cb7ad565c2f61b45a791568a3f428c936b96f65538656f464
d0468ea18c3ec3cc761985436a8d0d299191f27b2288597d29eed413e140cef9
e7d6efa5783c7c9a417518ee96f0ddbb919ab711669cbf68ef6caa27dac966d5
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210507-zfdng5xavn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
c9181af10ea92bd10670128f29becf59ace555e7c3b2f249a0a0ee7930ac64cc
MD5 hash:
450dde436ddfe1704183c0d576f39ed3
SHA1 hash:
2bd524d9b3281e9eda3af6747e05bc7b7b954775
Link:
https://www.unpac.me/results/21ddb204-dc42-4a33-86a0-819dfadc52f3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9181af10ea92bd10670128f29becf59ace555e7c3b2f249a0a0ee7930ac64cc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c9181af10ea92bd10670128f29becf59ace555e7c3b2f249a0a0ee7930ac64cc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1094119/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/152689/

Comments