MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d29acdeb134477223baaf3b97aef34f5ff2b5832567718025bdac30421ac7ad7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d29acdeb134477223baaf3b97aef34f5ff2b5832567718025bdac30421ac7ad7
SHA3-384 hash: e6bd77184944e68f12834ba11765632b5cc4391e739232b596c9b157a9eea45f9f39d223129f2efc112addf2f6961103
SHA1 hash: 7f04a35dc8c3db0a683d71ae8edde8d3ed583e65
MD5 hash: be6b6e027032475d9803d34e0a41a956
humanhash: juliet-mobile-maryland-iowa
File name:be6b6e027032475d9803d34e0a41a956
Download: download sample
Signature CoinMiner
Create hunting rule
File size:9'393'826 bytes
First seen:2021-12-15 17:31:02 UTC
Last seen:2021-12-15 20:45:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ca1bc56825379f5b034a1b6092fa2cee (3 x CoinMiner)
ssdeep 196608:bnK5xpo5NflpgSy6CkhJEtYBAmg9/1+U1/rekiA5ldBY4vaOM:bapo5NflpgSTLJEYhQ/1+U9LHdqr
TLSH T1209623FE1254731CC40988709037FC45F2B61B5E16DDD86DB6EBBAC03BB6568A902F1A
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
be6b6e027032475d9803d34e0a41a956
Verdict:
No threats detected
Analysis date:
2021-12-15 17:36:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/411b5850-e9d2-4a5b-ab73-df45e80fa6c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214381/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38275775.13960.13280.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2136/overview
Behaviour
MalwareBazaar
AntidebugCommonApi
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/61ba265d45ca64e57f120c92/reports/87fa3cb2-b6ce-403e-ac2b-d1320028273a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d3b1e5f5-8b2e-436e-97ef-5cc9c9ffa052
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908029
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 540506 Sample: VNuH2h13AS Startdate: 15/12/2021 Architecture: WINDOWS Score: 100 67 Malicious sample detected (through community Yara rule) 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Yara detected BitCoin Miner 2->71 73 6 other signatures 2->73 9 VNuH2h13AS.exe 5 2->9         started        13 umciavi32.exe 4 2->13         started        15 svchost.exe 2->15         started        17 6 other processes 2->17 process3 dnsIp4 51 C:\Users\user\AppData\...\umciavi32.exe, PE32+ 9->51 dropped 53 C:\Users\...\umciavi32.exe:Zone.Identifier, ASCII 9->53 dropped 55 C:\Users\user\AppData\...\VNuH2h13AS.exe.log, ASCII 9->55 dropped 83 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->83 85 Tries to evade analysis by execution special instruction which cause usermode exception 9->85 87 Tries to detect debuggers (CloseHandle check) 9->87 20 cmd.exe 1 9->20         started        22 cmd.exe 1 9->22         started        89 Machine Learning detection for dropped file 13->89 91 Tries to detect virtualization through RDTSC time measurements 13->91 93 Hides threads from debuggers 13->93 25 sihost64.exe 13->25         started        95 Changes security center settings (notifications, updates, antivirus, firewall) 15->95 27 MpCmdRun.exe 1 15->27         started        61 192.168.2.1 unknown unknown 17->61 97 System process connects to network (likely due to code injection or exploit) 17->97 file5 signatures6 process7 signatures8 29 umciavi32.exe 7 20->29         started        33 conhost.exe 20->33         started        75 Uses schtasks.exe or at.exe to add and modify task schedules 22->75 35 conhost.exe 22->35         started        37 schtasks.exe 1 22->37         started        77 Writes to foreign memory regions 25->77 79 Allocates memory in foreign processes 25->79 81 Creates a thread in another existing process (thread injection) 25->81 39 conhost.exe 2 25->39         started        41 conhost.exe 27->41         started        process9 file10 57 C:\Users\user\AppData\...\sihost64.exe, PE32+ 29->57 dropped 59 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 29->59 dropped 111 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->111 113 Writes to foreign memory regions 29->113 115 Modifies the context of a thread in another process (thread injection) 29->115 117 4 other signatures 29->117 43 sihost64.exe 29->43         started        46 svchost.exe 29->46         started        signatures11 process12 dnsIp13 99 Multi AV Scanner detection for dropped file 43->99 101 Writes to foreign memory regions 43->101 103 Allocates memory in foreign processes 43->103 105 Creates a thread in another existing process (thread injection) 43->105 49 conhost.exe 2 43->49         started        63 51.255.34.118, 14444, 49691 OVHFR France 46->63 65 xmr-eu1.nanopool.org 46->65 107 Query firmware table information (likely to detect VMs) 46->107 signatures14 109 Detected Stratum mining protocol 63->109 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d29acdeb134477223baaf3b97aef34f5ff2b5832567718025bdac30421ac7ad7/
Threat name:
Win64.Coinminer.Malxmr
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 17:32:21 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
17 of 28 (60.71%)
Threat level:
  4/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2knm32ytir3seo5k6o4xv3zu6x7swwbskz3rqas33lbqiinmpllq._file
Verdict:
malicious
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
CoinMiner
2b0cd91072bc81875fba4d9dc3b293500f110b57dd9d37028556fdb296705fb0
CoinMiner
3aca6ead27ffa0e7384af61f022b180f305bca729e8cc4b29390b5067b673fcc
CoinMiner
65a90f7ce88c21097bde9575109000efa1832a51d0cbd9c47ef701838884ca4f
CoinMiner
7e6b525d20c679bb8241177f2e307bb9c5b9070e4846a033640eb45eafcf64ea
CoinMiner
b37e87a30c379dd3d84b2f9b5819cb32335d7230156d3ea01a7309502e9e6d0d
CoinMiner
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
CoinMiner
dff8b47d7290a0502a4c5ee183b85ea28a9ab501d93b7c1a11c9592e544d1fe7
CoinMiner
e67db91b7e8bcf1cf40735c556df7971af493cfd6b0fe4ffd25774ca7c31e070
CoinMiner
fa1a41ff82f9d6ca0473f9ac67f0d46e9576dd6608f9682d245f48ea872a3859
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211215-v3q4qaabh9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
d29acdeb134477223baaf3b97aef34f5ff2b5832567718025bdac30421ac7ad7
MD5 hash:
be6b6e027032475d9803d34e0a41a956
SHA1 hash:
7f04a35dc8c3db0a683d71ae8edde8d3ed583e65
Link:
https://www.unpac.me/results/2c92643b-8d2c-4c39-8d51-17d85292b0a4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d29acdeb1344/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d29acdeb134477223baaf3b97aef34f5ff2b5832567718025bdac30421ac7ad7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe d29acdeb134477223baaf3b97aef34f5ff2b5832567718025bdac30421ac7ad7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1888236/
Cape
Cape
https://www.capesandbox.com/analysis/214381/

Comments


Avatar
zbet commented on 2021-12-15 17:31:04 UTC

url : hxxp://oniondq7shlx1001.cyou/miexciuz.exe