MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db0cc4d3e9b995e63953ad4b8b8d3bc67ed19326254bc89d4f23991561360aca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 18


Intelligence 18 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db0cc4d3e9b995e63953ad4b8b8d3bc67ed19326254bc89d4f23991561360aca
SHA3-384 hash: b69e88606c38c34bfcc868924161af78a7a9d040427c9b75881d7873b44745dd164f8263cd84cd2adc938ffcacecde07
SHA1 hash: 83900aab9a410275a619d5d5dc608b13d3d9cd46
MD5 hash: 71eaacac1984834d31a1a98aec549b86
humanhash: twenty-lemon-carolina-lemon
File name:SecuriteInfo.com.FileRepMetagen.15411.2699
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'208'768 bytes
First seen:2025-03-14 11:32:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 559ec13448c2a24a52e2bee7f41288b5 (1 x CoinMiner)
ssdeep 49152:k9vyPo+tFl2V9ULd5KZ2UJdHBJHME33wbSIRT4fC:k9vyPoQr2V90d0Z2AFHME33USE0a
TLSH T118A533881510A40FC65AC1B104ABD748FE3CFF678FB11467B62E77AE26343999E43C99
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
423
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.FileRepMetagen.15411.2699
Verdict:
Malicious activity
Analysis date:
2025-03-14 11:44:38 UTC
Tags:
autorun-sched xmrig themida
Link:
https://app.any.run/tasks/3978eca6-a55b-407b-a136-dc59c4c3c03b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d42f283962f1a6f4714704
Tags:
autorun crypt miner blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Enabling the 'hidden' option for analyzed file
Launching a process
Creating a process with a hidden window
DNS request
Connecting to a cryptocurrency mining pool
Connection attempt
Moving of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
coinminer microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67d413fe5663b080596e0993/reports/5834b308-a07b-4952-a11c-9741ee05fcbe/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/db0cc4d3e9b995e63953ad4b8b8d3bc67ed19326254bc89d4f23991561360aca
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a4fa10ac-354b-4732-b273-616792e780b7
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1638478
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1638478 Sample: SecuriteInfo.com.FileRepMet... Startdate: 14/03/2025 Architecture: WINDOWS Score: 100 33 xmr.pool.minergate.com 2->33 35 pool.minergate.com 2->35 37 pool.electroneum.hashvault.pro 2->37 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 3 other signatures 2->47 8 SecuriteInfo.com.FileRepMetagen.15411.2699.exe 2->8         started        11 Iostream.exe 2->11         started        13 Iostream.exe 2->13         started        15 3 other processes 2->15 signatures3 process4 signatures5 49 Found strings related to Crypto-Mining 8->49 51 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 8->53 67 4 other signatures 8->67 17 attrib.exe 1 8->17         started        21 schtasks.exe 1 8->21         started        55 Detected unpacking (changes PE section rights) 11->55 57 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->57 59 Tries to evade debugger and weak emulator (self modifying code) 11->59 61 Hides threads from debuggers 13->61 63 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->63 65 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 13->65 process6 dnsIp7 27 49.12.80.38, 45560, 49694, 49699 HETZNER-ASDE Germany 17->27 29 49.12.80.39, 45560, 49685, 49696 HETZNER-ASDE Germany 17->29 31 pool.minergate.com 49.12.80.40, 45560, 49693, 49698 HETZNER-ASDE Germany 17->31 39 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 17->39 23 conhost.exe 17->23         started        25 conhost.exe 21->25         started        signatures8 process9
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/db0cc4d3e9b995e63953ad4b8b8d3bc67ed19326254bc89d4f23991561360aca
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db0cc4d3e9b995e63953ad4b8b8d3bc67ed19326254bc89d4f23991561360aca/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2018-01-12 23:42:49 UTC
File Type:
PE (Exe)
Extracted files:
64
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3mgmju7jxgk6moktvvfyxdj3yz7ndezgevf4rhkpeomrkyjwblfa._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion discovery miner
Link:
https://tria.ge/reports/250314-nnw8vssrw8/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks BIOS information in registry
Cryptocurrency Miner
Executes dropped EXE
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Xmrig family
xmrig
Verdict:
Malicious
Tags:
coinminer
YARA:
n/a
Link:
https://app.threat.zone/submission/2f0def1a-039e-4026-9fc4-4d3ab31b5d2d
Unpacked files
SH256 hash:
db0cc4d3e9b995e63953ad4b8b8d3bc67ed19326254bc89d4f23991561360aca
MD5 hash:
71eaacac1984834d31a1a98aec549b86
SHA1 hash:
83900aab9a410275a619d5d5dc608b13d3d9cd46
Link:
https://www.unpac.me/results/7d35b46c-8625-41cb-9181-5ff555dee0da/
SH256 hash:
142e1d1e590e4d61145aa9801c541f679ab490965d8c027aebb0dc8f1b4208cf
MD5 hash:
d25629fa279213a35dfa92e50288fe5f
SHA1 hash:
41ac0024aa50014ab61fc260bab7eb9a9a9405a2
Link:
https://www.unpac.me/results/7d35b46c-8625-41cb-9181-5ff555dee0da/
SH256 hash:
d382895a3d68482ccebb92437293d142f4e58ac0c272b2e1e2faa7263c5f35f7
MD5 hash:
a5d840a8126728fb36268c53b39d4bcc
SHA1 hash:
cb4229e88e1a459112d7435c4fba71b969ba2aa7
Detections:
XMRig
Create hunting rule
BTC_Miner_lsass1_chrome_2
Create hunting rule
PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Create hunting rule
CoinMiner_Strings
Create hunting rule
PUA_Crypto_Mining_CommandLine_Indicators_Oct21
Create hunting rule
XMRIG_Monero_Miner
Create hunting rule
Link:
https://www.unpac.me/results/7d35b46c-8625-41cb-9181-5ff555dee0da/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db0cc4d3e9b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db0cc4d3e9b995e63953ad4b8b8d3bc67ed19326254bc89d4f23991561360aca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BTC_Miner_lsass1_chrome_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a Bitcoin Miner
Reference:Internal Research - CN Actor
Rule name:BTC_Miner_lsass1_chrome_2_RID3068
Create hunting rule
Author:Florian Roth
Description:Detects a Bitcoin Miner
Reference:Internal Research - CN Actor
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects XMRIG crypto coin miners
Reference:https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Rule name:PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20_RID33BA
Create hunting rule
Author:Florian Roth
Description:Detects XMRIG crypto coin miners
Reference:https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:XMRIG_Monero_Miner
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Monero mining software
Reference:https://github.com/xmrig/xmrig/releases
Rule name:xmrig_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_TRUST_INFORequires Elevated Execution (Unrestricted:true)high

Comments