MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd84819f9d2e108ac8dbbfedf10d61f787b6082f02ddb63ca05c98d78e877597. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd84819f9d2e108ac8dbbfedf10d61f787b6082f02ddb63ca05c98d78e877597
SHA3-384 hash: df071be64a6aae764ecb6184b51443dbfc4eda9eef577ab4a19031e1ccc948a1eb4df471e2135375ac68222cbf264ab7
SHA1 hash: 34f32d3e3609620a8b11ccfa00393e1fba139133
MD5 hash: 551bb49398210767506ee38866b9e8cb
humanhash: jupiter-comet-fifteen-hamper
File name:551bb49398210767506ee38866b9e8cb.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'318'848 bytes
First seen:2023-01-03 16:34:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash df9a7bc1c6c6cd97d04c3762fdde6719 (18 x CoinMiner, 2 x CoinMiner.XMRig, 1 x PripyatMiner)
ssdeep 49152:Fm4Ej8Vy14scOEONO7JI/RejV8rMGnIh9/ZvSYa+:Fty14spEON6I5ejV8rMDF6YL
Threatray 30 similar samples on MalwareBazaar
TLSH T140B512A160156459D3D18234DAE1C775264ABE2940E0C98F39F9BF7B3FFE883C729588
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b2b2b27169f0f4c4 (1 x CoinMiner)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
551bb49398210767506ee38866b9e8cb.exe
Verdict:
Malicious activity
Analysis date:
2023-01-03 16:38:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/468638aa-f85a-467b-af54-3965f2b993e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Bladabindi-9940103-0
Create hunting rule

Win.Malware.Miner-9978777-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/63b45903a70bef46551cdce6/reports/d22fc892-aab5-44c0-8505-0d328050b4ac/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c78d7965-6c42-4570-b2de-959f09d7dcb7
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1144671
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Creates files in the system32 config directory
DNS related to crypt mining pools
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 777402 Sample: pZyiE258mu.exe Startdate: 03/01/2023 Architecture: WINDOWS Score: 100 53 Antivirus detection for dropped file 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 6 other signatures 2->59 7 updater.exe 3 2->7         started        11 pZyiE258mu.exe 1 2->11         started        13 cmd.exe 1 2->13         started        15 18 other processes 2->15 process3 file4 39 C:\Windows\Temp\skmigijh.tmp, PE32+ 7->39 dropped 41 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 7->41 dropped 61 Writes to foreign memory regions 7->61 63 Modifies the context of a thread in another process (thread injection) 7->63 65 Adds a directory exclusion to Windows Defender 7->65 81 2 other signatures 7->81 17 conhost.exe 7->17         started        20 conhost.exe 7->20         started        43 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 11->43 dropped 67 Self deletion via cmd or bat file 11->67 69 Uses powercfg.exe to modify the power settings 13->69 71 Modifies power options to not sleep / hibernate 13->71 23 conhost.exe 13->23         started        25 powercfg.exe 1 13->25         started        33 3 other processes 13->33 73 Query firmware table information (likely to detect VMs) 15->73 75 Creates files in the system32 config directory 15->75 77 Changes security center settings (notifications, updates, antivirus, firewall) 15->77 79 Uses schtasks.exe or at.exe to add and modify task schedules 15->79 27 MpCmdRun.exe 15->27         started        29 conhost.exe 15->29         started        31 conhost.exe 15->31         started        35 16 other processes 15->35 signatures5 process6 dnsIp7 51 Adds a directory exclusion to Windows Defender 17->51 45 51.255.34.118, 14433, 49725 OVHFR France 20->45 47 xmr-eu1.nanopool.org 51.68.137.66, 14433, 49727 OVHFR France 20->47 49 pastebin.com 104.20.68.143, 443, 49726 CLOUDFLARENETUS United States 20->49 37 conhost.exe 27->37         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd84819f9d2e108ac8dbbfedf10d61f787b6082f02ddb63ca05c98d78e877597/
Threat name:
Win64.Dropper.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-12-21 12:37:29 UTC
File Type:
PE+ (Exe)
Extracted files:
18
AV detection:
21 of 26 (80.77%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3wcidh45fyiivsg3x7w7cdlb66d3mcbpalo3mpfalsmnpduhowlq._file
Verdict:
malicious
Similar samples:
12f308243fe099acdb7718428e027aa77846efa6f18e6cf8235daaadcb46ed1f
CoinMiner
4087249b32bc81f6df39a587acd55b0f0cf59a53d14f734a05886ff3e1bdaaa2
CoinMiner
4b56d0b0c8c52803bf7c21587bd98a16f73f0d6ed4e4153eee1964533ac394ee
CoinMiner
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5
CoinMiner
554205366ff07e0fa59789cbf9ba72e1d1966d9d3d1889154408b9c0b4dbd861
CoinMiner
68dd15c384e6d7b3fc6afeda9a17df9ffa55ed29861e9249751488b03abac2fc
CoinMiner
7812b5f5fd710358255d8847f61729386cb982c55beb12a77e240d3377aaeafb
CoinMiner
89a342bb20ad895c86665599e40ecd591b2993f5a1b343768dbb7af038aebd31
CoinMiner
e249064e0227b91181a4cc52d2af88b56d10a01cafea2a4962dca3155f0a37d2
CoinMiner
ef1cb9555d780addb510d052b41f070dbdeb931c3f916bf345a419a4d437a167
CoinMiner
+ 20 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/230103-t26bksfc3y/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Executes dropped EXE
UPX packed file
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
dd84819f9d2e108ac8dbbfedf10d61f787b6082f02ddb63ca05c98d78e877597
MD5 hash:
551bb49398210767506ee38866b9e8cb
SHA1 hash:
34f32d3e3609620a8b11ccfa00393e1fba139133
Link:
https://www.unpac.me/results/bbabaf99-bdbe-4d4c-8b31-17caea6f5827/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dd84819f9d2e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dd84819f9d2e108ac8dbbfedf10d61f787b6082f02ddb63ca05c98d78e877597

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe dd84819f9d2e108ac8dbbfedf10d61f787b6082f02ddb63ca05c98d78e877597

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2495508/
  
Delivery method
Distributed via web download

Comments