MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0ba6af5f371f64548b29d2abb11a8e01cec53aed1a3af8e6d70813ce8732e83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0ba6af5f371f64548b29d2abb11a8e01cec53aed1a3af8e6d70813ce8732e83
SHA3-384 hash: 45f46457339286ad200a0779f9d770c3258257ce82c334713d078d21c37a99012e0afa7fffec68ef164b5fc3fb851dc9
SHA1 hash: d81aa39b50b11217c66d7fe69500d3928200157c
MD5 hash: ac8fcf55ecdd17fd09024abeca72cc5e
humanhash: white-pip-hot-music
File name:ac8fcf55ecdd17fd09024abeca72cc5e.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:16'150'511 bytes
First seen:2022-01-01 15:40:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02ed3575b7f1b355edc24642727fb2e7 (4 x VoidCrypt, 1 x CoinMiner, 1 x Ouroboros)
ssdeep 393216:nOlE0U4ATcuORndVEXIJAB5yINgeLUYm26V9fB8GUw:n4fhdVEX1B5eekBqw
Threatray 10 similar samples on MalwareBazaar
TLSH T17EF633713A03D0B1E59240F58A78EB3F8A6DAD740B700AD7B3D81B2D99315C19E37B5A
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ac8fcf55ecdd17fd09024abeca72cc5e.exe
Verdict:
Malicious activity
Analysis date:
2022-01-01 15:41:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/69be077a-cabe-4526-b219-5367f4eaae00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Ransomware.Vipasana-9783618-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Running batch commands
Launching a process
Launching the process to change network settings
DNS request
Сreating synchronization primitives
Launching a service
Launching the process to change the firewall settings
Launching the process to interact with network services
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
filecoder greyware overlay packed ransomware vipasana voidcrypt
Link:
https://www.filescan.io/uploads/61d076118991ba72b3a43cee/reports/6ec465a4-8776-4d78-bc62-3db0a3dbd465/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1642662-6309-4afa-a483-d341b79f8349
Result
Threat name:
Wixawm
Create hunting rule
Detection:
malicious
Classification:
rans.spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914477
Signature
Creates files in the recycle bin to hide itself
Disables security and backup related services
Disables the windows firewall (over ALG)
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Sigma detected: WannaCry Ransomware
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Writes many files with high entropy
Yara detected Wixawm Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 546955 Sample: MzM6aaixIN.exe Startdate: 01/01/2022 Architecture: WINDOWS Score: 100 73 Sigma detected: WannaCry Ransomware 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 Yara detected Wixawm Ransomware 2->77 79 Machine Learning detection for sample 2->79 9 MzM6aaixIN.exe 34 2->9         started        process3 dnsIp4 69 api.my-ip.io 161.35.189.70, 443, 49755 DIGITALOCEAN-ASNUS United States 9->69 71 127.0.0.1 unknown unknown 9->71 61 TURABIAN.XSL,(MJ-I...m@gmail.com).wixawm, data 9->61 dropped 63 GostTitle.XSL,(MJ-...m@gmail.com).wixawm, data 9->63 dropped 65 GostName.XSL,(MJ-I...m@gmail.com).wixawm, data 9->65 dropped 67 30 other malicious files 9->67 dropped 81 Creates files in the recycle bin to hide itself 9->81 83 Uses bcdedit to modify the Windows boot settings 9->83 85 Modifies the windows firewall 9->85 87 5 other signatures 9->87 14 cmd.exe 1 9->14         started        17 cmd.exe 1 9->17         started        19 cmd.exe 1 9->19         started        21 11 other processes 9->21 file5 signatures6 process7 signatures8 89 Uses netsh to modify the Windows network and firewall settings 14->89 23 conhost.exe 14->23         started        25 net.exe 1 14->25         started        27 net.exe 1 17->27         started        29 conhost.exe 17->29         started        31 net.exe 1 19->31         started        33 conhost.exe 19->33         started        35 net.exe 1 21->35         started        37 net.exe 21->37         started        39 15 other processes 21->39 process9 process10 41 WerFault.exe 23->41         started        43 net1.exe 1 25->43         started        45 net1.exe 1 27->45         started        47 net1.exe 1 31->47         started        49 net1.exe 1 35->49         started        51 net1.exe 37->51         started        53 net1.exe 39->53         started        55 net1.exe 39->55         started        57 net1.exe 39->57         started        process11 59 RuntimeBroker.exe 41->59 injected
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0ba6af5f371f64548b29d2abb11a8e01cec53aed1a3af8e6d70813ce8732e83/
Threat name:
Win32.Ransomware.Amnesia
Create hunting rule
Status:
Malicious
First seen:
2021-12-30 14:14:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 43 (55.81%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4
CoinMiner
318c6717d3881cbc9b1f24325a85e79d5c5768a03387dfb2cf605638a4b45056
CoinMiner
33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3
CoinMiner
353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f
CoinMiner
49921fa466e1dc65ea6c037726015a69c634fc1631a2e379bfb3d7cf7644bcad
CoinMiner
581122114ad28f404b2cc4f8df5d77b6ed447f8f26f862960bb0181776bfacd9
CoinMiner
91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9
CoinMiner
a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461
CoinMiner
cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f
CoinMiner
e615aae714898a4f78dc35243b76440021527835c02cdb904349e412b9631b8c
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner ransomware spyware stealer
Link:
https://tria.ge/reports/220101-s4rqjagccm/
Behaviour
NTFS ADS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Drops file in System32 directory
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
Modifies Windows Firewall
Modifies extensions of user files
xmrig
Unpacked files
SH256 hash:
e0ba6af5f371f64548b29d2abb11a8e01cec53aed1a3af8e6d70813ce8732e83
MD5 hash:
ac8fcf55ecdd17fd09024abeca72cc5e
SHA1 hash:
d81aa39b50b11217c66d7fe69500d3928200157c
Link:
https://www.unpac.me/results/233b9c9d-ca75-49ea-a21f-df3589811c55/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e0ba6af5f371/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0ba6af5f371f64548b29d2abb11a8e01cec53aed1a3af8e6d70813ce8732e83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments