MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6d721a289c4f4976f8501ae50c373513230533c1f2aea486ca88b5c431a918a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	e6d721a289c4f4976f8501ae50c373513230533c1f2aea486ca88b5c431a918a
SHA3-384 hash:	ade6b8db482d49379b89b6a2cde75bb12c118fc5c68082f90c789838ef35b4de106e952290bd890a71d6d39fdbc64f25
SHA1 hash:	6e672d8a4677a5899017e4103141336f9d5a4174
MD5 hash:	a77637bf48d36d0741f36eef5f928cb4
humanhash:	nineteen-white-wyoming-fruit
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	729'600 bytes
First seen:	2023-01-04 01:46:46 UTC
Last seen:	2023-01-04 03:28:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4e7c5d85d27b27ff0b44feec27866911 (1 x CoinMiner)
ssdeep	12288:RW0LmzwHJetpJ4GaOjMEuGUFiaPjH2xL5j1DD5ZUkcUMt9ADl/Juwvhm/d21CLbB:RW0L8wpetpJ4fOjM2UgaPDE5MtSI/d2w
Threatray	2'648 similar samples on MalwareBazaar
TLSH	T192F423D2AA0AD2F1E9ED57F128095CA265D63D5FD8E6115B20E67B1E70F3032460EF42
File icon (PE):
dhash icon	70f0c9e0dcd8d8de (3 x RedLineStealer, 2 x CoinMiner, 2 x DCRat)
Reporter	jstrosch
Tags:	CoinMiner exe X64

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-01-04 01:51:16 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/9c1de2bd-7682-4e34-ac06-3b0a3d2105d6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/349280/

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.2686.20787.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Using the Windows Management Instrumentation requests

Running batch commands

Creating a process with a hidden window

Creating a window

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63b4da970e926711fd76bf4b/reports/60500535-7a06-401d-b197-ec527ac097d6/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/16c71c45-e205-429e-94dc-e6169f51c9ea

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1144871

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

Contains functionality to detect virtual machines (IN, VMware)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

DNS related to crypt mining pools

Found strings related to Crypto-Mining

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e6d721a289c4f4976f8501ae50c373513230533c1f2aea486ca88b5c431a918a/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-01-04 00:35:50 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=43lsdiujyt2jo34fagxfbq3tkezdauz4d4vousdmvcfvyqy2sgfa._file

Verdict:

unknown

CoinMiner

334b8c0681f7876ea9108a19da9d216e8c9a9248511ea56dc0ac02fadc0a2e00

CoinMiner

4a41f8f731cbcc12964701358e0bf99d73c928ccb69a53dce19441ab7bc90f3c

CoinMiner

683e5ce2920030d4cfdf3b2060a705f654d882a376d2f1671e8d240761ffdd64

CoinMiner

7bd34b7923a17098175c99070569b5a49e8dea6921edcbce273ec7f59e8ab9d1

CoinMiner

9d4888ece611891fb0343b8c003703a4ec653031585a2c578b3bb525683b3b9a

CoinMiner

ac33a4954a11cabb9fce2e006d671f385b136f51453eec5b63456bcc6d50171d

CoinMiner

cde90075cab113a8f7865aa2233bfea7065c754655d30db2114127ca7255a888

CoinMiner

d6d728c1c24d9e6f05a81e8d54846be4c89ca6d9a1a59e52a1ccfb32d9b65d42

CoinMiner

fc52bdc35a10badcd4f88cd91d0c071bc05520c78097501f5f23fd5114e15e64

CoinMiner

+ 2'638 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/230104-b7jqnagg8z/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

XMRig Miner payload

xmrig

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/52134a93-0c8f-4216-a339-eaa103d69adf

Unpacked files

SH256 hash:

e6d721a289c4f4976f8501ae50c373513230533c1f2aea486ca88b5c431a918a

MD5 hash:

a77637bf48d36d0741f36eef5f928cb4

SHA1 hash:

6e672d8a4677a5899017e4103141336f9d5a4174

Link:

https://www.unpac.me/results/59678d59-1dc6-476e-a5df-36d730e963fe/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e6d721a289c4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.19

Link:

https://yomi.yoroi.company/submissions/e6d721a289c4f4976f8501ae50c373513230533c1f2aea486ca88b5c431a918a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

exe e6d721a289c4f4976f8501ae50c373513230533c1f2aea486ca88b5c431a918a

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2452741/

Cape

https://www.capesandbox.com/analysis/349280/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample