MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e89843256ff5ba727b9195361447d30e88fbfb660e97aaad5cb0196fd2f0991a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e89843256ff5ba727b9195361447d30e88fbfb660e97aaad5cb0196fd2f0991a
SHA3-384 hash: 6e22fe7df44c6bb0c24e9fe798350ae832f9426e4185ead97b4eab0f69bd1b140b8842c96a4bbf1c9490fd489fd415c1
SHA1 hash: 1fca181af23ccc81399be5fb5dc98607e58ad97d
MD5 hash: 2fccdd78e870983b60e3e0a00f3a5556
humanhash: fillet-sink-kentucky-eight
File name:start.exe
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:14'785'024 bytes
First seen:2020-11-16 12:54:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 393216:S+Q3E2su9kD4Uo91mE/tGHwypqq5IRw36E1f3v1f8g8:xvu9P1j/gHSq6a60X1kZ
Threatray 903 similar samples on MalwareBazaar
TLSH 16E63313B3A1C065FFAB92731F26B6598B7C7E691127931F53481D68B9B0271227E323
Reporter JAMESWT_WT
Tags:CoinMiner.XMRig narutomadara8877

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Running batch commands
Launching a process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/537738
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Installs TOR (Internet Anonymizer)
May use the Tor software to hide its network traffic
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 317967 Sample: start.exe Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 78 Antivirus detection for dropped file 2->78 80 Antivirus / Scanner detection for submitted sample 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 8 other signatures 2->84 8 Helper.exe 1 2->8         started        11 start.exe 7 2->11         started        15 Helper.exe 2->15         started        17 3 other processes 2->17 process3 dnsIp4 90 Antivirus detection for dropped file 8->90 92 Multi AV Scanner detection for dropped file 8->92 94 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->94 19 Helper.exe 5 8->19         started        76 2no.co 88.99.66.31, 443, 49713 HETZNER-ASDE Germany 11->76 56 C:\Users\user\AppData\Roaming\...\Helper.exe, PE32+ 11->56 dropped 58 C:\Users\user\AppData\...\SystemCheck.xml, XML 11->58 dropped 60 C:\Users\user\AppData\...\CL_Debug_Log.txt, PE32 11->60 dropped 96 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->96 22 CL_Debug_Log.txt 3 11->22         started        25 cmd.exe 1 11->25         started        27 cmd.exe 1 11->27         started        file5 signatures6 process7 file8 86 Modifies the context of a thread in another process (thread injection) 19->86 88 Injects a PE file into a foreign processes 19->88 29 Helper.exe 12 19->29         started        33 tor.exe 10 19->33         started        52 C:\Users\user\AppData\Local\Temp\64.exe, PE32+ 22->52 dropped 54 C:\Users\user\AppData\Local\Temp\32.exe, PE32 22->54 dropped 36 conhost.exe 22->36         started        38 conhost.exe 25->38         started        40 timeout.exe 1 25->40         started        42 timeout.exe 1 25->42         started        48 2 other processes 25->48 44 conhost.exe 27->44         started        46 schtasks.exe 1 27->46         started        signatures9 process10 dnsIp11 62 C:\Users\user\AppData\Roaming\...\tor.exe, PE32 29->62 dropped 64 C:\Users\user\AppData\Roaming\...\zlib1.dll, PE32 29->64 dropped 66 C:\Users\user\AppData\...\ssleay32.dll, PE32 29->66 dropped 68 8 other files (none is malicious) 29->68 dropped 98 Installs TOR (Internet Anonymizer) 29->98 50 conhost.exe 29->50         started        70 185.129.62.62, 49738, 9001 ZENCURITY-NETDK Denmark 33->70 72 192.87.28.82, 49739, 9001 SURFNET-NLSURFnetTheNetherlandsNL Netherlands 33->72 74 21 other IPs or domains 33->74 file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e89843256ff5ba727b9195361447d30e88fbfb660e97aaad5cb0196fd2f0991a/
Threat name:
Win32.Dropper.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 13:51:57 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
24 of 27 (88.89%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5cmegjlp6w5he64rsu3bir6tb2epx63gb2l2vlk4wamw7uxqtena._file
Verdict:
unknown
Similar samples:
3d551f94081e0fa3d61252f4b5ecca8c08ad6ed7f4dc9cbe5f688e7149f69823
CoinMiner.XMRig
5d9d3139341641ce29a3a0a55b11e04b6e8827d6a5eee973aa66c12887ab0cc4
CoinMiner.XMRig
82bb3e9ec03f5237ed521effee5b1825b59e31be522e71a05c129676e60839ee
CoinMiner.XMRig
8a6396b1db9c4c2eaa48f4306e06700ac576045d558aef354bac424f14dadace
CoinMiner.XMRig
93692002c0d232acc30bac07e47393b8f23576956ed738bc0aa802b6ecc92c3c
CoinMiner.XMRig
970ffc480d61b37737f34ddf738e257a99162cce8338f7c59fdd4ab995ae9dfc
CoinMiner.XMRig
b2c546db519f541e77933c1ae7884047df59775c05488c766a5b1b96eff1cb79
CoinMiner.XMRig
d4898d4aec91b789a3abb2d9e103eb1111d783a05a119ef7d1db9ab3811a79c2
CoinMiner.XMRig
da32892b691e51284649a6f71c2ff12937efcf7caddeade9fd66f589643ce25f
CoinMiner.XMRig
e9056b5596854e3473033e3b28577c83a70f1b5be20e4b1cf529688ad7591b70
CoinMiner.XMRig
+ 893 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
miner
Link:
https://tria.ge/reports/201116-wq4x4hya9e/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
NTFS ADS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Drops file in System32 directory
Suspicious use of SetThreadContext
JavaScript code in executable
Deletes itself
Loads dropped DLL
Executes dropped EXE
Detected Stratum cryptominer command
Unpacked files
SH256 hash:
e89843256ff5ba727b9195361447d30e88fbfb660e97aaad5cb0196fd2f0991a
MD5 hash:
2fccdd78e870983b60e3e0a00f3a5556
SHA1 hash:
1fca181af23ccc81399be5fb5dc98607e58ad97d
Link:
https://www.unpac.me/results/fb55724b-8c73-4ad9-8096-ed19da17b8ce/
SH256 hash:
0ca7f01d1e832b71f9b2a33b627d12dedb5628173876afed32c34ed0d687a4cf
MD5 hash:
a0f6c284c5184f4a4a3686ffc0cdf985
SHA1 hash:
643826f6a8acdfa0baa6870d24d631b4b686b0b0
Link:
https://www.unpac.me/results/fb55724b-8c73-4ad9-8096-ed19da17b8ce/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:Cryptocoin_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:XMRIG_Miner
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments