MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2
SHA3-384 hash: f82e19be8cbe703e6b3c839b6d6bd570f89ba7dffecd85686ccb0b6b913a7593d1b67b6a064b6c66d409e68265fc5fcc
SHA1 hash: 3b98658a6f4102e66e1cf8dd1b0b08675c330bd8
MD5 hash: 137600f4764123097f7ce08a3bbb2a1d
humanhash: tennessee-stream-fish-florida
File name:137600f4764123097f7ce08a3bbb2a1d
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'595'209 bytes
First seen:2021-06-24 13:04:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:RbS+wvHdo6q31x039KT2ByPuTBbl88WxST53yrK2/SI:RzO9lq31C3PByPuTJl8Da3+7H
Threatray 395 similar samples on MalwareBazaar
TLSH 90263313FA86D8F3D97228312A6F5B01623AB6611F558B9F63E48D58AD740C0F634ED3
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
137600f4764123097f7ce08a3bbb2a1d
Verdict:
Malicious activity
Analysis date:
2021-06-24 13:07:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4e6a5226-6e0e-4605-bcc4-a2821185224a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168040/
Detection(s):
SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7741746e-dfdd-4400-b209-b76d5ae525f4
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807492
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439905 Sample: pimdZjF6HC Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 92 Sigma detected: Xmrig 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 8 other signatures 2->98 9 pimdZjF6HC.exe 8 2->9         started        12 svchost.exe 2->12         started        15 Framework64.exe 3 2->15         started        17 8 other processes 2->17 process3 dnsIp4 80 C:\Users\user\AppData\...\RuntimeBrokers.exe, PE32+ 9->80 dropped 82 C:\Users\user\AppData\...\Framework64.exe, PE32+ 9->82 dropped 20 Framework64.exe 7 9->20         started        24 RuntimeBrokers.exe 7 9->24         started        126 Changes security center settings (notifications, updates, antivirus, firewall) 12->126 26 MpCmdRun.exe 12->26         started        28 cmd.exe 15->28         started        84 127.0.0.1 unknown unknown 17->84 30 conhost.exe 17->30         started        32 schtasks.exe 17->32         started        file5 signatures6 process7 file8 72 C:\Users\user\AppData\...\sihost64.exe, PE32+ 20->72 dropped 74 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 20->74 dropped 118 Multi AV Scanner detection for dropped file 20->118 120 Machine Learning detection for dropped file 20->120 122 Injects code into the Windows Explorer (explorer.exe) 20->122 124 5 other signatures 20->124 34 explorer.exe 20->34         started        38 sihost64.exe 2 20->38         started        40 cmd.exe 1 20->40         started        76 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32+ 24->76 dropped 78 C:\Users\user\AppData\...\sihost32.exe, PE32+ 24->78 dropped 42 RuntimeBroker.exe 24->42         started        44 sihost32.exe 24->44         started        46 cmd.exe 1 24->46         started        48 conhost.exe 26->48         started        50 conhost.exe 28->50         started        52 schtasks.exe 28->52         started        signatures9 process10 dnsIp11 86 mine.bmpool.org 157.90.156.89, 49724, 6004 REDIRISRedIRISAutonomousSystemES United States 34->86 88 pastebin.com 104.23.98.190, 443, 49723 CLOUDFLARENETUS United States 34->88 100 System process connects to network (likely due to code injection or exploit) 34->100 102 Query firmware table information (likely to detect VMs) 34->102 104 Tries to detect sandboxes and other dynamic analysis tools (window names) 34->104 90 192.168.2.1 unknown unknown 38->90 54 conhost.exe 40->54         started        56 schtasks.exe 1 40->56         started        106 Multi AV Scanner detection for dropped file 42->106 108 Hijacks the control flow in another process 42->108 110 Machine Learning detection for dropped file 42->110 116 5 other signatures 42->116 58 cmd.exe 42->58         started        60 explorer.exe 42->60         started        62 RuntimeBroker.exe 44->62         started        112 Uses schtasks.exe or at.exe to add and modify task schedules 46->112 64 conhost.exe 46->64         started        66 schtasks.exe 1 46->66         started        signatures12 114 Detected Stratum mining protocol 86->114 process13 process14 68 conhost.exe 58->68         started        70 schtasks.exe 58->70         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2/
Threat name:
ByteCode-MSIL.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 01:17:20 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5dclzxhun4ibzrysn55542kv62uxdudnyk7kt5sjswkli5nqshra._file
Verdict:
malicious
Similar samples:
0b279fc61a4f1c8ba65633d4e39d88bdaf060ffe3b73a43146e66da4b71cc2db
CoinMiner
1ed5337566938228ee9afcad29b1f722d55f4f8172a3157af4d4ad913541b2ea
CoinMiner
64ddaec35ffff60526ab760aea8d1a631a5c1b77c18d6054a1d36e95a7e4c8b1
CoinMiner
6c3a2575d3325e7a0f520a5fefa0384855980461683e6c7463debbd668ab3258
CoinMiner
74b13418d9f50f94920aa870823732618509599ed36a57e440c32c1e9cd928f2
CoinMiner
a1a0ca95d42cb766533d9c4a8260cdcea4abab6d17214b711b7f366fbafe2413
CoinMiner
b50cfd0edcdb6b99115f83ae101003203d113e40e7cf1fa9c796886115f8c994
CoinMiner
e15ea1dc92dd31517334886dba17d7022c73d258096bf77f897ef60c1b8302b1
CoinMiner
f970fb9186f287b64997d76b1d4ddc5121b42e4bf697734ae1855a641e95b923
CoinMiner
feb12de92aa1536ba75f69b41bf74cc3bd8438df7eb0f0705ebbd1de73994624
CoinMiner
+ 385 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/210624-kzrc35t24e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2
MD5 hash:
137600f4764123097f7ce08a3bbb2a1d
SHA1 hash:
3b98658a6f4102e66e1cf8dd1b0b08675c330bd8
Link:
https://www.unpac.me/results/7ade4772-315d-44fb-8d8a-bad28291b0f5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cryptocoin_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Create hunting rule
Author:Florian Roth
Description:Detects XMRIG crypto coin miners
Reference:https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Rule name:XMRIG_Miner
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168040/
  
URLhaus
https://urlhaus.abuse.ch/url/1394663/

Comments