MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50
SHA3-384 hash: b4b882e119e33b7ff42278e859aaa4c916cd479ba337f139988260fca02cf38271d874ab6b7db3013c73b3159f09078a
SHA1 hash: cff2a6b3b726455b9ed898aa766f2363189642bc
MD5 hash: 844b7e033c078ed67b52558b5d891741
humanhash: seventeen-montana-hydrogen-friend
File name:844b7e033c078ed67b52558b5d891741
Download: download sample
Signature CoinMiner
Create hunting rule
File size:207'360 bytes
First seen:2021-09-26 15:31:30 UTC
Last seen:2021-09-26 16:30:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d8015d2a3e764c340a134c25fbcfa53b (1 x CoinMiner)
ssdeep 6144:xiqISqZfg//N7V8mIrf8y7ABqYWqjTf1ECB/N1:xz7zVRLix7ABwq/fmk3
Threatray 8 similar samples on MalwareBazaar
TLSH T1D5142386436C83F7C653537C1DBAC828EB192CB492CD27A9672C74B34676EA31DAC512
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
96dce028459cf26be5816b14c6b14484.exe
Verdict:
Malicious activity
Analysis date:
2021-09-26 14:43:46 UTC
Tags:
trojan rat redline stealer loader
Link:
https://app.any.run/tasks/8efd27ba-e5f1-4fb4-922f-5a4c0df81c7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191804/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47036876.11686.4165.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5992776a-4988-466f-9bde-edc8574beed4
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858466
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in the system32 config directory
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Xmrig
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses netsh to modify the Windows network and firewall settings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 490892 Sample: XwfWWIkABj Startdate: 26/09/2021 Architecture: WINDOWS Score: 100 60 94.130.165.87, 4444, 49713 HETZNER-ASDE Germany 2->60 62 pool.minexmr.com 2->62 74 Sigma detected: Xmrig 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 Multi AV Scanner detection for submitted file 2->78 82 7 other signatures 2->82 12 XwfWWIkABj.exe 40 2->12         started        17 svchost.exe 2->17         started        19 svchost.exe 2->19         started        21 3 other processes 2->21 signatures3 80 Detected Stratum mining protocol 60->80 process4 dnsIp5 68 iplogger.org 88.99.66.31, 443, 49693, 49694 HETZNER-ASDE Germany 12->68 70 bitbucket.org 104.192.141.1, 443, 49695, 49697 AMAZON-02US United States 12->70 72 4 other IPs or domains 12->72 52 C:\ProgramData\UpSys.exe, PE32+ 12->52 dropped 54 C:\ProgramData\Systemd\Microsoft_Edge.exe, PE32+ 12->54 dropped 56 C:\ProgramData\MicrosoftNetwork\System.exe, PE32+ 12->56 dropped 58 11 other files (1 malicious) 12->58 dropped 96 May check the online IP address of the machine 12->96 98 Modifies the windows firewall 12->98 100 Adds a directory exclusion to Windows Defender 12->100 23 Microsoft_Edge.exe 12->23         started        26 Microsoft_Edge.exe 12->26         started        29 Microsoft_Edge.exe 12->29         started        31 35 other processes 12->31 102 Changes security center settings (notifications, updates, antivirus, firewall) 17->102 file6 signatures7 process8 dnsIp9 84 Query firmware table information (likely to detect VMs) 23->84 86 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->86 88 Hides threads from debuggers 23->88 64 51.254.84.37, 4444, 49705 OVHFR France 26->64 66 pool.minexmr.com 26->66 90 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->90 92 Uses netsh to modify the Windows network and firewall settings 31->92 33 UpSys.exe 31->33         started        35 taskkill.exe 31->35         started        37 conhost.exe 31->37         started        39 44 other processes 31->39 signatures10 94 Detected Stratum mining protocol 64->94 process11 process12 41 UpSys.exe 33->41         started        43 conhost.exe 35->43         started        process13 45 UpSys.exe 41->45         started        process14 47 powershell.exe 45->47         started        signatures15 104 Creates files in the system32 config directory 47->104 50 conhost.exe 47->50         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50/
Threat name:
Win64.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 22:35:00 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=574kjbhk7vpl35lyixtkmvtzguql3xpvi2pkjkk6vjly5c6knria._file
Verdict:
malicious
Similar samples:
16c3925debeb733f58c941bf756a6c247992dafa4dbfa8f7f1d5337b0f96fdf1
CoinMiner
25149614d2732a9db3e86ee490064f943cef5747b19d937d2f3cc2d7e13d29b7
CoinMiner
25259833bb95deec56711cb26d5301d9f7975730655d314e50ddeccf986777ef
CoinMiner
2f802aab0b83ba927a253910e4fb2a071f39c5515d08e29be2c2a687771be0d5
CoinMiner
6cf4d60af4e22f92096f64bdc0be0722ba53f589922c1f171c4c4faac0ce711f
CoinMiner
7a5a953b328eddffbd69d55bc2d6626c353bcef9a9a9f4efec49cdaa7ac601ac
CoinMiner
8497b714d64bbe043d4ef481a213eca88cc48a1dc98ad43443433c35e4af211a
CoinMiner
8ae8b54bc449ebeb94ba2ad9e0fe136404dec237f612459282ef465e5df59160
CoinMiner
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion themida trojan upx
Link:
https://tria.ge/reports/210926-synrpafah9/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies security service
Unpacked files
SH256 hash:
eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50
MD5 hash:
844b7e033c078ed67b52558b5d891741
SHA1 hash:
cff2a6b3b726455b9ed898aa766f2363189642bc
Link:
https://www.unpac.me/results/b2ac16c1-4846-4e06-ba5a-07307ae89967/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe eff8a484eafd5ebdf57845e6a656793520bdddf5469ea4a95eaa578e8bca6c50

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191804/

Comments


Avatar
zbet commented on 2021-09-26 15:31:31 UTC

url : hxxp://sherence.ru/Zenar.exe