MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 13



SHA256 hash: f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4
SHA3-384 hash: 72fb093c845e401d766f85d593715d84c740dd4ea09032d84adaf5139ed21509be455b3c9007a3fad25dfa6e062ce4fa
SHA1 hash: a423f61c97f26b09aa85d96935d226f8df6e5d02
MD5 hash: a56e4ddc5dd0e6f0fd17011334868e43
humanhash: washington-mango-coffee-single
File name: services64.exe
Signature: CoinMiner
File size: 31'464'960 bytes
First seen: 2024-01-08 21:37:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 02549ff92b49cce693542fc9afb10102 (89 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep: 786432:owtqBfF8Xk67VcgNuSQLCpo/26wLRf0dnlemSGZRVU:owtqDWkccNSjo/w50nemPXVU
TLSH: T11F67332B6B5B1C0BE13543FD4441EABA97431FD83522D30A82F1ECE3F9DA6466C966D0
TrID:
- 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
- 15.6% (.ICL) Windows Icons Library (generic) (2059/9)
- 15.4% (.EXE) OS/2 Executable (generic) (2029/13)
- 15.2% (.EXE) Generic Win/DOS Executable (2002/3)
- 15.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 597170f0f9f9b19c (1 x njrat, 1 x CoinMiner)
Reporter: smica83
Tags: CoinMiner exe HUN XMRIG

Intelligence

File Origin
# of uploads: 1
# of downloads: 467
Origin country: HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4.exe
Verdict:
No threats detected
Analysis date:
2024-01-08 21:43:56 UTC
Tags:
miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
donut packed
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Behavior Graph ID: 1371497; Sample: services64.exe; Startdate: 08/01/2024; Architecture: WINDOWS; Score: 100 (graph rendering not preserved; recoverable nodes listed below)
Process chain: services64.exe -> conhost.exe -> cmd.exe -> services64.exe / schtasks.exe; later stages start sihost64.exe and svchost.exe
Dropped files: C:\Users\user\AppData\...\services64.exe (PE32+), C:\Users\user\AppData\...\sihost64.exe (PE32+), C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
Network: mine.bmpool.org (5.252.178.30, ports 49729, 49730, 6004; MIVOCLOUDMD, Moldova Republic of); Stratum mining protocol detected
Gathering data
Threat name:
Win64.Trojan.Donut
Status:
Malicious
First seen:
2024-01-08 21:38:14 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
Score:
10/10
Tags:
family:xmrig miner
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
XMRig Miner payload
xmrig
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments