MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f60ee59dc9b055fa1d144a448f76fd85a68129c3a34dcda79a0a56adf38ce797. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f60ee59dc9b055fa1d144a448f76fd85a68129c3a34dcda79a0a56adf38ce797
SHA3-384 hash: f8235d143e18df2eda08057a97a96ba53483e209d4ca44f4454cf07d1e1cfd0558ec31bff15a77af3d0cf26d3c6f0a5b
SHA1 hash: a4ed593ff27a13a08b0c11b6e7c73597289e5df0
MD5 hash: d264d399af65b515987e08dfd197d238
humanhash: green-massachusetts-floor-indigo
File name:d264d399af65b515987e08dfd197d238
Download: download sample
Signature CoinMiner
Create hunting rule
File size:65'536 bytes
First seen:2022-06-12 12:09:32 UTC
Last seen:2022-06-12 12:34:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 768:NmSUckOgOa1TSfIHSrn5ljL2k827BbBNoaGi1nW9XrcJcXLZJpV:cnc4ufIyr5ljLZ88bBpGi1nW/XhV
Threatray 1'021 similar samples on MalwareBazaar
TLSH T17253FC9D765076DFC86BC8728AA82C74EA60747B531BD203A05316ED9A0D9DBCF181F3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
470
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d264d399af65b515987e08dfd197d238
Verdict:
No threats detected
Analysis date:
2022-06-12 12:10:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8318c52f-3cb5-427f-9d9a-358b1d28b16e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/279084/
Detection(s):
SecuriteInfo.com.Variant.Lazy.160244.29415.26653.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Running batch commands
Launching a process
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Forced system process termination
Searching for synchronization primitives
Adding an access-denied ACE
Searching for the window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed wacatac
Link:
https://www.filescan.io/uploads/62a5d7d6a454cbb2f2f60d47/reports/fdd2b98e-b597-4e0c-9306-245a5785f50c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2889b91-ac84-45b7-9cca-d10761eea8fa
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1011604
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f60ee59dc9b055fa1d144a448f76fd85a68129c3a34dcda79a0a56adf38ce797/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 13:37:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6yholhojwbk7uhiujjci65x5qwtickodung43j42bjlk344m46lq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3b70b57af7fcdfb9d0c83217e58d6acd5fafe898f11a815b88b444ecfadb57ab
CoinMiner
3deefd1f1f776cc14993508ae21a6434b496b48d7c1c85ec892572e2a56473ab
CoinMiner
5baf945d45a2a4c472499e7a56ef81b265574d41ffc72f72b6bb6f0ea6173f18
CoinMiner
5c131d192bb0f86309fb424ecd58f929aee48a3244b3a49ce6a8422158b7a154
CoinMiner
604d21a93ab88cdc9d0b609e73766a13e5959644eb35c7bc4fa8967378846004
CoinMiner
a2b55ffb492faeced1033c534e4f462d3c0ac9f914f991361ba67067538a05d1
CoinMiner
a5e6cd875238850ec701202134a00d276574d623ac52383f4a96e26650ceac77
CoinMiner
ac0cd27c71d75b6ea298c5169f845ab40e4b5750cb76368c5364f29178e0594d
CoinMiner
de85e7754cdb6c18d93f074d58406b4b4e91466cb53e82f962535452ebc2b9d9
CoinMiner
+ 1'011 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence
Link:
https://tria.ge/reports/220612-pb17qaahhm/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
a5abb6601ca6e834862de53a87a9bd8fda1cbe5a74b7a6a8a49fd489f5bf69a1
MD5 hash:
cd66bae020c78f60d9d71ed3dbc978ee
SHA1 hash:
157831ea5deea436cd43f49eaaf7155e939d68e6
Link:
https://www.unpac.me/results/36e34c2c-ee36-45d6-a171-5758dd8fdff0/
SH256 hash:
f60ee59dc9b055fa1d144a448f76fd85a68129c3a34dcda79a0a56adf38ce797
MD5 hash:
d264d399af65b515987e08dfd197d238
SHA1 hash:
a4ed593ff27a13a08b0c11b6e7c73597289e5df0
Link:
https://www.unpac.me/results/36e34c2c-ee36-45d6-a171-5758dd8fdff0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f60ee59dc9b055fa1d144a448f76fd85a68129c3a34dcda79a0a56adf38ce797

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe f60ee59dc9b055fa1d144a448f76fd85a68129c3a34dcda79a0a56adf38ce797

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/279084/
  
URLhaus
https://urlhaus.abuse.ch/url/2235136/

Comments


Avatar
zbet commented on 2022-06-12 12:09:38 UTC

url : hxxps://file155.gofile.io/download/direct/2128119a-9713-4a23-aa29-6b5f6387952d/buildminerraccoon.exe