MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f63921129822475dd132a116b11312ebbb0cdc8b54f188aabeb7cf7a8c9065fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f63921129822475dd132a116b11312ebbb0cdc8b54f188aabeb7cf7a8c9065fd
SHA3-384 hash: 0cc8962c8132538a28b02375f29e31e23179dd3b8b8f96a9eaf25ce286b30b9ad04e1467d34fa93da06fdfbddb1316c0
SHA1 hash: fe5c0686830f3e5f6b244cda15561a3b65e95b75
MD5 hash: 22a9265676ffebc71d888f0c57af9fd1
humanhash: helium-avocado-island-east
File name:22a9265676ffebc71d888f0c57af9fd1.bin
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'353'552 bytes
First seen:2023-02-20 12:39:26 UTC
Last seen:2023-02-20 14:30:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a9a8afe0c4589826f3e83ff7470eb91 (1 x CoinMiner)
ssdeep 98304:IgJL8qIwELol83T8QhbXLISpFPTVElvzPSp/2e:IikwjQJXLImVSPSF
Threatray 1'196 similar samples on MalwareBazaar
TLSH T1DA16027BF251DEFDC046CAB458D296B05931BD641A71138752CD330E2AB2E902EAD7CE
TrID 37.3% (.EXE) InstallShield setup (43053/19/16)
36.0% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
9.1% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:bin CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
22a9265676ffebc71d888f0c57af9fd1.bin
Verdict:
Malicious activity
Analysis date:
2023-02-20 12:41:19 UTC
Tags:
installer
Link:
https://app.any.run/tasks/e241fdec-6a19-45a8-8ca7-b8fe488b5f69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368421/
Detection(s):
SecuriteInfo.com.FileRepMalware.29789.653.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Searching for the window
Sending a custom TCP request
DNS request
Creating a window
Creating a file in the Windows subdirectories
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/71841/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug bedep dllhost.exe donut overlay packed regsvr32.exe replace.exe rundll32.exe shell32.dll virus virut
Link:
https://www.filescan.io/uploads/63f36a25d385ee58584e1fc5/reports/46dc413e-d999-4d0e-9827-5a0e4c7ce126/overview
Verdict:
Malicious
Labled as:
Virus.Win64.Virut
Link:
https://www.hybrid-analysis.com/sample/f63921129822475dd132a116b11312ebbb0cdc8b54f188aabeb7cf7a8c9065fd
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2d4ac4f7-96d7-41c1-8624-6336841561e4
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179200
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Detected Stratum mining protocol
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses powercfg.exe to modify the power settings
Very long command line found
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 812028 Sample: FE5onznH3d.exe Startdate: 20/02/2023 Architecture: WINDOWS Score: 100 82 Snort IDS alert for network traffic 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for dropped file 2->86 88 5 other signatures 2->88 7 FE5onznH3d.exe 2 2->7         started        10 mshta.exe 2 2->10         started        12 cmd.exe 1 2->12         started        14 8 other processes 2->14 process3 signatures4 90 Detected unpacking (overwrites its own PE header) 7->90 92 Writes to foreign memory regions 7->92 94 Allocates memory in foreign processes 7->94 104 2 other signatures 7->104 16 rundll32.exe 2 7->16         started        20 powershell.exe 7 7->20         started        96 Suspicious powershell command line found 10->96 22 powershell.exe 20 10->22         started        98 Uses powercfg.exe to modify the power settings 12->98 100 Modifies power options to not sleep / hibernate 12->100 24 conhost.exe 12->24         started        26 powercfg.exe 12->26         started        28 powercfg.exe 12->28         started        32 2 other processes 12->32 102 Creates files in the system32 config directory 14->102 30 MpCmdRun.exe 1 14->30         started        34 2 other processes 14->34 process5 file6 48 C:\Users\user\AppData\Local\...\evb4CF9.tmp, PE32+ 16->48 dropped 64 Writes to foreign memory regions 16->64 66 Allocates memory in foreign processes 16->66 68 Hides threads from debuggers 16->68 80 2 other signatures 16->80 36 conhost.exe 15 27 16->36         started        70 Very long command line found 20->70 72 Powershell drops PE file 20->72 39 conhost.exe 20->39         started        50 C:\Windows\Temp\dqjjvhqz.tmp, PE32+ 22->50 dropped 52 C:\Windows\System32\config\...\WR64.sys, PE32+ 22->52 dropped 74 Creates files in the system32 config directory 22->74 76 Modifies the context of a thread in another process (thread injection) 22->76 78 Sample is not signed and drops a device driver 22->78 42 dwm.exe 22->42         started        44 conhost.exe 22->44         started        46 conhost.exe 30->46         started        signatures7 process8 dnsIp9 54 api.ip.sb 36->54 56 void.cat 51.255.78.49, 443, 49713 OVHFR France 36->56 58 iplogger.com 148.251.234.93, 443, 49717 HETZNER-ASDE Germany 36->58 106 May check the online IP address of the machine 39->106 60 179.43.154.176, 49724, 49726, 7000 PLI-ASCH Panama 42->60 62 snippet.host 192.144.37.43, 443, 49725 SERVERUM-ASRU Russian Federation 42->62 108 Query firmware table information (likely to detect VMs) 42->108 110 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 42->110 signatures10 112 Detected Stratum mining protocol 60->112
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f63921129822475dd132a116b11312ebbb0cdc8b54f188aabeb7cf7a8c9065fd/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2023-02-20 12:40:11 UTC
File Type:
PE+ (Exe)
Extracted files:
31
AV detection:
10 of 25 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6y4sceuyejdv3ujsuellceys5o5qzxelktyyrkv6w7hxvdeqmx6q._file
Verdict:
unknown
Similar samples:
09056fe941466c4b7c6b88b7c4690e630ae68f0c3583da06f56f50ef961dd75c
CoinMiner
0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f
CoinMiner
2f70a1335ed3513ccf2996cf0ed45442692f79a4f9d8ea08e400d0f257c17394
CoinMiner
4883c8f935d8c8397ffb003f72e4e515501820ebd37ca079c478ba5b7ed7b3d4
CoinMiner
51a274f436ef7b5d8174010a4d6dd0938c1a8e9c10d9adc422a1111665ffac0c
CoinMiner
ad973e02add316a10df7e49e9c0ad30879ca8ef658731f1ccb9101be5efe6972
CoinMiner
ed3b91ec20184139f90c2432c7d90567dc9c47afc45a87bb4d72fa4a6c64edd9
CoinMiner
f3de4ce2a7e7d27e8dcfc9b38b0e55631181393e673a37a57bd97e218a797cfe
CoinMiner
+ 1'186 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/230220-pv7tlsae2x/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Loads dropped DLL
UPX packed file
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
f63921129822475dd132a116b11312ebbb0cdc8b54f188aabeb7cf7a8c9065fd
MD5 hash:
22a9265676ffebc71d888f0c57af9fd1
SHA1 hash:
fe5c0686830f3e5f6b244cda15561a3b65e95b75
Link:
https://www.unpac.me/results/7af3f9b1-c27c-4df1-afca-70dd5db97453/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f63921129822/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f63921129822475dd132a116b11312ebbb0cdc8b54f188aabeb7cf7a8c9065fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Enigma
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Enigma

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/368421/

Comments