MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f72cc34394c1d4ce63a6151c1effe973e44cc65043df34de98f82a127c6225d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 9

Intelligence 9 IOCs YARA 11 File information Comments

SHA256 hash:	f72cc34394c1d4ce63a6151c1effe973e44cc65043df34de98f82a127c6225d1
SHA3-384 hash:	9357e93fc3b535c32e049bbbe8c7da9a6ebff5810ec45e733bbd57b1855eb1e657e7fd749e23a47d49da476c680b6768
SHA1 hash:	175edd3cff914f092f089ace0537d8bfdad377f2
MD5 hash:	96a7f708dc26987653bb55cf9ee7afdd
humanhash:	berlin-quiet-fix-potato
File name:	xmrig
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	8'895'728 bytes
First seen:	2023-06-18 09:34:57 UTC
Last seen:	2023-06-18 09:35:41 UTC
File type:	elf
MIME type:	application/x-executable
ssdeep	196608:MPYnvBnzA0RvEqrVc0FcjYEpD71TnfD1fl5T7s:MPYnvBnzA0RvESVcscjDRTn71flt
TLSH	T1D4969E07F9A318FDC5DAC970472BD3A3BA30785842257A7B3694D9302E53FA05B2EB51
telfhash	t12ac30a65082dc94bcc716a29aebd6e6647ca06cbb310fdd4afe4c01c9f40c9da2e754d
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter	ULTRAFRAUD
Tags:	CoinMiner elf XMRIG

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

Vendor Threat Intelligence

Detection(s):

PUA.Unix.Coinminer.XMRig-6683890-0

Multios.Coinminer.Miner-6781728-2

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

coinminer monero packed virus xmrig

Link:

https://www.filescan.io/uploads/648ecfc7df8f39f125fea124/reports/f84dd82f-52fc-48ba-811a-7fc2c146d6de/overview

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

true

Architecture:

x86

Packer:

not packed

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/f72cc34394c1d4ce63a6151c1effe973e44cc65043df34de98f82a127c6225d1

Behaviour

Anti-VM

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

not identified

Result

Verdict:

MALICIOUS

Malware family:

XMRig Miner

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b5e79c84-5533-4e83-9c1b-c1700db770ae

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

troj.mine

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1256814

Signature

Antivirus / Scanner detection for submitted sample

Contains symbols with names commonly found in malware

Found strings related to Crypto-Mining

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample reads /proc/mounts (often used for finding a writable filesystem)

Stdout / stderr contain strings indicative of a mining client

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f72cc34394c1d4ce63a6151c1effe973e44cc65043df34de98f82a127c6225d1/

Threat name:

Linux.Trojan.Miner

Status:

Malicious

First seen:

2023-04-04 04:54:00 UTC

File Type:

ELF64 Little (Exe)

AV detection:

22 of 37 (59.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=64wmgq4uyhkm4y5gcuob577jopsezrsqipptjxuy7avbe7dcexiq._file

Result

Malware family:

xmrig_linux

Score:

10/10

Tags:

family:xmrig family:xmrig_linux antivm linux miner

Link:

https://tria.ge/reports/230618-lkb3eaee63/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

Checks CPU configuration

Checks hardware identifiers (DMI)

Reads CPU attributes

Reads hardware information

xmrig

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/f72cc34394c1d4ce63a6151c1effe973e44cc65043df34de98f82a127c6225d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	enterpriseapps2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise apps

Rule name:	F01_s1ckrule Create hunting rule
Author:	s1ckb017

Rule name:	Linux_Cryptominer_Camelot_209b02dd Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Cryptominer_Camelot_cdd631c1 Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Cryptominer_Xmrminer_67bf4b54 Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Trojan_Pornoasset_927f314f Create hunting rule
Author:	Elastic Security

Rule name:	MacOS_Cryptominer_Generic_333129b7 Create hunting rule
Author:	Elastic Security

Rule name:	MacOS_Cryptominer_Xmrig_241780a1 Create hunting rule
Author:	Elastic Security

Rule name:	setsockopt Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for setsockopt() red flags

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

elf f72cc34394c1d4ce63a6151c1effe973e44cc65043df34de98f82a127c6225d1

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2665346/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample