MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56
SHA3-384 hash: 2649dd664664a3a2c168aea7764cfca242b5761a9d58596678044e9b5fa0d62416e61e275931f250782af8ed37d03a52
SHA1 hash: 29b088bc617ce93293700232ba864ecc4e5c5493
MD5 hash: ddd1b892cae78b0b9759353bc4f0b2c6
humanhash: emma-oxygen-vermont-pluto
File name:ddd1b892cae78b0b9759353bc4f0b2c6
Download: download sample
Signature CoinMiner
Create hunting rule
File size:178'176 bytes
First seen:2021-07-07 17:05:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:+9vtF0Ozk97zkoF7FlKJvtNK/Iqr3ZbgMwxHHUtoGO2SDb:O4lLHUjK/3DOfs
Threatray 62 similar samples on MalwareBazaar
TLSH T1D5046D1D5F8BB8DBE4240AB558A7E7D1076DEFA5F1E1069C30E9BE3CB7924748500BA0
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ddd1b892cae78b0b9759353bc4f0b2c6
Verdict:
No threats detected
Analysis date:
2021-07-07 17:08:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b7672fdc-f69c-4aca-9456-e77dc3f8928c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170261/
Detection(s):
Win.Dropper.Generic-7113183-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6cf25c03-685b-4fcc-9851-04a643a9dd74
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813040
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445451 Sample: Lr2Hm9rVac Startdate: 07/07/2021 Architecture: WINDOWS Score: 100 70 Sigma detected: Xmrig 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Yara detected Xmrig cryptocurrency miner 2->74 76 5 other signatures 2->76 8 Lr2Hm9rVac.exe 9 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 9 1 2->14         started        17 8 other processes 2->17 process3 dnsIp4 54 C:\Users\user\AppData\...\smssmanagment.exe, PE32+ 8->54 dropped 56 C:\...\smssmanagment.exe:Zone.Identifier, ASCII 8->56 dropped 58 C:\Users\user\AppData\...\Lr2Hm9rVac.exe.log, ASCII 8->58 dropped 60 C:\Users\user\AppData\...\sihost64.exe, PE32+ 8->60 dropped 88 Sample is not signed and drops a device driver 8->88 19 smssmanagment.exe 14 5 8->19         started        23 cmd.exe 1 8->23         started        25 sihost64.exe 1 8->25         started        90 Changes security center settings (notifications, updates, antivirus, firewall) 12->90 27 MpCmdRun.exe 12->27         started        68 127.0.0.1 unknown unknown 14->68 file5 signatures6 process7 dnsIp8 64 194.147.142.230, 42040, 49717, 49720 PTPEU unknown 19->64 78 Machine Learning detection for dropped file 19->78 80 Injects code into the Windows Explorer (explorer.exe) 19->80 82 Writes to foreign memory regions 19->82 86 3 other signatures 19->86 29 explorer.exe 19->29         started        33 cmd.exe 1 19->33         started        84 Uses schtasks.exe or at.exe to add and modify task schedules 23->84 35 cmd.exe 23->35         started        37 conhost.exe 23->37         started        39 schtasks.exe 1 23->39         started        41 smssmanagment.exe 3 25->41         started        44 conhost.exe 27->44         started        signatures9 process10 dnsIp11 66 pastebin.com 104.23.98.190, 443, 49721 CLOUDFLARENETUS United States 29->66 92 System process connects to network (likely due to code injection or exploit) 29->92 94 Query firmware table information (likely to detect VMs) 29->94 96 Tries to detect sandboxes and other dynamic analysis tools (window names) 29->96 46 conhost.exe 33->46         started        48 schtasks.exe 1 33->48         started        50 conhost.exe 35->50         started        52 schtasks.exe 35->52         started        62 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 41->62 dropped file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-07 17:06:06 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ne22obwym2nrudkg2sftfhkuuwxmkpmx53f7zdkuu4cllxvnzla._file
Verdict:
malicious
Similar samples:
06ae265d022abb3efb56a9aaf1b4cbee322817434b6dbebd93afa4e2869a2236
CoinMiner
1ed5337566938228ee9afcad29b1f722d55f4f8172a3157af4d4ad913541b2ea
CoinMiner
357a1d94af889c7d73ca1a767222066f3550e007c7f52d3f83895fc5bf2e17b6
CoinMiner
64ddaec35ffff60526ab760aea8d1a631a5c1b77c18d6054a1d36e95a7e4c8b1
CoinMiner
995ab2c020f8d8ac61c6c5e2bfdd383f2134a6463ea2ba218337b80b639e13cd
CoinMiner
a8288077dd8efe988232bbcc8519f636f097795cd34d87963ea61ac712336d1a
CoinMiner
e8c4bcdcf46f101cc7126f7bde6955f6a971d06dc2bea9f6499594b475b091e2
CoinMiner
f89110f497e2a39c3fc34329b16e5528564bae652fda61cd07410b27e046fdf3
CoinMiner
f970fb9186f287b64997d76b1d4ddc5121b42e4bf697734ae1855a641e95b923
CoinMiner
feb12de92aa1536ba75f69b41bf74cc3bd8438df7eb0f0705ebbd1de73994624
CoinMiner
+ 52 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/210707-gp1fnt4w4a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56
MD5 hash:
ddd1b892cae78b0b9759353bc4f0b2c6
SHA1 hash:
29b088bc617ce93293700232ba864ecc4e5c5493
Link:
https://www.unpac.me/results/0116cd28-b465-4baa-8935-5a938d0452e9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1094014/
Cape
Cape
https://www.capesandbox.com/analysis/170261/

Comments


Avatar
zbet commented on 2021-07-07 17:05:35 UTC

url : hxxp://194.147.142.230/download/activation.exe