We noticed honeyhashx86.exe (32 bit) in Task Manager running in the background and did not recognize it. It seems too obvious to be malware but we did find more than one website which claimed it was a “Trojan Coin Miner”. They were wrong.
What is Honeyhashx86.exe?
honeyhashx86.exe is not malware. honeyhashx86.exe is a program that stores meaningless fake user credentials in memory, where malware detection software can easily monitor them. If the malware detection software sees a program trying to access those credentials in memory, it knows the program is malicious and will kill it. If any program or user tries to use those credentials, it will block them and raise an alert that something malicious just happened so IT admins can investigate further.
Honeyhash is what the security industry calls a Honey Pot.
What is a Honey Pot?
A Honey Pot is something put out in the open for malware and hackers to attack. When they do, malware detection software stops that program’s processes and usually prevents it from starting up again.
What Software Uses Honeyhash?
Honeyhash could be used by many antivirus and malware detection companies, but we have only seen it in Stealthbits (now Netwrix) and Rapid7.
If you look at THIS article you will see they have dozens of honeyhashx86.exe versions listed and that they all point to a Rapid7 folder:
C:\Program Files\Rapid7\Insight Agent\components\insight_agent\[version number]\honeyhashx86.exe
Is HoneyHashx86 A Virus / Malware / Malicious?
It is unlikely that honeyhash is a virus or malware but it could be. Hackers often use the names of known programs to obfuscate their programs. To decide if your honeyhashx86 is malware or not, you need to determine where it is running from:
- Open TASK MANAGER
- On the PROCESSES tab, scroll down until you find honeyhashx86.exe
- RIGHT CLICK on honeyhashx86.exe
- Select OPEN FILE LOCATION to see the folder it is running in
If honeyhash is running from a folder you expect, like Rapid7 or McAfee, then it is likely not malware. If honeyhash is running from a temp folder or some other questionable location, it probably is malware.
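The same location check can be scripted so it covers every running copy at once. This PowerShell is an added example, not code from Rapid7 or from the article it references; the expected folder is the Rapid7 path quoted above (add other vendors' folders if you use them), Test-HoneyhashPath is a helper name made up for this example, and the signature check is an extra step beyond the Task Manager procedure.

```powershell
# Added example: report where each honeyhashx86.exe process is running from.
# Expected folder = the Rapid7 path quoted in this article (assumption: default install).
$expectedRoot = 'C:\Program Files\Rapid7\Insight Agent\components\insight_agent'

# Hypothetical helper: true only if $Path really lives under $Root.
function Test-HoneyhashPath {
    param([string]$Path, [string]$Root = $expectedRoot)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Normalize first so '..' segments cannot fake the expected prefix.
    $full     = [System.IO.Path]::GetFullPath($Path)
    $rootFull = [System.IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
    return $full.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)
}

$procs = Get-CimInstance Win32_Process -Filter "Name = 'honeyhashx86.exe'"
if (-not $procs) { Write-Output 'No honeyhashx86.exe process is running.' }

foreach ($p in $procs) {
    # ExecutablePath is empty when the shell lacks rights to query the process.
    $path = $p.ExecutablePath
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        ProcessId       = $p.ProcessId
        ParentProcessId = $p.ParentProcessId
        Path            = if ($path) { $path } else { '<unreadable: rerun as administrator>' }
        InExpectedDir   = Test-HoneyhashPath -Path $path
        # 'Valid' means the file carries an intact, trusted Authenticode signature.
        SignatureStatus = if ($sig) { $sig.Status } else { 'Unknown' }
        Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
```

Run it from an elevated PowerShell window. A row with InExpectedDir False, or a SignatureStatus other than Valid, is the one to investigate further.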