We noticed honeyhashx86.exe (32 bit) in Task Manager running in the background and did not recognize it. It seems too obvious to be malware but we did find more than one website which claimed it was a “Trojan Coin Miner”. They were wrong.
honeyhashx86.exe is not malware. honeyhashx86.exe is a program that stores meaningless fake user credentials in memory, where they are easily monitored by malware detection software. If the malware detection software sees a program trying to access those credentials in memory, it knows the program is malicious and will kill it. If any program or user tries to use those credentials, it will block them and raise an alert that something malicious just happened so IT admins can investigate further.
Honeyhash is what the security industry calls a Honey Pot.
A Honey Pot is something put out in the open for malware and hackers to attack. When they do, malware detection software stops that program’s processes and usually prevents it from starting up again.
Honeyhash could be used by many antivirus and malware detection companies, but we have only seen it in Stealthbits (now Netwrix) and Rapid7.
If you look at this article you will see they have dozens of honeyhashx86.exe versions listed and that they all point to a Rapid7 folder:
C:\Program Files\Rapid7\Insight Agent\components\insight_agent\[version number]\honeyhashx86.exe
It is unlikely that honeyhash is a virus or malware but it could be. Hackers often use the names of known programs to obfuscate their programs. To decide if your honeyhashx86 is malware or not, you need to determine where it is running from:
If honeyhash is running from a folder you expect, like Rapid7 or McAfee, then it is likely not malware. If honeyhash is running from a temp folder or some other questionable location, it probably is malware.
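One way to carry out that location check on a Windows host, as an added PowerShell example that is not part of the original article or any vendor's tooling. The expected folder is the Rapid7 path quoted above; the temp-folder list and the Authenticode signature column are assumptions added for illustration.

```powershell
# Added example: find every running honeyhashx86.exe and judge it by its folder.
# Expected root is the Rapid7 path quoted in the article; add other vendors' folders as needed.
$expectedRoots = @(
    'C:\Program Files\Rapid7\Insight Agent\components\insight_agent\'
)
# Locations treated as questionable (assumption: user and system temp folders).
$suspectRoots = @($env:TEMP, "$env:SystemRoot\Temp") | Where-Object { $_ }

function Test-UnderRoot([string]$Path, [string[]]$Roots) {
    # Case-insensitive prefix match, since Windows paths are not case-sensitive.
    foreach ($r in $Roots) {
        if ($Path.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$procs = Get-CimInstance Win32_Process -Filter "Name = 'honeyhashx86.exe'"
if (-not $procs) { Write-Output 'No honeyhashx86.exe process is running.'; return }

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) {
        # ExecutablePath is empty when the caller lacks rights to query the process.
        [pscustomobject]@{ ProcessId = $p.ProcessId; Path = $null
                           Signature = $null; Signer = $null
                           Verdict = 'Unknown: rerun from an elevated prompt' }
        continue
    }

    # The signature is extra evidence beyond the folder test described in the article.
    $sig = Get-AuthenticodeSignature -FilePath $path

    if (Test-UnderRoot $path $suspectRoots) {
        $verdict = 'Investigate: running from a temp folder'
    } elseif ((Test-UnderRoot $path $expectedRoots) -and $sig.Status -eq 'Valid') {
        $verdict = 'Expected folder, valid signature'
    } elseif (Test-UnderRoot $path $expectedRoots) {
        $verdict = 'Review: expected folder but signature is not valid'
    } else {
        $verdict = 'Review: unexpected folder'
    }

    [pscustomobject]@{ ProcessId = $p.ProcessId; Path = $path
                       Signature = $sig.Status
                       Signer    = $sig.SignerCertificate.Subject
                       Verdict   = $verdict }
}
```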