MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02a6c3107c222062f0102daa96954f22d2af742dfecf45477478a243799301a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02a6c3107c222062f0102daa96954f22d2af742dfecf45477478a243799301a0
SHA3-384 hash: 04f044ae87e7e292fe3fff08c6c4a48d0e1902b881ee0cf3f74e797545581bcc7c3d251ac03245f6cc9fc5ba4d67d3eb
SHA1 hash: cd1daceca01eb35e55163df7da35eb3727bb8e24
MD5 hash: f5eacf2d72f9e9b7d263ddb7b2417180
humanhash: johnny-arkansas-blossom-oranges
File name:f5eacf2d72f9e9b7d263ddb7b2417180
Download: download sample
Signature CoinMiner
Create hunting rule
File size:87'040 bytes
First seen:2022-01-02 18:19:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:lT7xlGO3Tn6+G6IlI0mb8Pa6WDSYwADP5yK/9qo2vwsN0:lT7xgOj6+Gp5WDSuDti+
Threatray 38 similar samples on MalwareBazaar
TLSH T132834C2E3615C5E4F84C83B56B26DB0B168F7C432242052639B2B7B94B387D7C95F9D8
File icon (PE):PE icon
dhash icon 8883b69d19c6c3c0 (38 x GuLoader, 6 x RemcosRAT, 6 x VIPKeylogger)
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f5eacf2d72f9e9b7d263ddb7b2417180
Verdict:
Suspicious activity
Analysis date:
2022-01-02 18:20:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/45d040e3-d47f-4a00-8bc4-6008a36f77cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217097/
Detection(s):
SecuriteInfo.com.Variant.Strictor.267254.26069.10292.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61d1ec9b7837ada941a82fec/reports/0eab8eb3-2f14-43e3-999d-68dcccf5a546/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6276fe33-bf9c-40e7-baf6-5671ef8a93db
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914666
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates multiple autostart registry keys
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: Xmrig
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 547144 Sample: p9rcfiyHw8 Startdate: 02/01/2022 Architecture: WINDOWS Score: 100 77 cdn.discordapp.com 2->77 103 Sigma detected: Xmrig 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 Multi AV Scanner detection for dropped file 2->107 109 10 other signatures 2->109 9 p9rcfiyHw8.exe 15 6 2->9         started        14 svchost.exe 2->14         started        16 DriversUpdateProcess_x64.exe 2->16         started        18 13 other processes 2->18 signatures3 process4 dnsIp5 85 cdn.discordapp.com 162.159.133.233, 443, 49743, 49779 CLOUDFLARENETUS United States 9->85 69 C:\Users\user\AppData\...\p9rcfiyHw8.exe, PE32 9->69 dropped 71 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 9->71 dropped 73 C:\Users\...\p9rcfiyHw8.exe:Zone.Identifier, ASCII 9->73 dropped 75 C:\Users\user\AppData\...\p9rcfiyHw8.exe.log, ASCII 9->75 dropped 119 Writes to foreign memory regions 9->119 121 Allocates memory in foreign processes 9->121 123 Injects a PE file into a foreign processes 9->123 20 p9rcfiyHw8.exe 2 12 9->20         started        25 AdvancedRun.exe 1 9->25         started        27 AdvancedRun.exe 1 9->27         started        125 Changes security center settings (notifications, updates, antivirus, firewall) 14->125 29 MpCmdRun.exe 1 14->29         started        87 192.168.2.1 unknown unknown 18->87 file6 signatures7 process8 dnsIp9 79 checkip.dyndns.org 20->79 81 checkip.dyndns.com 132.226.8.169, 49777, 80 UTMEMUS United States 20->81 83 2 other IPs or domains 20->83 61 C:\Users\user\...\System_Settings_Broker.exe, PE32+ 20->61 dropped 63 C:\...\Antimalware_Service_Executable.exe, PE32 20->63 dropped 65 C:\Users\user\AppData\...\Anti_Invoker.exe, PE32+ 20->65 dropped 67 2 other malicious files 20->67 dropped 111 Multi AV Scanner detection for dropped file 20->111 113 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->113 115 May check the online IP address of the machine 20->115 117 2 other signatures 20->117 31 System_Settings_Broker.exe 20->31         started        35 Antimalware_Service_Executable.exe 20->35         started        37 cmd.exe 20->37         started        45 3 other processes 20->45 39 AdvancedRun.exe 25->39         started        41 AdvancedRun.exe 27->41         started        43 conhost.exe 29->43         started        file10 signatures11 process12 dnsIp13 89 xmr.2miners.com 51.89.96.41, 2222, 49782 OVHFR France 31->89 91 Antivirus detection for dropped file 31->91 93 Multi AV Scanner detection for dropped file 31->93 95 Query firmware table information (likely to detect VMs) 31->95 47 conhost.exe 31->47         started        97 Machine Learning detection for dropped file 35->97 99 Uses schtasks.exe or at.exe to add and modify task schedules 37->99 49 conhost.exe 37->49         started        51 schtasks.exe 37->51         started        53 conhost.exe 45->53         started        55 schtasks.exe 45->55         started        57 conhost.exe 45->57         started        59 schtasks.exe 45->59         started        signatures14 101 Detected Stratum mining protocol 89->101 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02a6c3107c222062f0102daa96954f22d2af742dfecf45477478a243799301a0/
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2022-01-01 21:50:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aktmged4eiqgf4aqfwvjnfkpeljk65bn73hukr3upcreg6mtagqa._file
Verdict:
malicious
Similar samples:
0b47f2153c7dc74c974cb865e32c121133a7c1740d0e09ee819a4823c0712241
CoinMiner
0e16268b5f26f1f7314bb1b21bb246b99ee4fd6e000818edc94f7efa67964a4d
CoinMiner
2cfa6e09ec6ebc184774238d6a497df43c5eed8c2c03e86e830400c8b7fc4ced
CoinMiner
3023261456361410fc8e6f5ec4c22d0c2aa7d02fd62148de20819945e99a86a3
CoinMiner
381e9692044f46f9a850f2f35b26473a63eec1a6486585fa49f4564c21c20cd6
CoinMiner
5b8f3956ac2be07fe773d9c294e5cbad0968e7fa99c5f6fd5d184caa512c5106
CoinMiner
6be8541f9acb169414f3b10de5619404ebdf7845c21fc4451ba2dd18d1602dc1
CoinMiner
a4afda24bd6c4b504a7ff9c3cb1b54f1ecb899b8bc136809bf038afe41a44dba
CoinMiner
d6bd9bd06afd6e3464c43547fe5c41de9702c44cc21b765cf8fb41eb365b37dd
CoinMiner
+ 28 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:stormkitty family:xmrig evasion miner persistence stealer trojan
Link:
https://tria.ge/reports/220102-wx64esaff2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Windows security modification
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Detected Stratum cryptominer command
Nirsoft
XMRig Miner Payload
Modifies Windows Defender Real-time Protection settings
StormKitty
StormKitty Payload
xmrig
Unpacked files
SH256 hash:
02a6c3107c222062f0102daa96954f22d2af742dfecf45477478a243799301a0
MD5 hash:
f5eacf2d72f9e9b7d263ddb7b2417180
SHA1 hash:
cd1daceca01eb35e55163df7da35eb3727bb8e24
Link:
https://www.unpac.me/results/2caf2671-c339-4836-ab96-f4cff1a243d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/02a6c3107c222062f0102daa96954f22d2af742dfecf45477478a243799301a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 02a6c3107c222062f0102daa96954f22d2af742dfecf45477478a243799301a0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1944253/
Cape
Cape
https://www.capesandbox.com/analysis/217097/

Comments


Avatar
zbet commented on 2022-01-02 18:19:03 UTC

url : hxxp://data-host-coin-8.com/files/5189_1640998873_9495.exe