MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03d65713f4af0362ffbabf2ac5a0eedbbb640e47b501e939d08080c86d083afd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03d65713f4af0362ffbabf2ac5a0eedbbb640e47b501e939d08080c86d083afd
SHA3-384 hash: 66c1567bd1286dbaab73789a35822989f6d6fb8d770b4c8f246d290306a56f1695ed68f9d8beeda95957bd03d33ca741
SHA1 hash: f5a3eba9b5a59b4f385db489578a4315988f426d
MD5 hash: fc59789c6a2c12296150feaa71405291
humanhash: papa-magnesium-west-robert
File name:fc59789c6a2c12296150feaa71405291
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'514'907 bytes
First seen:2022-06-17 17:38:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:pYk1173Zyi7kg1FxNxwQHu4AOeeLVs4GN041pHC4ucztobtGHd2wGERg2:7kGFCQWOe7N04W49MPTER7
TLSH T14A262301B1D48032E2E677351F20E7705B3A7D906A38C61AA3F85D5BB7BF5836A31762
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 34b4038998000180 (5 x CoinMiner)
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
391
Origin country :
n/a
Vendor Threat Intelligence
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/281039/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Creating a file in the %AppData% directory
Creating a service
Launching a service
Loading a system driver
Launching a tool to kill processes
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21757/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/62acbc1d473553ed319a138e/reports/4ca22f81-ba21-41c8-8e9c-c2be720076f0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0919e371-6eb2-43f9-a7aa-f4f1a2523d1e
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
adwa.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1015401
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Drops PE files with benign system names
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 647897 Sample: 6LcKWBGpsJ Startdate: 17/06/2022 Architecture: WINDOWS Score: 100 62 www-bing-com.dual-a-0001.a-msedge.net 2->62 64 soloformin.linkpc.net 2->64 66 dual-a-0001.dc-msedge.net 2->66 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 74 Antivirus detection for dropped file 2->74 76 10 other signatures 2->76 11 6LcKWBGpsJ.exe 3 22 2->11         started        15 svchost.exe 2->15         started        17 svchost.exe 2->17         started        20 7 other processes 2->20 signatures3 process4 dnsIp5 52 C:\Users\user\AppData\Roaming\...\wininit.exe, PE32+ 11->52 dropped 54 C:\Users\user\AppData\...\services.exe, PE32 11->54 dropped 56 C:\Users\user\AppData\...\WinRing0x64.sys, PE32+ 11->56 dropped 58 2 other malicious files 11->58 dropped 78 Sample is not signed and drops a device driver 11->78 80 Drops PE files with benign system names 11->80 22 wscript.exe 1 11->22         started        82 Changes security center settings (notifications, updates, antivirus, firewall) 15->82 24 MpCmdRun.exe 15->24         started        60 127.0.0.1 unknown unknown 17->60 file6 signatures7 process8 process9 26 cmd.exe 2 22->26         started        28 conhost.exe 24->28         started        process10 30 services.exe 26->30         started        33 AudioClip.exe 26->33         started        36 wscript.exe 26->36         started        38 13 other processes 26->38 file11 94 Antivirus detection for dropped file 30->94 96 Multi AV Scanner detection for dropped file 30->96 98 Machine Learning detection for dropped file 30->98 104 3 other signatures 30->104 40 cvtres.exe 30->40         started        50 C:\Users\user\AppData\...\AudioClip.exe, PE32 33->50 dropped 100 Detected unpacking (overwrites its own PE header) 33->100 102 Drops PE files to the startup folder 33->102 42 cmd.exe 36->42         started        signatures12 process13 process14 44 wininit.exe 42->44         started        48 conhost.exe 42->48         started        dnsIp15 68 updatebss.linkpc.net 64.235.37.55, 3333, 49748 PREMIANETUS United States 44->68 84 Antivirus detection for dropped file 44->84 86 Multi AV Scanner detection for dropped file 44->86 88 Query firmware table information (likely to detect VMs) 44->88 90 Machine Learning detection for dropped file 44->90 signatures16 92 Detected Stratum mining protocol 68->92
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03d65713f4af0362ffbabf2ac5a0eedbbb640e47b501e939d08080c86d083afd/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2022-06-10 06:41:41 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aplfoe7uv4bwf752x4vmliho3o5widshwua6sooqqcamq3iihl6q._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence upx
Link:
https://tria.ge/reports/220617-v7qczscggl/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Deletes itself
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
5cdcc543edc61ca41c2688f6e6c4d34de130082843b8e9fc98f82e76ca8cf987
MD5 hash:
d788f3d85fbf82b0be3eef97bf794394
SHA1 hash:
4d06766af550825d7bba89c1e8943d51cfdaa728
Link:
https://www.unpac.me/results/59c08607-e257-43ff-92fe-2ed12257fecc/
SH256 hash:
c6c9fa85c00f39e65e4c138769d548ffd82a7baa5a999ab4cbf1ee1f03140742
MD5 hash:
3cd4761209f02dea4a09aeaa8e3ff554
SHA1 hash:
a750d5958976661d082d5df133587aa2c5db3f88
Link:
https://www.unpac.me/results/59c08607-e257-43ff-92fe-2ed12257fecc/
SH256 hash:
03d65713f4af0362ffbabf2ac5a0eedbbb640e47b501e939d08080c86d083afd
MD5 hash:
fc59789c6a2c12296150feaa71405291
SHA1 hash:
f5a3eba9b5a59b4f385db489578a4315988f426d
Link:
https://www.unpac.me/results/59c08607-e257-43ff-92fe-2ed12257fecc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03d65713f4af0362ffbabf2ac5a0eedbbb640e47b501e939d08080c86d083afd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 03d65713f4af0362ffbabf2ac5a0eedbbb640e47b501e939d08080c86d083afd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2242484/
Cape
Cape
https://www.capesandbox.com/analysis/281039/

Comments


Avatar
zbet commented on 2022-06-17 17:38:14 UTC

url : hxxp://web1705.ath.cx/01actfinal5.exe