MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05ab3b9e248a30ce63b15ff929a8ba5f7099f5cc3618ea9f297515d59cb004e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05ab3b9e248a30ce63b15ff929a8ba5f7099f5cc3618ea9f297515d59cb004e6
SHA3-384 hash: 1adea952f90ce7447abfe000f5e7fbf2f273f5c90f2dda7bb2501925799f3ceebcbf746bac71b2b98dc2610715057be1
SHA1 hash: 6cd5ba1c6dbf988cdef111a21ba4f5bfabb2ae30
MD5 hash: dc1db19dc72e4fc4dd1b96d694d37eca
humanhash: hawaii-bacon-minnesota-gee
File name:dc1db19dc72e4fc4dd1b96d694d37eca
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'608 bytes
First seen:2021-11-11 01:37:41 UTC
Last seen:2021-11-11 05:24:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4bfde1223391e32fec766cd1d41fa3e7 (7 x CoinMiner, 1 x BitRAT, 1 x QuasarRAT)
ssdeep 48:6X++ZGWjJaqoTogDK/ZC045XVnymSjtEp334fe9M0tKerZv8B13aLlzUR:2ZGmQqoTV+kPSC5YCkv3aLlYR
Threatray 44 similar samples on MalwareBazaar
TLSH T16691D8DBEA588E3AC11B40363E324635A7B2C363254047B7E69C18B5DBC4C559C1B30C
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://u.to/_fO7Gw
Verdict:
Malicious activity
Analysis date:
2021-11-10 22:09:42 UTC
Tags:
trojan rat redline stealer loader raccoon
Link:
https://app.any.run/tasks/73748987-0c5f-4cba-a717-59c92427f623

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/204897/
Detection(s):
SecuriteInfo.com.Variant.Zusy.401118.31846.3824.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/618c7400dec3347825a1a495/reports/ce1231da-cb89-4ae8-88f5-3d47075cc737/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1155a5d0-fd9b-44b8-b141-acb5bb173eeb
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/887207
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Telegram Recon
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 519680 Sample: 7KojtbUld6 Startdate: 11/11/2021 Architecture: WINDOWS Score: 100 89 Multi AV Scanner detection for domain / URL 2->89 91 Antivirus detection for URL or domain 2->91 93 Sigma detected: Powershell download and execute file 2->93 95 6 other signatures 2->95 12 7KojtbUld6.exe 2->12         started        15 services32.exe 2->15         started        process3 signatures4 129 Adds a directory exclusion to Windows Defender 12->129 17 cmd.exe 1 12->17         started        131 Multi AV Scanner detection for dropped file 15->131 133 Writes to foreign memory regions 15->133 135 Allocates memory in foreign processes 15->135 137 Creates a thread in another existing process (thread injection) 15->137 20 conhost.exe 15->20         started        process5 file6 81 Suspicious powershell command line found 17->81 83 Tries to download and execute files (via powershell) 17->83 85 Adds a directory exclusion to Windows Defender 17->85 23 powershell.exe 17->23         started        25 powershell.exe 17->25         started        27 powershell.exe 24 17->27         started        32 4 other processes 17->32 73 C:\Windows\System32\...\sihost32.exe, PE32+ 20->73 dropped 87 Drops executables to the windows directory (C:\Windows) and starts them 20->87 30 sihost32.exe 20->30         started        signatures7 process8 dnsIp9 36 kolop.exe 23->36         started        39 kolopp.exe 25->39         started        117 Uses schtasks.exe or at.exe to add and modify task schedules 27->117 119 Powershell drops PE file 27->119 121 Multi AV Scanner detection for dropped file 30->121 123 Writes to foreign memory regions 30->123 125 Allocates memory in foreign processes 30->125 127 Creates a thread in another existing process (thread injection) 30->127 42 conhost.exe 30->42         started        75 antivirf.ru 81.177.141.85, 443, 49741, 49742 RTCOMM-ASRU Russian Federation 32->75 69 C:\Users\user\AppData\Roaming\kolopp.exe, PE32 32->69 dropped 71 C:\Users\user\AppData\Roaming\kolop.exe, PE32+ 32->71 dropped 44 conhost.exe 32->44         started        46 schtasks.exe 32->46         started        file10 signatures11 process12 dnsIp13 97 Multi AV Scanner detection for dropped file 36->97 99 Writes to foreign memory regions 36->99 101 Allocates memory in foreign processes 36->101 103 Creates a thread in another existing process (thread injection) 36->103 48 conhost.exe 36->48         started        77 ip-api.com 208.95.112.1, 49745, 80 TUT-ASUS United States 39->77 79 api.telegram.org 149.154.167.220, 443, 49746 TELEGRAMRU United Kingdom 39->79 105 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->105 107 May check the online IP address of the machine 39->107 51 conhost.exe 39->51         started        signatures14 process15 file16 67 C:\Windows\System32\services32.exe, PE32+ 48->67 dropped 53 cmd.exe 48->53         started        56 cmd.exe 48->56         started        process17 signatures18 109 Drops executables to the windows directory (C:\Windows) and starts them 53->109 58 services32.exe 53->58         started        61 conhost.exe 53->61         started        process19 signatures20 111 Writes to foreign memory regions 58->111 113 Allocates memory in foreign processes 58->113 115 Creates a thread in another existing process (thread injection) 58->115 63 conhost.exe 58->63         started        65 BackgroundTransferHost.exe 58->65         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05ab3b9e248a30ce63b15ff929a8ba5f7099f5cc3618ea9f297515d59cb004e6/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-11-08 17:32:08 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
097798527e285d8896d8099ec86d8e5105b0f135337efc8cd4e3e1e3ec6532e1
CoinMiner
1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57
CoinMiner
44d35218b3d50c6bde65093678b72db54e9a89fc28dfe391abb3e128571cec44
CoinMiner
56e4f127f991f0ff867fc403eb857ee685c3c4b67c52695d5b8194e085aa1502
CoinMiner
5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c
CoinMiner
995b8ffae8a66e17203565b09cbc2dc46d3e9ae0e61c31de29a3653430f4eda5
CoinMiner
a6e69af95b2cfafbdc192c5c34d065b8e51925534824be3d432c1e2a17375289
CoinMiner
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/211111-b2d8zsaef9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Looks up external IP address via web service
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Malware Config
Dropper Extraction:
https://antivirf.ru/kolop.exe
https://antivirf.ru/kolopp.exe
Unpacked files
SH256 hash:
05ab3b9e248a30ce63b15ff929a8ba5f7099f5cc3618ea9f297515d59cb004e6
MD5 hash:
dc1db19dc72e4fc4dd1b96d694d37eca
SHA1 hash:
6cd5ba1c6dbf988cdef111a21ba4f5bfabb2ae30
Link:
https://www.unpac.me/results/0f62cd8a-9eea-4163-8195-aea1001d0a89/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05ab3b9e248a30ce63b15ff929a8ba5f7099f5cc3618ea9f297515d59cb004e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 05ab3b9e248a30ce63b15ff929a8ba5f7099f5cc3618ea9f297515d59cb004e6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1775154/
Cape
Cape
https://www.capesandbox.com/analysis/204897/

Comments


Avatar
zbet commented on 2021-11-11 01:37:42 UTC

url : hxxp://antivirf.ru/kolopl.exe