MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06a9de0b7a1ce8a57375a10ea12f030a618e5f56d695f7e582c6ff79e7554757. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06a9de0b7a1ce8a57375a10ea12f030a618e5f56d695f7e582c6ff79e7554757
SHA3-384 hash: bc39e78c4dcb7ced98371e1e0ce94fbded65d4361c6623cd57164d3e73845d8480e12f391d4bd249c239b01626459cba
SHA1 hash: 4942a26f4ee884b8b1a6468a1632af2bad4bec8e
MD5 hash: 5cd14942d071d4913f27b73dc36c7a11
humanhash: fruit-cup-quiet-hydrogen
File name:77system.vbs
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'810 bytes
First seen:2024-04-16 22:31:54 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:4h/lhaRdU4v0rLp9dct0BLptfK00LpNtb0rLpOgJ0JLpqL9AZ/R08LpC9JMHiM3j:AOuNrN/BNj0NNtYrNOnJNqLiZ/u8NC8L
TLSH T15CA10D0AEC05BFB36D03ABA88B1B4A119DBDF83F12295045BB4CDD445F32BB061207E6
Reporter smica83
Tags:CoinMiner UKR vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/06a9de0b7a1ce8a57375a10ea12f030a618e5f56d695f7e582c6ff79e7554757
Result
Verdict:
MALICIOUS
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1427081
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses known network protocols on non-standard ports
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1427081 Sample: 77system.vbs Startdate: 17/04/2024 Architecture: WINDOWS Score: 100 76 dsahgduoi.ddns.net 2->76 78 fp2e7a.wpc.phicdn.net 2->78 80 fp2e7a.wpc.2be4.phicdn.net 2->80 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for URL or domain 2->94 96 Multi AV Scanner detection for submitted file 2->96 100 20 other signatures 2->100 9 powershell.exe 2 15 2->9         started        12 wscript.exe 1 2->12         started        signatures3 98 Uses dynamic DNS services 76->98 process4 signatures5 102 Writes to foreign memory regions 9->102 104 Modifies the context of a thread in another process (thread injection) 9->104 106 Found suspicious powershell code related to unpacking or dynamic code loading 9->106 108 Injects a PE file into a foreign processes 9->108 14 dllhost.exe 1 4 9->14         started        17 conhost.exe 9->17         started        110 Benign windows process drops PE files 12->110 112 VBScript performs obfuscated calls to suspicious functions 12->112 114 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->114 19 wscript.exe 8 12->19         started        process6 dnsIp7 132 Injects code into the Windows Explorer (explorer.exe) 14->132 134 Writes to foreign memory regions 14->134 136 Creates a thread in another existing process (thread injection) 14->136 146 2 other signatures 14->146 23 $77tor.exe 12 14->23         started        28 $77xmrig.exe 1 14->28         started        30 winlogon.exe 14->30 injected 40 23 other processes 14->40 82 dsahgduoi.ddns.net 45.88.90.68, 49705, 5000 LVLT-10753US Bulgaria 19->82 60 C:\Users\Public\Documents\...\Install.exe, PE32 19->60 dropped 62 C:\Users\Public\Documents\...\$77xmrig.exe, PE32+ 19->62 dropped 64 C:\Users\Public\Documents\...\$77tor.exe, PE32+ 19->64 dropped 66 3 other files (1 malicious) 19->66 dropped 138 System process connects to network (likely due to code injection or exploit) 19->138 140 Found strings related to Crypto-Mining 19->140 142 Found Tor onion address 19->142 144 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->144 32 Install.exe 1 19->32         started        34 cmd.exe 1 19->34         started        36 cmd.exe 1 19->36         started        38 cmd.exe 1 19->38         started        file8 signatures9 process10 dnsIp11 84 64.31.55.213 LIMESTONENETWORKSUS United States 23->84 86 37.27.30.181 UNINETAZ Iran (ISLAMIC Republic Of) 23->86 90 5 other IPs or domains 23->90 68 C:\...\unverified-microdesc-consensus.tmp, ASCII 23->68 dropped 70 C:\Windows\System32\config\...\state.tmp, ASCII 23->70 dropped 72 C:\Windows\System32\...\cached-microdescs.new, ASCII 23->72 dropped 74 2 other malicious files 23->74 dropped 116 Creates files in the system32 config directory 23->116 42 conhost.exe 23->42         started        88 127.0.0.1 unknown unknown 28->88 118 Antivirus detection for dropped file 28->118 120 Query firmware table information (likely to detect VMs) 28->120 44 conhost.exe 28->44         started        122 Multi AV Scanner detection for dropped file 32->122 124 Machine Learning detection for dropped file 32->124 126 Contains functionality to inject code into remote processes 32->126 128 Injects a PE file into a foreign processes 32->128 58 4 other processes 32->58 130 Uses cmd line tools excessively to alter registry or file data 34->130 46 conhost.exe 34->46         started        48 reg.exe 1 1 34->48         started        50 conhost.exe 36->50         started        52 reg.exe 1 1 36->52         started        54 conhost.exe 38->54         started        56 reg.exe 1 1 38->56         started        file12 signatures13 process14
Score:
7%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/06a9de0b7a1ce8a57375a10ea12f030a618e5f56d695f7e582c6ff79e7554757
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06a9de0b7a1ce8a57375a10ea12f030a618e5f56d695f7e582c6ff79e7554757/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2024-04-16 11:27:02 UTC
File Type:
Text (VBS)
AV detection:
7 of 23 (30.43%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2u54c32dtukk43vuehkclydbjqy4x2w22k7pzmcy37xtz2vi5lq._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/240416-2fx23sfh71/
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Suspicious use of NtCreateUserProcessOtherParentProcess
XMRig Miner payload
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06a9de0b7a1ce8a57375a10ea12f030a618e5f56d695f7e582c6ff79e7554757

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Visual Basic Script (vbs) vbs 06a9de0b7a1ce8a57375a10ea12f030a618e5f56d695f7e582c6ff79e7554757

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2814197/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2814198/

Comments