MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 097ba0ebd6a50a4d1ab371359c0e5a0e5270a8b224c8264e48ac26b4f0e3bb81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 8



SHA256 hash: 097ba0ebd6a50a4d1ab371359c0e5a0e5270a8b224c8264e48ac26b4f0e3bb81
SHA3-384 hash: d622ff9b93844af612450cc0215b96a9c29b5585623c26093b50ec0180b7e391a5adb2137184bc5e5d664c9b35109d82
SHA1 hash: a25bfb7e6e83aebd04aa2faea8decca35c9aa857
MD5 hash: 0a9248bdc0e371db9abd778e5e8f1072
humanhash: august-comet-romeo-hotel
File name: 0a9248bdc0e371db9abd778e5e8f1072
Signature: CoinMiner
File size: 3'273'672 bytes
First seen: 2022-03-23 01:46:59 UTC
Last seen: 2022-03-25 07:00:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4e4095a0d90406c8428c5d9a9c6b05b7 (26 x CoinMiner, 4 x CoinMiner.XMRig)
ssdeep: 49152:Z2vghz1M12jMPYXFsS3UYbQrUmIpOVKOb22FCZ/mfRolq6tVzusdATsB/jJ7NJtr:ZhJQ2jMPWRCCIhjUHATE7NHbH
Threatray: 49 similar samples on MalwareBazaar
TLSH: T14CE501FD6248336CC05A88788533FD05B1B6921F4AE5D4AA76DBBAC07BDF400DA46F46
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 271
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 0/10
Tags: n/a
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [behavior graph image not rendered in text; Behavior Graph ID: 594737, Sample: ky6v4BBJMN, Start date: 23/03/2022, Architecture: WINDOWS, Score: 100]
Threat name: Win64.Backdoor.Androm
Status: Malicious
First seen: 2022-03-22 16:01:28 UTC
File Type: PE+ (Exe)
AV detection: 18 of 25 (72.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence upx
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
UPX packed file
Unpacked files
SHA256 hash: 097ba0ebd6a50a4d1ab371359c0e5a0e5270a8b224c8264e48ac26b4f0e3bb81
MD5 hash: 0a9248bdc0e371db9abd778e5e8f1072
SHA1 hash: a25bfb7e6e83aebd04aa2faea8decca35c9aa857
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
CoinMiner
Executable exe 097ba0ebd6a50a4d1ab371359c0e5a0e5270a8b224c8264e48ac26b4f0e3bb81 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2022-03-23 01:47:03 UTC

url : hxxp://37.120.222.60/mysite/catimages/207.exe