MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1201c943fabde039739daecfd658863ed78a2d11b316e0b1ad88d7ef8f55327f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	1201c943fabde039739daecfd658863ed78a2d11b316e0b1ad88d7ef8f55327f
SHA3-384 hash:	d457dbf528a880421ae18a34c3f7fa774c9dd631e20c25ae073eec81b53354a30b315cd28fcd68bdede66019856c24e8
SHA1 hash:	aff664522ae7f3e98bd910024e44ae129923614e
MD5 hash:	aa8c990ed985ae56fb091a93b6ea1b46
humanhash:	april-river-muppet-mike
File name:	aa8c990ed985ae56fb091a93b6ea1b46.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	840'704 bytes
First seen:	2021-12-28 07:02:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a1a237efae7b52cae198b97621780788 (1 x CoinMiner)
ssdeep	24576:3sB3aLfXxvntN8tGtLy+24TFr7BHyWEYy:3sB3aLfXxvtWtGVLrTnNEY
Threatray	602 similar samples on MalwareBazaar
TLSH	T115059FE1317D83E3D0A58DB10F8A86B07AF175BC98D05B0EA1F59B2D97D23501C9C6EA
File icon (PE):
dhash icon	d4a6a494a48484a4 (65 x AgentTesla, 39 x Formbook, 8 x RemcosRAT)
Reporter	abuse_ch
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

aa8c990ed985ae56fb091a93b6ea1b46.exe

Verdict:

No threats detected

Analysis date:

2021-12-28 07:03:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c8b20b8a-a59a-4587-ae8b-45057f06a9f3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/216650/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Program Files subdirectories

Сreating synchronization primitives

Modifying an executable file

Launching a service

Searching for synchronization primitives

Creating a file in the Windows subdirectories

Modifying a system executable file

Launching a process

DNS request

Loading a system driver

Sending an HTTP POST request

Modifying a system file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Changing a file

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun for a service

Enabling autorun with the shell\open\command registry branches

Creating a file in the mass storage device

Infecting executable files

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/3379/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61cab6a9ec6c6c14a9f88242/reports/853ebf29-ac66-47f7-9980-e17cf15a9ee7/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1f379631-3252-4dfb-99ee-9880e010c8b8

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spre

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/913372

Signature

Drops executable to a common third party application directory

Infects executable files (exe, dll, sys, html)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1201c943fabde039739daecfd658863ed78a2d11b316e0b1ad88d7ef8f55327f/

Threat name:

Win64.Trojan.Kryplod

Status:

Malicious

First seen:

2021-12-27 21:59:22 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

6 of 43 (13.95%)

Threat level:

5/5

Verdict:

malicious

CoinMiner

56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce

CoinMiner

82576d0e8b54901d195af6f1f724e7689bdf1b3edac3aa51e118637163eed8f4

CoinMiner

cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5

CoinMiner

cdea3bc26665eb9e8656cf107f611f5da08afa12dc9dae129696762d959eb6dc

CoinMiner

f60d8bd3ca821e7de945f17d646654b7c0f25949aa8c6f780313925076444fc2

CoinMiner

fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be

CoinMiner

+ 592 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner persistence spyware stealer

Link:

https://tria.ge/reports/211228-hvc6nsdee3/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Adds Run key to start application

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

xmrig

Unpacked files

SH256 hash:

1201c943fabde039739daecfd658863ed78a2d11b316e0b1ad88d7ef8f55327f

MD5 hash:

aa8c990ed985ae56fb091a93b6ea1b46

SHA1 hash:

aff664522ae7f3e98bd910024e44ae129923614e

Link:

https://www.unpac.me/results/9d729725-1f85-4477-8461-ff8383440391/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1201c943fabde039739daecfd658863ed78a2d11b316e0b1ad88d7ef8f55327f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

exe 1201c943fabde039739daecfd658863ed78a2d11b316e0b1ad88d7ef8f55327f

(this sample)

Cape

https://www.capesandbox.com/analysis/216650/

URLhaus

https://urlhaus.abuse.ch/url/1927643/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample