MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1505d3b595d18d1b255253b080bed85334916ff81174a5685a6f3f3433cbe746. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 7



SHA256 hash: 1505d3b595d18d1b255253b080bed85334916ff81174a5685a6f3f3433cbe746
SHA3-384 hash: d8d88f3531d1e9bdfe40016571c5c909b78d76ed57c9df6110b8bcc874f37c94da1030699c94ccedd1e50786b852ce5a
SHA1 hash: dd1ee71da13d4eb2a36f6188a0db07e0e3db5dc2
MD5 hash: 728c676809c6175ee22bf4fc45ae2462
humanhash: one-carolina-nevada-island
File name: FPSbust.exe
Signature: CoinMiner
File size: 66'560 bytes
First seen: 2021-10-24 15:46:43 UTC
Last seen: 2021-10-24 17:12:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 27516fd8750f40bdecf52a1420a0296a (12 x CoinMiner)
ssdeep: 1536:HOm6ExdlvKMXaqzzdIicCNEMTLvZ/WCMazt4Oyhw:IERvpaKIicChD/MkF
Threatray: 78 similar samples on MalwareBazaar
TLSH: T12B53F1A637468D86C57D3CF582E8B0BCB386B3C5211463E981786E76AC8FC50661E34F
Reporter: tech_skeech
Tags: CoinMiner exe

Intelligence


File Origin
Number of uploads:
2
Number of downloads:
373
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Behaviour
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
[Behavior graph, ID 508255; sample FPSbust.exe; start date 24/10/2021; architecture WINDOWS; score 76. Process tree: FPSbust.exe and the dropped services32.exe and sihost32.exe, with conhost.exe, cmd.exe, schtasks and powershell.exe children; signatures on the graph match those listed above (foreign memory writes, thread injection, Defender directory exclusion, dropped PE files); network contacts to github.com, raw.githubusercontent.com and sanctam.net.]
Threat name:
Win64.Hacktool.Wovdnut
Status:
Malicious
First seen:
2021-10-24 15:47:05 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
1/5
Result
Malware family:
n/a
Score:
8/10
Tags:
n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash:
1505d3b595d18d1b255253b080bed85334916ff81174a5685a6f3f3433cbe746
MD5 hash:
728c676809c6175ee22bf4fc45ae2462
SHA1 hash:
dd1ee71da13d4eb2a36f6188a0db07e0e3db5dc2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256: 1505d3b595d18d1b255253b080bed85334916ff81174a5685a6f3f3433cbe746 (this sample)

Comments