MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1701171f89917e432739335ca3db9960f49bf7616a3832b4951df3215ceb0334. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 10



SHA256 hash: 1701171f89917e432739335ca3db9960f49bf7616a3832b4951df3215ceb0334
SHA3-384 hash: c850c084d500e6606f0881bf6e36dc361cb142cd78c827b1b14ef6024de9a7bb91896d787f664c3d74dddb99b991227b
SHA1 hash: 50362ce1235a4d8b54266faff59c189006654bf4
MD5 hash: 9a7f754f0c578f171db6eb4f61798d84
humanhash: eight-virginia-crazy-ten
File name: 9a7f754f0c578f171db6eb4f61798d84
Signature: CoinMiner
File size: 2'043'904 bytes
First seen: 2021-12-24 19:36:24 UTC
Last seen: 2021-12-24 21:57:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep: 49152:OFcxEmJ97jCY0LedC3dpvmGqiRTWKQ0ahy:kchJxT0LVtrqiRTWu2y
Threatray: 190 similar samples on MalwareBazaar
TLSH: T1029533EA060D20A3D97B3B37F3238564A393B57C583DBE564039E7362C3258AD194B5B
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 181
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9a7f754f0c578f171db6eb4f61798d84
Verdict: No threats detected
Analysis date: 2021-12-24 19:39:38 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CallSleep
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: BitCoin Miner
Detection: malicious
Classification: evad.mine
Score: 96 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Svchost Process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 545065; Sample: 8Or3BOXDU1; Start date: 24/12/2021; Architecture: WINDOWS; Score: 96
Processes observed in the graph: 8Or3BOXDU1.exe, qwfqwfsf.exe, sihost32.exe, conhost.exe, cmd.exe, svchost.exe, powershell.exe
Files dropped per the graph: C:\Windows\System32\qwfqwfsf.exe (PE32+), C:\Windows\...\qwfqwfsf.exe:Zone.Identifier (ASCII), C:\Windows\System32\...\sihost32.exe (PE32+)
Signatures attached to graph nodes: Multi AV Scanner detection for submitted file; Multi AV Scanner detection for dropped file; Yara detected BitCoin Miner; Sigma detected: Powershell Defender Exclusion; Sigma detected: Suspicious Svchost Process; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Adds a directory exclusion to Windows Defender; Drops executables to the windows directory (C:\Windows) and starts them; Uses schtasks.exe or at.exe to add and modify task schedules
Threat name: Win64.Trojan.Donut
Status: Malicious
First seen: 2021-12-24 18:25:55 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 25 of 43 (58.14%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
xmrig
Unpacked files
SHA256 hash: 1701171f89917e432739335ca3db9960f49bf7616a3832b4951df3215ceb0334
MD5 hash: 9a7f754f0c578f171db6eb4f61798d84
SHA1 hash: 50362ce1235a4d8b54266faff59c189006654bf4
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256 hash: 1701171f89917e432739335ca3db9960f49bf7616a3832b4951df3215ceb0334 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-12-24 19:36:25 UTC

url : hxxp://data-file-data-7.com/files/8199_1640356676_2926.exe