MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 200fade8a686306db978fb4092b3dff5793f6fbafdfd216b2c3973393aa2619a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 200fade8a686306db978fb4092b3dff5793f6fbafdfd216b2c3973393aa2619a
SHA3-384 hash: 77ce674b23bbf6b949837c279886e2b27fac702227b984f14afe9d1cfaa81f3dfb0ecedcc9bd5d806af4a913664b0dbb
SHA1 hash: 12fefeb64f3b4baa52b0c65c46b8300362f9a3d1
MD5 hash: be8ead9cbbf77df8a6f7162457b4d02f
humanhash: blossom-kilo-tango-eighteen
File name:67050114.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'879'360 bytes
First seen:2022-03-23 04:49:58 UTC
Last seen:2022-03-23 07:11:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 98304:FSp3x8nLNKywGJtre3C+ES0zzIui3qrIKRIrSWadiTAsAm3GWQx:0phULNKNOtreylDXY3CfIrSWvAm3GWQx
Threatray 2'037 similar samples on MalwareBazaar
TLSH T1A73633E91287227FCAD142B5FA826B2160259A5F0037B24F35DDBD8D18A79F0D690BF4
Reporter adm1n_usa32
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/255300/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.19010.29538.10409.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Running batch commands
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the %temp% subdirectories
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Possible injection to a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/10634/overview
Behaviour
MalwareBazaar
CallSleep
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/623aa7070cd58dbd92dcbc16/reports/43f27bca-8dd4-4a31-890e-4e59e30b0822/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962364
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Sigma detected: File Created with System Process Name
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: System File Execution Location Anomaly
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 594844 Sample: 67050114.exe Startdate: 23/03/2022 Architecture: WINDOWS Score: 100 76 Antivirus / Scanner detection for submitted sample 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Yara detected BitCoin Miner 2->80 82 10 other signatures 2->82 11 67050114.exe 2->11         started        14 powershell.exe 20 2->14         started        16 services.exe 2->16         started        18 powershell.exe 6 2->18         started        process3 signatures4 100 Uses nslookup.exe to query domains 11->100 102 Writes to foreign memory regions 11->102 104 Allocates memory in foreign processes 11->104 20 nslookup.exe 7 11->20         started        106 Creates files in the system32 config directory 14->106 108 Modifies the context of a thread in another process (thread injection) 14->108 110 Found suspicious powershell code related to unpacking or dynamic code loading 14->110 112 Injects a PE file into a foreign processes 14->112 24 dllhost.exe 14->24         started        26 conhost.exe 14->26         started        114 Antivirus detection for dropped file 16->114 116 Multi AV Scanner detection for dropped file 16->116 118 Creates a thread in another existing process (thread injection) 16->118 28 nslookup.exe 16->28         started        30 conhost.exe 18->30         started        process5 file6 72 C:\Users\user\AppData\Local\...\services.exe, PE32+ 20->72 dropped 74 C:\Users\...\services.exe:Zone.Identifier, ASCII 20->74 dropped 90 Uses nslookup.exe to query domains 20->90 92 Modifies the context of a thread in another process (thread injection) 20->92 94 Drops PE files with benign system names 20->94 32 cmd.exe 20->32         started        34 cmd.exe 1 20->34         started        37 cmd.exe 20->37         started        43 2 other processes 20->43 96 Writes to foreign memory regions 24->96 98 Injects a PE file into a foreign processes 24->98 39 winlogon.exe 24->39 injected 41 conhost.exe 28->41         started        signatures7 process8 signatures9 45 services.exe 32->45         started        48 conhost.exe 32->48         started        84 Encrypted powershell cmdline option found 34->84 86 Uses schtasks.exe or at.exe to add and modify task schedules 34->86 50 powershell.exe 23 34->50         started        52 powershell.exe 18 34->52         started        54 conhost.exe 34->54         started        56 conhost.exe 37->56         started        58 schtasks.exe 37->58         started        process10 signatures11 120 Uses nslookup.exe to query domains 45->120 122 Writes to foreign memory regions 45->122 124 Allocates memory in foreign processes 45->124 126 Creates a thread in another existing process (thread injection) 45->126 60 nslookup.exe 45->60         started        process12 process13 62 cmd.exe 60->62         started        65 conhost.exe 60->65         started        signatures14 128 Encrypted powershell cmdline option found 62->128 67 powershell.exe 62->67         started        70 conhost.exe 62->70         started        process15 signatures16 88 Found suspicious powershell code related to unpacking or dynamic code loading 67->88
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/200fade8a686306db978fb4092b3dff5793f6fbafdfd216b2c3973393aa2619a/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 17:27:50 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
27 of 42 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3a40d13ba6b30c31d8d5380b61806ec76355f4c10a3c242eff71ddc020907be7
CoinMiner
4533be3c5e3a43774233b4c8216cf5723f2968adc86f33a20bc487566bc69375
CoinMiner
596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199
CoinMiner
6f8683626e582db605ecdcafea662267c998b5f7066759867aa4f7db5dc71599
CoinMiner
90daff6ddaed3c5624b21e62f402c98e46d1fac4839ea42cc85ed7cfb50e95a0
CoinMiner
955bce112c0abfd0b1c695f51f3300bc2ff9cfc85bcae914abd435d564432c86
CoinMiner
af5c1edc2e290ba4ecafee0f7f5b02182e5df7672ce8004ba3bafd320f2592f3
CoinMiner
b3af5a1af48b27b5ac7647d5bf81941c9abf6be899372119cb5eb887026e1409
CoinMiner
d48303d7682c1be689d10541e6b1976cff2a0f1af7423d47213ed877cdd0feaf
CoinMiner
ff8f62e6964487e861a3ed16e6cb69438a9a33e2d47c1ebe966aa116b7a82258
CoinMiner
+ 2'027 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220323-fga32sbhdq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
200fade8a686306db978fb4092b3dff5793f6fbafdfd216b2c3973393aa2619a
MD5 hash:
be8ead9cbbf77df8a6f7162457b4d02f
SHA1 hash:
12fefeb64f3b4baa52b0c65c46b8300362f9a3d1
Link:
https://www.unpac.me/results/ae154574-d64b-4709-8a26-cc40f1cb5ed8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/200fade8a686306db978fb4092b3dff5793f6fbafdfd216b2c3973393aa2619a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 200fade8a686306db978fb4092b3dff5793f6fbafdfd216b2c3973393aa2619a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2072824/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/255300/

Comments