MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7
SHA3-384 hash: 9b0db86f30c9b2ca84f78f54569e120a6022f320621eb3399fb78480bdbccceba1937677649a4c907831d4b756f0682b
SHA1 hash: 9a71a33e87bae9a612acdbc3c149bd587370cea9
MD5 hash: be582c09e0366fe632e8608a5d6f562e
humanhash: uncle-december-pennsylvania-delaware
File name:be582c09e0366fe632e8608a5d6f562e
Download: download sample
Signature CoinMiner
Create hunting rule
File size:9'354'064 bytes
First seen:2021-12-03 22:56:57 UTC
Last seen:2021-12-04 00:54:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ca1bc56825379f5b034a1b6092fa2cee (3 x CoinMiner)
ssdeep 196608:JMHNyf35OO6921Qd5Xv7aSXvfhi1yRqFCLlXdgyGDEW3HqVOAm55tav/:JSA35769B5XJfwm5RdgXqVO55u
Threatray 381 similar samples on MalwareBazaar
TLSH T1E89623FDA5A4331CC41EC834D037AC04B2B9521F12EBD9A976CFBAE02B67435DA45B46
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
be582c09e0366fe632e8608a5d6f562e
Verdict:
No threats detected
Analysis date:
2021-12-03 22:58:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7376e672-86d6-4a74-95f7-7abe7e859873

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211135/
Detection(s):
SecuriteInfo.com.Trojan.Win64.Donut.4c.32204.30306.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/703/overview
Behaviour
AntidebugCommonApi
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint greyware overlay packed stealer
Link:
https://www.filescan.io/uploads/61aaa0c14d8e6f3a5e0e342c/reports/4baa884d-46cd-4d63-8bea-438fdd7c6648/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d6c6682e-d53e-487c-941a-4dfa5e1f0098
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901204
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 533682 Sample: eB0bVEM89x Startdate: 03/12/2021 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected BitCoin Miner 2->66 68 6 other signatures 2->68 8 eB0bVEM89x.exe 5 2->8         started        12 NvcDispCore.exe 7 2->12         started        15 svchost.exe 2->15         started        17 10 other processes 2->17 process3 dnsIp4 46 C:\Users\user\AppData\...46vcDispCore.exe, PE32+ 8->46 dropped 48 C:\Users\...48vcDispCore.exe:Zone.Identifier, ASCII 8->48 dropped 50 C:\Users\user\AppData\...\eB0bVEM89x.exe.log, ASCII 8->50 dropped 80 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->80 82 Tries to evade analysis by execution special instruction which cause usermode exception 8->82 84 Tries to detect debuggers (CloseHandle check) 8->84 96 2 other signatures 8->96 19 cmd.exe 1 8->19         started        21 cmd.exe 1 8->21         started        60 192.168.2.1 unknown unknown 12->60 52 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 12->52 dropped 86 Multi AV Scanner detection for dropped file 12->86 88 Machine Learning detection for dropped file 12->88 90 Sample is not signed and drops a device driver 12->90 24 sihost64.exe 12->24         started        92 Changes security center settings (notifications, updates, antivirus, firewall) 15->92 26 MpCmdRun.exe 1 15->26         started        94 System process connects to network (likely due to code injection or exploit) 17->94 file5 signatures6 process7 signatures8 28 NvcDispCore.exe 4 19->28         started        32 conhost.exe 19->32         started        70 Uses schtasks.exe or at.exe to add and modify task schedules 21->70 34 conhost.exe 21->34         started        36 schtasks.exe 1 21->36         started        72 Multi AV Scanner detection for dropped file 24->72 74 Writes to foreign memory regions 24->74 76 Allocates memory in foreign processes 24->76 78 Creates a thread in another existing process (thread injection) 24->78 38 conhost.exe 2 24->38         started        40 conhost.exe 26->40         started        process9 file10 54 C:\Users\user\AppData\...\sihost64.exe, PE32+ 28->54 dropped 102 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->102 104 Writes to foreign memory regions 28->104 106 Modifies the context of a thread in another process (thread injection) 28->106 108 3 other signatures 28->108 42 svchost.exe 28->42         started        signatures11 process12 dnsIp13 56 51.15.55.162, 14444, 49745 OnlineSASFR France 42->56 58 xmr-eu2.nanopool.org 42->58 98 Query firmware table information (likely to detect VMs) 42->98 signatures14 100 Detected Stratum mining protocol 56->100
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-11-28 04:25:48 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
CoinMiner
2b0cd91072bc81875fba4d9dc3b293500f110b57dd9d37028556fdb296705fb0
CoinMiner
3aca6ead27ffa0e7384af61f022b180f305bca729e8cc4b29390b5067b673fcc
CoinMiner
4becf5486e15b31584038444e3cee0ac9c4e3770b6f9fd03a0288d997e2d9608
CoinMiner
7e6b525d20c679bb8241177f2e307bb9c5b9070e4846a033640eb45eafcf64ea
CoinMiner
833990804d459870448fdb9a0f74f6b8f5c59d395a71da86f347cf7a74f858d2
CoinMiner
b37e87a30c379dd3d84b2f9b5819cb32335d7230156d3ea01a7309502e9e6d0d
CoinMiner
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
CoinMiner
e67db91b7e8bcf1cf40735c556df7971af493cfd6b0fe4ffd25774ca7c31e070
CoinMiner
fa1a41ff82f9d6ca0473f9ac67f0d46e9576dd6608f9682d245f48ea872a3859
CoinMiner
+ 371 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211203-2w85aahecm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7
MD5 hash:
be582c09e0366fe632e8608a5d6f562e
SHA1 hash:
9a71a33e87bae9a612acdbc3c149bd587370cea9
Link:
https://www.unpac.me/results/a6212a7a-b2d5-4672-ac98-fa9d0d43c97e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/25d7abfa8b11/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1849890/
Cape
Cape
https://www.capesandbox.com/analysis/211135/

Comments


Avatar
zbet commented on 2021-12-03 22:56:58 UTC

url : hxxp://oniondq7shlx5o67t64ljuzisyp34s3n7vepnhc5ijt5hjh107.com/miexciuz.exe