MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2636b0f988e2d2129d014b870101be731b72d39e4f8ff12156b1b523a5c36c6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 10

SHA256 hash: 2636b0f988e2d2129d014b870101be731b72d39e4f8ff12156b1b523a5c36c6a
SHA3-384 hash: 6392d12e8f0e2e22149f6c4632578eb262c9cfaa9b60cffb52bd23195df81e1ffe727b1bbe24701cad8d512fee85ea8b
SHA1 hash: dbb32fc2c9e50ef42f4691ff21bd2b2c44d85fb5
MD5 hash: 9488b446052990dfb70a62e3efa57477
humanhash: whiskey-nitrogen-don-bakerloo
File name: 9488b446052990dfb70a62e3efa57477
Signature: CoinMiner
File size: 4'197'888 bytes
First seen: 2021-10-14 19:22:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 43801be8f5954e7259ebb6bc7f6dfe40 (3 x CoinMiner, 2 x RedLineStealer, 1 x njrat)
ssdeep: 98304:HAknLbcQV0ktE08wFOsTrBgVipXrdZqWzBk7VWOEBsKy1dhl:HXnn1rsk+GZZqambK2L
Threatray: 268 similar samples on MalwareBazaar
TLSH: T1CC16334544C26B9AE72AAFB7108901EDFD70F4E32D4E922EB8425033D4DAB6ECBD5171
Reporter: zbetcheckin
Tags: 32 CoinMiner exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 398
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9488b446052990dfb70a62e3efa57477
Verdict: No threats detected
Analysis date: 2021-10-14 19:35:43 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Creating a file in the %temp% directory
Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: donut nitol packed powershell tiny
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Defender Exclusion
Sigma detected: Xmrig
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 503167; Sample: wpXW8288lr; Startdate: 14/10/2021; Architecture: WINDOWS; Score: 100 (the process and behaviour graph is rendered as an image and is not reproduced here)
Threat name: Win32.Trojan.Donut
Status: Malicious
First seen: 2021-10-14 16:24:32 UTC
AV detection: 28 of 45 (62.22%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: 2636b0f988e2d2129d014b870101be731b72d39e4f8ff12156b1b523a5c36c6a
MD5 hash: 9488b446052990dfb70a62e3efa57477
SHA1 hash: dbb32fc2c9e50ef42f4691ff21bd2b2c44d85fb5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
CoinMiner: Executable exe 2636b0f988e2d2129d014b870101be731b72d39e4f8ff12156b1b523a5c36c6a (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2021-10-14 19:22:06 UTC

url : hxxp://co70765.tmweb.ru/update.exe