MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2810a9fa32147187f8b2d9af9b68da218b784e00845c2f3ab213dad58d3173a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2810a9fa32147187f8b2d9af9b68da218b784e00845c2f3ab213dad58d3173a1
SHA3-384 hash: 1f02bb58ea82d9a9e1f48650b8ecb298ffa079f045afde4d1f4297861463493f19358d1c174ec1bb031c9e8226af4132
SHA1 hash: 930c67c6a2ac1b6631269f4728e90cdd0003a881
MD5 hash: f5ccac71d5c92b321f4a9bc4922cb4db
humanhash: robin-don-kentucky-saturn
File name:f5ccac71d5c92b321f4a9bc4922cb4db
Download: download sample
Signature CoinMiner
Create hunting rule
File size:29'184 bytes
First seen:2021-12-05 08:41:53 UTC
Last seen:2021-12-05 10:29:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:+MY3RQNHxL/Mft+Xn9wG7FSvdRDW2gYsr90gTuF9NnWLyr:nkyHhaw6WFG6Y0XyF9zr
Threatray 277 similar samples on MalwareBazaar
TLSH T13AD2CF20738C9115F9390F3E5AF1935617B5FE617461EF6D7AC0020D9E90B04E6A3E7A
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://game4486.worldhosts.fun/yyskmy.exe
Verdict:
Malicious activity
Analysis date:
2021-12-05 04:38:42 UTC
Tags:
loader
Link:
https://app.any.run/tasks/9cfa2211-817c-41b5-8b32-19d98d217533

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211446/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.46.28033.18191.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Сreating synchronization primitives
Sending a custom TCP request
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Creating a file in the system32 directory
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61ac7b5dfa72c81b5b0c64b6/reports/c06d7468-bd22-41c5-adbd-c9caa7a1012d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6df1d3c7-5009-4faa-82bb-bd19841d3483
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901667
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534141 Sample: aB94sTRV4T Startdate: 05/12/2021 Architecture: WINDOWS Score: 100 83 Antivirus / Scanner detection for submitted sample 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 Yara detected BitCoin Miner 2->87 89 3 other signatures 2->89 10 aB94sTRV4T.exe 5 2->10         started        14 services32.exe 3 2->14         started        process3 file4 79 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 10->79 dropped 81 C:\Users\user\AppData\...\aB94sTRV4T.exe.log, ASCII 10->81 dropped 103 Adds a directory exclusion to Windows Defender 10->103 16 cmd.exe 1 10->16         started        18 cmd.exe 1 10->18         started        105 Antivirus detection for dropped file 14->105 107 Multi AV Scanner detection for dropped file 14->107 109 Machine Learning detection for dropped file 14->109 21 cmd.exe 14->21         started        23 cmd.exe 14->23         started        signatures5 process6 signatures7 25 svchost32.exe 6 16->25         started        29 conhost.exe 16->29         started        91 Uses schtasks.exe or at.exe to add and modify task schedules 18->91 93 Adds a directory exclusion to Windows Defender 18->93 31 powershell.exe 23 18->31         started        33 conhost.exe 18->33         started        35 powershell.exe 18->35         started        41 2 other processes 18->41 37 conhost.exe 21->37         started        43 4 other processes 21->43 39 conhost.exe 23->39         started        process8 file9 75 C:\Windows\System32\services32.exe, PE32+ 25->75 dropped 77 C:\Windows\...\services32.exe:Zone.Identifier, ASCII 25->77 dropped 97 Antivirus detection for dropped file 25->97 99 Machine Learning detection for dropped file 25->99 101 Drops executables to the windows directory (C:\Windows) and starts them 25->101 45 services32.exe 4 25->45         started        48 cmd.exe 1 25->48         started        50 cmd.exe 25->50         started        signatures10 process11 signatures12 111 Adds a directory exclusion to Windows Defender 45->111 52 cmd.exe 45->52         started        55 cmd.exe 45->55         started        57 conhost.exe 48->57         started        59 schtasks.exe 1 48->59         started        61 conhost.exe 50->61         started        63 choice.exe 50->63         started        process13 signatures14 95 Adds a directory exclusion to Windows Defender 52->95 65 conhost.exe 52->65         started        67 powershell.exe 52->67         started        69 powershell.exe 52->69         started        73 2 other processes 52->73 71 conhost.exe 55->71         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2810a9fa32147187f8b2d9af9b68da218b784e00845c2f3ab213dad58d3173a1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-04 23:55:07 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
24ea17a2c73edd5668c90344844c696e8bfddb72bf605feeea1a0dcc054f246f
CoinMiner
25fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992
CoinMiner
3a4b5c0c302fdd8b9980e6d497ea2477ecc10357dcc73108d62f3a0f97fd356b
CoinMiner
493bfdb9e04607e49f6ead719b51e9c25cc8c4fa76bcb79c2f8e9225bb46e659
CoinMiner
65bbafc229aa726d189d7607d03b1c6835ddcdf8ad6ac90017749b051f6b0770
CoinMiner
74f077e0666f913cf2a797270b7f9f9747f822c61c896b3314e0a247960d4e01
CoinMiner
75359481a80ae7253f5a8859cc9d899020a24af197b95f8ef2716a9f011dc3b1
CoinMiner
92d222fc274d0c981a595327cf103960535339a655ae240f9267a84aedba7f41
CoinMiner
a80e58ef1c5a06c712d21814ad9d003f6f9482f5e7375ec15e5d2363f99b7c12
CoinMiner
bdbf24537950b4bb8ca32e92dc5934fd651792db3452c748d7893da61aca1710
CoinMiner
+ 267 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211205-kl1xgscbhp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
2810a9fa32147187f8b2d9af9b68da218b784e00845c2f3ab213dad58d3173a1
MD5 hash:
f5ccac71d5c92b321f4a9bc4922cb4db
SHA1 hash:
930c67c6a2ac1b6631269f4728e90cdd0003a881
Link:
https://www.unpac.me/results/cf351add-c9be-485b-afdb-6bd071cfe61c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2810a9fa3214/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2810a9fa32147187f8b2d9af9b68da218b784e00845c2f3ab213dad58d3173a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 2810a9fa32147187f8b2d9af9b68da218b784e00845c2f3ab213dad58d3173a1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1853764/
Cape
Cape
https://www.capesandbox.com/analysis/211446/

Comments


Avatar
zbet commented on 2021-12-05 08:41:55 UTC

url : hxxp://game4486.worldhosts.fun/yyskmy.exe