MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2980402300cdd466b4dd068c4352fde25c5d9edd68536b8a8911603e9a10cc94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2980402300cdd466b4dd068c4352fde25c5d9edd68536b8a8911603e9a10cc94
SHA3-384 hash: 4d1a0eeb54219e26effc2fd50810ff2abebfa17fcc3a2efc11b920ddf57232ed3826dde446043c2c81d78b94463697b6
SHA1 hash: ff6d350a63f27d0e7bc50c4e4996c77023999fe5
MD5 hash: 84f89bdea67399db223c2be083287a8f
humanhash: quebec-victor-neptune-berlin
File name:SecuriteInfo.com.Trojan.Generic.31723764.31681.24539
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'277'376 bytes
First seen:2022-09-25 10:28:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1e1db4ddf300b66a3afa3056ec32bfd (14 x CoinMiner, 2 x PripyatMiner)
ssdeep 49152:+oFW8fx8RU09drZcvi65sidu6rFpxdPr:+oFWOibZsdu6Jpxd
Threatray 12 similar samples on MalwareBazaar
TLSH T1B5B52239A36354FDC5278171C3EBA6B2FA71FC141331AA2E0F58CF352E65C604AAE564
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313159/
Detection(s):
SecuriteInfo.com.Trojan.Generic.31723764.31681.24539.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Running batch commands
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38973/overview
Behaviour
MalwareBazaar
CallSleep
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed shell32.dll
Link:
https://www.filescan.io/uploads/63302db7fbcd636ef7474a19/reports/a5ee424f-35a9-4ffc-b60b-baf4d36a1335/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d6cec480-0c8d-4692-976f-3433911f68d4
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1076836
Signature
Antivirus detection for dropped file
Creates files in the system32 config directory
Detected Stratum mining protocol
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 709378 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 25/09/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Antivirus detection for dropped file 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 6 other signatures 2->53 7 updater.exe 3 2->7         started        11 SecuriteInfo.com.Trojan.Generic.31723764.31681.24539.exe 1 2->11         started        process3 file4 37 C:\Windows\Temp\5318.tmp, PE32+ 7->37 dropped 39 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 7->39 dropped 55 Writes to foreign memory regions 7->55 57 Modifies the context of a thread in another process (thread injection) 7->57 59 Maps a DLL or memory area into another process 7->59 61 Sample is not signed and drops a device driver 7->61 13 powershell.exe 34 7->13         started        16 cmd.exe 3 7->16         started        18 conhost.exe 7->18         started        41 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 11->41 dropped 21 powershell.exe 34 11->21         started        23 powershell.exe 13 11->23         started        signatures5 process6 dnsIp7 63 Creates files in the system32 config directory 13->63 25 conhost.exe 13->25         started        27 WMIC.exe 1 16->27         started        29 conhost.exe 16->29         started        43 136.244.80.197, 49698, 80 AS-CHOOPAUS United States 18->43 45 pool.hashvault.pro 18->45 65 Uses schtasks.exe or at.exe to add and modify task schedules 21->65 31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 schtasks.exe 1 23->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2980402300cdd466b4dd068c4352fde25c5d9edd68536b8a8911603e9a10cc94/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2022-09-25 10:29:15 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
25 of 41 (60.98%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgaeaiyazxkgnng5a2gegux54jof3hw5nbjwxcujcfqd5gqqzska._file
Verdict:
malicious
Similar samples:
02aeff4e07664864d428440cab4be050ddc1504ff997ce0fef7068899139318d
CoinMiner
30979d6192d60158768f4bf3955399bf3289592403b4899fe7fe5de57d6e664a
CoinMiner
5850d3b23060abb351ae9dafecfe7c19c9e890004f4c14f8ee7d164838fc356b
CoinMiner
6cfd239899f3900e6eaa1c1b2a11ddb8b082ee224fb1014bdc9baadb61611135
CoinMiner
6d0429bb3533ea8cd3b10d207ec5505ac0d38692f7f4cd1375db7cd1aba0be6e
CoinMiner
713b5821fb297bf6fda93ad5fe11dabebc2cba0aa38f4c66d02c75703a0d0bce
CoinMiner
b8c1ef5da202475f7113c36a014ebeda72a235c4ed16b2ba0244ee95c6e44053
CoinMiner
ce07b1122ef0305ce0dd1588394295073545df0b5a91c63f6ab6eaf5b7f74091
CoinMiner
ce309a2f5d17fa9dc0957947d401699492ca6f9d63206486d947aea54c65c589
CoinMiner
de85e7754cdb6c18d93f074d58406b4b4e91466cb53e82f962535452ebc2b9d9
CoinMiner
+ 2 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/220925-mh8h9sfefn/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
UPX packed file
XMRig Miner payload
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a1683bb3-857f-4525-bb0a-1560b95067fe
Unpacked files
SH256 hash:
2980402300cdd466b4dd068c4352fde25c5d9edd68536b8a8911603e9a10cc94
MD5 hash:
84f89bdea67399db223c2be083287a8f
SHA1 hash:
ff6d350a63f27d0e7bc50c4e4996c77023999fe5
Link:
https://www.unpac.me/results/c01fa3ec-ee1e-4f36-affb-aa8f309f541d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2980402300cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2980402300cdd466b4dd068c4352fde25c5d9edd68536b8a8911603e9a10cc94

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 2980402300cdd466b4dd068c4352fde25c5d9edd68536b8a8911603e9a10cc94

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2313308/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/313159/

Comments