MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c049deedbc83923abdd41580faa07c98037f09b5fabe98f97a9239a0b6e3542. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c049deedbc83923abdd41580faa07c98037f09b5fabe98f97a9239a0b6e3542
SHA3-384 hash: 7c2c9e1ce1aa04864c245de29895b929c9068b64964eb02452aaea6a4139a0eda7009588a09a854f6c09751cc38f54a6
SHA1 hash: 3c6c45b4669086d4477aff8ec771a7340cd989fe
MD5 hash: 09610d47f3239b2371ad6e82e9a60e6b
humanhash: gee-alpha-foxtrot-muppet
File name:BTG.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'688'320 bytes
First seen:2022-06-10 08:29:57 UTC
Last seen:2022-06-10 09:50:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0dc6c5e06e22bd9f0c79c55ec1c09b01 (4 x CoinMiner)
ssdeep 98304:FiShUNKAsTGQrErbI4UZ4LoyOSe9tSgvdUr4zQkLvr4hnLsyPJV5kpv8Cvgroq1i:MnpsTGrbIyFlgvI4MWMhLs6UkCmr1x
Threatray 165 similar samples on MalwareBazaar
TLSH T11B463315099763BCCD23EB39F2A64F1A5A3035D89ED3688FF54453E62DB4288E5E043B
TrID 48.1% (.EXE) Win32 EXE PECompact compressed (v2.x) (59069/9/14)
33.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.6% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 8eb2c096b080c28c (8 x CoinMiner, 2 x Downloader.Upatre, 1 x SystemBC)
Reporter obfusor
Tags:CoinMiner exe miner

Intelligence

File Origin
# of uploads :
2
# of downloads :
678
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BTG.exe
Verdict:
No threats detected
Analysis date:
2022-06-10 09:31:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/87eea7e6-50bf-4c76-b00b-28237d7d918b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/278604/
Detection(s):
PUA.Win.Packer.PECompact-2
Create hunting rule

PUA.Win.Packer.PecompactRetail-1
Create hunting rule

PUA.Win.Packer.PECompact-1
Create hunting rule

PUA.Win.Packer.PecompactRetail-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
DNS request
Sending an HTTP GET request
Creating a service
Launching a service
Creating a process from a recently created file
Creating a file in the Windows directory
Loading a system driver
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Forced system process termination
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Unauthorized injection to a recently created process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a3014bf944eda443fd4670/reports/89d8e77d-2395-4cf9-865d-bde58c363f5f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
lolminer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b3af6464-a832-4e5f-81ca-574459f38bd7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1010674
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 643170 Sample: BTG.exe Startdate: 10/06/2022 Architecture: WINDOWS Score: 100 76 Antivirus detection for dropped file 2->76 78 Antivirus / Scanner detection for submitted sample 2->78 80 Multi AV Scanner detection for dropped file 2->80 82 6 other signatures 2->82 8 NVIDIAContainer.exe 1 2->8         started        13 BTG.exe 16 2->13         started        15 svchost.exe 2->15         started        17 10 other processes 2->17 process3 dnsIp4 60 C:\Windows\RTsdfcWL.dat, PE32+ 8->60 dropped 96 Antivirus detection for dropped file 8->96 98 Multi AV Scanner detection for dropped file 8->98 100 Machine Learning detection for dropped file 8->100 102 Tries to detect virtualization through RDTSC time measurements 8->102 19 cmd.exe 1 8->19         started        21 cmd.exe 8->21         started        24 cmd.exe 1 8->24         started        35 14 other processes 8->35 72 lianjie666.ddns.me 119.96.97.235, 49744, 49747, 49748 CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN China 13->72 62 C:\Windows\SysWOW64\BTG\start.exe, PE32 13->62 dropped 64 C:\Windows\SysWOW64\BTG\lolMiner.exe, PE32+ 13->64 dropped 66 C:\Windows\SysWOW64\BTG66VIDIAContainer.exe, PE32 13->66 dropped 68 C:\Users\user\...\install_wim_tweak.exe, PE32 13->68 dropped 104 Detected unpacking (changes PE section rights) 13->104 106 Moves itself to temp directory 13->106 108 Drops executables to the windows directory (C:\Windows) and starts them 13->108 26 start.exe 2 1 13->26         started        29 cmd.exe 1 13->29         started        110 Changes security center settings (notifications, updates, antivirus, firewall) 15->110 31 MpCmdRun.exe 15->31         started        74 127.0.0.1 unknown unknown 17->74 33 WerFault.exe 17->33         started        file5 signatures6 process7 file8 37 lolMiner.exe 19->37         started        40 conhost.exe 19->40         started        42 cmd.exe 1 19->42         started        84 Drops executables to the windows directory (C:\Windows) and starts them 21->84 50 3 other processes 21->50 52 3 other processes 24->52 70 C:\ProgramData\Microsoft\...\start.exe, PE32 26->70 dropped 86 Antivirus detection for dropped file 26->86 88 Machine Learning detection for dropped file 26->88 90 Drops PE files to the startup folder 26->90 44 install_wim_tweak.exe 1 29->44         started        46 conhost.exe 29->46         started        48 conhost.exe 31->48         started        54 25 other processes 35->54 signatures9 process10 signatures11 92 Antivirus detection for dropped file 37->92 94 Multi AV Scanner detection for dropped file 37->94 56 WerFault.exe 20 9 44->56         started        58 WerFault.exe 44->58         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c049deedbc83923abdd41580faa07c98037f09b5fabe98f97a9239a0b6e3542/
Threat name:
Win32.PUA.MiscX
Create hunting rule
Status:
Malicious
First seen:
2022-06-10 08:31:57 UTC
File Type:
PE (Exe)
Extracted files:
254
AV detection:
19 of 26 (73.08%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fqcj33w3za4shk65ifma7kqhzgadp4e3l6v6td4xverzuc3ogvba._file
Verdict:
malicious
Similar samples:
10835966177c277d70fae42109ddacccea06ab0c576709e9a68ec768840882ae
CoinMiner
1948cbc56b010af69cab63977edb0dfb76de1520291fd9eac8777a887f006adc
CoinMiner
3bae281a122628561deb145beffcb3b2c1b8ab51e0c96818ef7a1203738af5d4
CoinMiner
5430394ea19a7c57dea6d2d07c389bb5fd12bb4e3e64f98911148ae0f870dfdf
CoinMiner
56133c0d017af35f49253926e3583cf72c36146ab7faa65b6058971685166652
CoinMiner
75b388003cc32b680abc3d9b41bc6c435af723de235eaab36a323fddcb906f62
CoinMiner
799b7395c9f279d8cd1cd24657788ecb37db7ae03c0dddeb3344a95a551d1325
CoinMiner
d003e8350d5dc3823f7c415c4b901a24c5731307bb3d0f464b3630bb1e0cb2ba
CoinMiner
e6902e5efb53a1de2af93809a5103603aa8115e0f80fa95ade2461947bff4c7e
CoinMiner
fdb6ea9de0be18ad1f1418aa6dd3ce73db50d6abab7b27d274eeb15940a3bc31
CoinMiner
+ 155 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
bootkit persistence upx
Link:
https://tria.ge/reports/220610-kd568sdeh9/
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
afbf22880d0129f8b11b1a5876f175c874f52c8572cb5c4beda3c528241a8e6c
MD5 hash:
ba352663c76c86c10a8d5c7b7a47f3c5
SHA1 hash:
61337aec0dad3d993f862a2d6499a185cbe46431
Link:
https://www.unpac.me/results/87b9c777-33e0-4b4f-b097-4970016f61ff/
SH256 hash:
64a2e3833ce7d199b7d5e86fe4de87568234218f461247ba3bc06b113ce51aaa
MD5 hash:
07b69eb7129f50e7aa3f02837b1dff70
SHA1 hash:
51f55db6dec5016844c3fd6d46fb920c349c49e0
Link:
https://www.unpac.me/results/87b9c777-33e0-4b4f-b097-4970016f61ff/
SH256 hash:
2c049deedbc83923abdd41580faa07c98037f09b5fabe98f97a9239a0b6e3542
MD5 hash:
09610d47f3239b2371ad6e82e9a60e6b
SHA1 hash:
3c6c45b4669086d4477aff8ec771a7340cd989fe
Link:
https://www.unpac.me/results/87b9c777-33e0-4b4f-b097-4970016f61ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2c049deedbc83923abdd41580faa07c98037f09b5fabe98f97a9239a0b6e3542

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/278604/

Comments