MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d908fba420926ebb4fd1ce3637938fca06bc45c23425674435433a814009f9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d908fba420926ebb4fd1ce3637938fca06bc45c23425674435433a814009f9d
SHA3-384 hash: 462ff13caab6501f8aed8e4dc682aa168dab9f5e1868c54bf95821093526e6246fa3cc02b9539eec7436dafd58659199
SHA1 hash: 7cf7bee8edd10c79d152dbe2feee854596170f68
MD5 hash: ad66f35b417643bb5a4840f11d4d7301
humanhash: autumn-item-bacon-nevada
File name:ad66f35b417643bb5a4840f11d4d7301
Download: download sample
Signature CoinMiner
Create hunting rule
File size:6'286'544 bytes
First seen:2023-09-08 15:50:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f7505c167603909b7180406402fef19e (36 x CoinMiner, 3 x PripyatMiner)
ssdeep 98304:tx5+/DsqFXubn614gByduvDEe91dKyWUwqoyBj4fdEVWamPFB1aXMaZq+g1s4hwf:t1qFXW611BHvX1dKyWHBEV0GZqru
Threatray 111 similar samples on MalwareBazaar
TLSH T1B156CF443DF18392F04A4D35530A3874743B8E3F58CE07BAA152B62677B77C68B859BA
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f08cccaa8a8c8cf0 (1 x CoinMiner)
Reporter zbetcheckin
Tags:64 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ad66f35b417643bb5a4840f11d4d7301
Verdict:
Malicious activity
Analysis date:
2023-09-08 16:08:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0e6c2103-fcd3-4494-9d9f-d38dd1361206

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447553/
Detection(s):
SecuriteInfo.com.Trojan.Siggen21.26096.17273.27521.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process from a recently created file
Enabling autorun by creating a file
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Molotov.IM.39.Generic
Link:
https://www.hybrid-analysis.com/sample/2d908fba420926ebb4fd1ce3637938fca06bc45c23425674435433a814009f9d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3d8b1c52-04b2-4891-ab10-22d60de86582
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306347
Signature
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Drops PE files to the startup folder
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306347 Sample: J2YYVJDL1f.exe Startdate: 08/09/2023 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 6 other signatures 2->56 6 updater.exe 5 2->6         started        10 J2YYVJDL1f.exe 1 2->10         started        12 updater.exe 2->12         started        14 11 other processes 2->14 process3 file4 30 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 6->30 dropped 32 C:\Users\user\AppData\...\ftovpbbfnigz.tmp, PE32+ 6->32 dropped 58 Uses cmd line tools excessively to alter registry or file data 6->58 60 Injects code into the Windows Explorer (explorer.exe) 6->60 62 Writes to foreign memory regions 6->62 72 3 other signatures 6->72 16 explorer.exe 6->16         started        20 conhost.exe 6->20         started        34 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 10->34 dropped 64 Suspicious powershell command line found 10->64 66 Self deletion via cmd or bat file 10->66 68 Drops PE files to the startup folder 10->68 70 Found strings related to Crypto-Mining 12->70 22 conhost.exe 14->22         started        24 conhost.exe 14->24         started        26 conhost.exe 14->26         started        28 6 other processes 14->28 signatures5 process6 dnsIp7 36 spoff.findeverything.xyz 104.21.78.103, 443, 49741, 49768 CLOUDFLARENETUS United States 16->36 38 172.67.220.56, 443, 49756 CLOUDFLARENETUS United States 16->38 40 3 other IPs or domains 16->40 42 System process connects to network (likely due to code injection or exploit) 16->42 44 Query firmware table information (likely to detect VMs) 16->44 46 Performs DNS queries to domains with low reputation 16->46 48 Uses cmd line tools excessively to alter registry or file data 20->48 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d908fba420926ebb4fd1ce3637938fca06bc45c23425674435433a814009f9d/
Threat name:
Win64.Trojan.Molotov
Create hunting rule
Status:
Malicious
First seen:
2023-09-01 20:20:57 UTC
File Type:
PE+ (Exe)
Extracted files:
19
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fwii7oscbetoxnh5dtrwg6jy7sqgxrc4enbfm5cdkqz2qfaat6oq._file
Verdict:
malicious
Similar samples:
1ee660ee24030f3bef36495ab2f47c7a05c9796ebad4105e649f2f5de284f715
CoinMiner
3dbfc85922adcc72d86d8c50d0e027efeb71bc9b0b4f8c7bba7be5348a7d0d5d
CoinMiner
6fdca0731e0caed266b154e06c49a2abc7224fd273a47c8d6529f86310afdefb
CoinMiner
82371deb6f662135074478092d27ad6639da25dbda6971e8037326cb8907b8c0
CoinMiner
ac3af6bd3139c444e8e146a6d48c110ae33c09d23c84b7b02f3d7af9eaa49c84
CoinMiner
d540f75897495102dd30eaa924623ac40415e8a716bdcbadf7d7c9a00feb5c97
CoinMiner
e0e267a1da22b796f4f8a7b84a81d0f0a461183cdc03d267a75e34d9fc497ccd
CoinMiner
e5ec05d1f59933949c166e82457c251e49146bb42bc4b9017a9fc625c6a13dff
CoinMiner
fbeedd4502c93c093a8aaaa4a5e0609713cbecd10d15291741b3fa6e5f174581
CoinMiner
+ 101 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/230908-tagtxadd61/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Drops startup file
Executes dropped EXE
Loads dropped DLL
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
2d908fba420926ebb4fd1ce3637938fca06bc45c23425674435433a814009f9d
MD5 hash:
ad66f35b417643bb5a4840f11d4d7301
SHA1 hash:
7cf7bee8edd10c79d152dbe2feee854596170f68
Link:
https://www.unpac.me/results/a46588e2-a724-459e-b9aa-429c9f04b166/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d908fba4209/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d908fba420926ebb4fd1ce3637938fca06bc45c23425674435433a814009f9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 2d908fba420926ebb4fd1ce3637938fca06bc45c23425674435433a814009f9d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2710611/
Cape
Cape
https://www.capesandbox.com/analysis/447553/
  
URLhaus
https://urlhaus.abuse.ch/url/2710800/

Comments


Avatar
zbet commented on 2023-09-08 15:50:15 UTC

url : hxxp://81.161.229.120/raw/a/VCheck.exe