MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36a143318fa67627e0b9351d7add36540248fc73b147a83cff6d97f2c39b63c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36a143318fa67627e0b9351d7add36540248fc73b147a83cff6d97f2c39b63c0
SHA3-384 hash: a07eae7fd0381e02529db646898639b6a2c23ed8167301ea9a3f1afa4b344d56effe49a566e06261f57236b57b8aeea6
SHA1 hash: 37cea147b0c434ef7ebeb996d73cc97cf833ead0
MD5 hash: 378a6329ab371c06b9889621892e843c
humanhash: nitrogen-purple-oregon-aspen
File name:378a6329ab371c06b9889621892e843c.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'043'392 bytes
First seen:2022-01-02 07:46:55 UTC
Last seen:2022-01-02 09:34:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:IeD1hqYd/mATLqOYmQLh3fsXav+/m9Z5OEVu:FH3FqHZkbWm
Threatray 380 similar samples on MalwareBazaar
TLSH T1329533C3EAEA57F9F7714179437200F997A0D84C49E01711A0C7CE9EC89AC7A6A217B3
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
356
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cdn.discordapp.com/attachments/922941056193036402/925158606326882334/retrik.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-28 04:12:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/013c98df-3e51-4ac7-a394-0951b1a16a57

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217066/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.15970.14079.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3673/overview
Behaviour
MalwareBazaar
CallSleep
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61d1587cec6c6c14a904fdaf/reports/a7557a67-8925-43c7-a68a-0805d0eaa660/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/61341b87-4ad4-44fe-a79a-aa2bb224fe0f
Result
Threat name:
BitCoin Miner SilentXMRMiner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914595
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 547073 Sample: O3Q0liMMTj.exe Startdate: 02/01/2022 Architecture: WINDOWS Score: 100 76 Multi AV Scanner detection for submitted file 2->76 78 Yara detected SilentXMRMiner 2->78 80 Yara detected BitCoin Miner 2->80 82 Sigma detected: Powershell Defender Exclusion 2->82 11 O3Q0liMMTj.exe 2->11         started        14 gdics.exe 2->14         started        process3 signatures4 108 Writes to foreign memory regions 11->108 110 Allocates memory in foreign processes 11->110 112 Creates a thread in another existing process (thread injection) 11->112 16 conhost.exe 5 11->16         started        114 Multi AV Scanner detection for dropped file 14->114 20 conhost.exe 5 14->20         started        process5 file6 66 C:\Windows\System32\gdics.exe, PE32+ 16->66 dropped 68 C:\Windows\...\gdics.exe:Zone.Identifier, ASCII 16->68 dropped 72 Adds a directory exclusion to Windows Defender 16->72 22 cmd.exe 1 16->22         started        25 cmd.exe 1 16->25         started        27 cmd.exe 1 16->27         started        29 BackgroundTransferHost.exe 16->29         started        70 C:\Windows\System32\...\sihost32.exe, PE32+ 20->70 dropped 74 Drops executables to the windows directory (C:\Windows) and starts them 20->74 31 sihost32.exe 20->31         started        33 cmd.exe 1 20->33         started        signatures7 process8 signatures9 90 Drops executables to the windows directory (C:\Windows) and starts them 22->90 35 gdics.exe 22->35         started        38 conhost.exe 22->38         started        92 Uses schtasks.exe or at.exe to add and modify task schedules 25->92 94 Adds a directory exclusion to Windows Defender 25->94 40 powershell.exe 23 25->40         started        42 conhost.exe 25->42         started        44 powershell.exe 25->44         started        50 2 other processes 27->50 96 Multi AV Scanner detection for dropped file 31->96 98 Writes to foreign memory regions 31->98 100 Allocates memory in foreign processes 31->100 102 Creates a thread in another existing process (thread injection) 31->102 46 conhost.exe 31->46         started        48 powershell.exe 20 33->48         started        52 2 other processes 33->52 process10 signatures11 84 Writes to foreign memory regions 35->84 86 Allocates memory in foreign processes 35->86 88 Creates a thread in another existing process (thread injection) 35->88 54 conhost.exe 2 35->54         started        process12 signatures13 104 Adds a directory exclusion to Windows Defender 54->104 57 cmd.exe 54->57         started        process14 signatures15 106 Adds a directory exclusion to Windows Defender 57->106 60 conhost.exe 57->60         started        62 powershell.exe 57->62         started        64 powershell.exe 57->64         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36a143318fa67627e0b9351d7add36540248fc73b147a83cff6d97f2c39b63c0/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-12-29 19:38:58 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1701171f89917e432739335ca3db9960f49bf7616a3832b4951df3215ceb0334
CoinMiner
29c21dfbd286de4e1ef151053a40b5de880607c0edf38f5b77a5721b1342bb61
CoinMiner
2fa8fb2ee024e1a7c5a27fd07f4892b5e4c13c1d71624086ef3594a0644ceffb
CoinMiner
7387dda5e2f645e2bdb9c2b366b4917a52a0535800580deb50f28e6790418ec9
CoinMiner
92561a2126c31ee34edef41557d2c312a3e1f4b9909c99d8ca23d3cae19ee173
CoinMiner
ade44175f9769fe9eb39588ce0d33707f75ea44ea15cb1e7823ff49725ac24aa
CoinMiner
b4a3cafc8553c06b17131e6b3afb38971312a4d91ae3349d2d118bdfc3d8de94
CoinMiner
c3ce14cd6129b778bf9aeb26799fa3387e122cede177d2b85f85fea9af5ff6cc
CoinMiner
e59a89138d5d7d96b4336b9323be581e35b3056180cc4fcf2844027534d5c189
CoinMiner
f3940f6c65cda4da86d1f9712223b8a278cd0dc90f701938a38a61ff74c66c66
CoinMiner
+ 370 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/220102-jmh8dsggbp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
xmrig
Unpacked files
SH256 hash:
36a143318fa67627e0b9351d7add36540248fc73b147a83cff6d97f2c39b63c0
MD5 hash:
378a6329ab371c06b9889621892e843c
SHA1 hash:
37cea147b0c434ef7ebeb996d73cc97cf833ead0
Link:
https://www.unpac.me/results/91fe293f-73b8-4dcd-b6fa-62ccfa61d27d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/36a143318fa67627e0b9351d7add36540248fc73b147a83cff6d97f2c39b63c0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 36a143318fa67627e0b9351d7add36540248fc73b147a83cff6d97f2c39b63c0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1941616/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217066/

Comments