MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4
SHA3-384 hash: 7c98f2d7414e6eb435206c83dd075552c7edfd24b14804232c2e7b3443ef0a583bab25e3f4cbe15c6a7d637d4e72a8dd
SHA1 hash: 863c3faace90bba1563a97dfa788f15799032192
MD5 hash: f64ccb9df2b5df5287485f13c727d9dd
humanhash: delaware-robin-oscar-pluto
File name:f64ccb9df2b5df5287485f13c727d9dd.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'575'232 bytes
First seen:2021-10-12 08:55:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eca9e2758b11f815ab34f11a0fdb4a51 (1 x CoinMiner)
ssdeep 98304:B7AJbg4GyrPsJG9Ey+K6JJkoyw4di0agX1Bv0CsG12iNM/:B7AJbgJyrr+KwV/G71F0LclNM
Threatray 67 similar samples on MalwareBazaar
TLSH T1842612EA7140232CC42E81348837F985F6F6941E1EDA95AAB2DFBBD43B77420D542F46
File icon (PE):PE icon
dhash icon fe7ee68292b292c6 (1 x CoinMiner)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f64ccb9df2b5df5287485f13c727d9dd.exe
Verdict:
No threats detected
Analysis date:
2021-10-12 08:59:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d8db5ec6-7679-40b5-8874-aff03b282e94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196859/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.17309.13384.30014.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61654da69fb4d8593d624abe/reports/ff74739d-c501-4c15-9c70-1cf9cfaac452/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6c53b942-4236-4771-bd96-52fd86465566
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/868442
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Powershell Defender Exclusion
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 500870 Sample: rd0dYznNdR.exe Startdate: 12/10/2021 Architecture: WINDOWS Score: 100 82 Multi AV Scanner detection for submitted file 2->82 84 Detected VMProtect packer 2->84 86 Machine Learning detection for sample 2->86 88 Sigma detected: Powershell Defender Exclusion 2->88 11 rd0dYznNdR.exe 2->11         started        14 services32.exe 2->14         started        process3 signatures4 106 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->106 108 Writes to foreign memory regions 11->108 110 Tries to detect virtualization through RDTSC time measurements 11->110 16 conhost.exe 4 11->16         started        112 Multi AV Scanner detection for dropped file 14->112 114 Machine Learning detection for dropped file 14->114 116 Creates a thread in another existing process (thread injection) 14->116 20 conhost.exe 14->20         started        process5 file6 68 C:\Users\user\services32.exe, PE32+ 16->68 dropped 78 Drops PE files to the user root directory 16->78 80 Adds a directory exclusion to Windows Defender 16->80 22 cmd.exe 1 16->22         started        24 cmd.exe 1 16->24         started        27 cmd.exe 1 16->27         started        29 cmd.exe 20->29         started        signatures7 process8 signatures9 31 services32.exe 22->31         started        34 conhost.exe 22->34         started        102 Uses schtasks.exe or at.exe to add and modify task schedules 24->102 104 Adds a directory exclusion to Windows Defender 24->104 36 powershell.exe 23 24->36         started        38 powershell.exe 22 24->38         started        40 conhost.exe 24->40         started        42 conhost.exe 27->42         started        44 schtasks.exe 1 27->44         started        46 conhost.exe 29->46         started        48 2 other processes 29->48 process10 signatures11 118 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 31->118 120 Writes to foreign memory regions 31->120 122 Creates a thread in another existing process (thread injection) 31->122 50 conhost.exe 31->50         started        process12 dnsIp13 72 github.com 140.82.121.3, 443, 49753 GITHUBUS United States 50->72 74 raw.githubusercontent.com 185.199.108.133, 443, 49754 FASTLYUS Netherlands 50->74 76 sanctam.net 50->76 70 C:\Users\user\AppData\...\sihost32.exe, PE32+ 50->70 dropped 90 Adds a directory exclusion to Windows Defender 50->90 55 sihost32.exe 50->55         started        58 cmd.exe 50->58         started        file14 signatures15 process16 signatures17 92 Multi AV Scanner detection for dropped file 55->92 94 Writes to foreign memory regions 55->94 96 Allocates memory in foreign processes 55->96 98 Creates a thread in another existing process (thread injection) 55->98 60 conhost.exe 55->60         started        100 Adds a directory exclusion to Windows Defender 58->100 62 conhost.exe 58->62         started        64 powershell.exe 58->64         started        66 powershell.exe 58->66         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 22:01:14 UTC
AV detection:
5 of 28 (17.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0fecc31110c98a487e301d783c61d7f0e3e607854b5b94a01a96c73b07a99272
CoinMiner
23f725498a107dd110eccfa4c8728fbeb6073b7c207a4509f19057082d82e6f3
CoinMiner
329903818d07ba0d9e6e77b1a334e7adc0be9ca594d122ee592257b34d4e8208
CoinMiner
5221a9886df44c6e76d7a6d770ffe811d68cb8e6b96267e5ef40393ac675f6ff
CoinMiner
73c1188d93bd4318a830cb6d891aae7580a61c396ce37ba3676a321bbd3a137e
CoinMiner
7feb71e0bcd24d21e20f423434b4c9971c174c9e1aafedab36e2ecab1ff3a5bf
CoinMiner
9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462
CoinMiner
c178858bc5b0763eaadbffe1d432de85a73c6f8ba4b7ce7f7bc98dc119532297
CoinMiner
de74006a23319ed5aa596ee8e047df2a6823fecdb9e0f4a5298418e665b56564
CoinMiner
e7b94b42550145f6653edad5a47879f3bad1abe865f065d7036ca942c572e842
CoinMiner
+ 57 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/211012-kv2kdabhgl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Unpacked files
SH256 hash:
370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4
MD5 hash:
f64ccb9df2b5df5287485f13c727d9dd
SHA1 hash:
863c3faace90bba1563a97dfa788f15799032192
Link:
https://www.unpac.me/results/4ef85870-23b6-4842-bddd-dc6c53865e31/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/370623f3b732/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1667903/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196859/

Comments