MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a40d13ba6b30c31d8d5380b61806ec76355f4c10a3c242eff71ddc020907be7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 10



SHA256 hash: 3a40d13ba6b30c31d8d5380b61806ec76355f4c10a3c242eff71ddc020907be7
SHA3-384 hash: 58a9cdfb2f76d1380dafa6bc40b6651b54500e6d245a6ea6bc6e827de22f039bb58e9f04fbc4d8a8f09dfb0b9ebccfe4
SHA1 hash: a9927651f269bfa69cd0951a8ba359767aa4750a
MD5 hash: 883557643041ae74c5c2234b669440b8
humanhash: red-lamp-enemy-salami
File name: 883557643041ae74c5c2234b669440b8
Signature: CoinMiner
File size: 4'761'600 bytes
First seen: 2022-02-01 18:35:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep: 98304:rH2G2UsErDSZ1AbvMuYVbwGXARb5LQkqYGNSzaM/6+zqB4db:6G2Vl6gugheb9DnF
Threatray: 1'934 similar samples on MalwareBazaar
TLSH: T1A32633454B0A9D39F13104347423ACD9B486FF649B7D8B13A93D966381E2F88EE367E1
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 256
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
DNS request
Launching a process
Running batch commands
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the Windows subdirectories
Creating a file in the system32 subdirectories
Forced system process termination
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Unauthorized injection to a browser process
Result
Malware family: n/a
Score: 6/10
Tags: n/a

Behaviour
MalwareBazaar
CallSleep
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: BitCoin Miner Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
DNS related to crypt mining pools
Drops PE files with benign system names
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs many domain queries via nslookup
Potential dropper URLs found in powershell memory
Sample is not signed and drops a device driver
Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
Sigma detected: File Created with System Process Name
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 564456, Sample: zR3p802kfX, Startdate: 01/02/2022, Architecture: WINDOWS, Score: 100)
Root node signatures: xmr-eu1.nanopool.org (DNS/IP); Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 11 other signatures
Process tree reconstructed from the graph edges (indentation = parent/child; "started" = child process, "injected" = injection target, "dropped" = file written; the trailing numbers after some process names are kept as they appear in the graph):
- zR3p802kfX.exe (started)
    signatures: Uses nslookup.exe to query domains; Writes to foreign memory regions; Allocates memory in foreign processes; Performs many domain queries via nslookup
    - nslookup.exe 7 (started)
        dropped: C:\Users\user\AppData\...\services.exe (PE32+); C:\Users\...\services.exe:Zone.Identifier (ASCII)
        signatures: Uses nslookup.exe to query domains; Modifies the context of a thread in another process (thread injection); Performs many domain queries via nslookup; Drops PE files with benign system names
        - cmd.exe 1 (started)
            - services.exe (started)
                signatures: Uses nslookup.exe to query domains; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                - nslookup.exe 8 (started)
                    dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+); C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
                    signatures: Uses nslookup.exe to query domains; Sample is not signed and drops a device driver; Performs many domain queries via nslookup
                    - sihost64.exe (started)
                        signatures: Antivirus detection for dropped file; Uses nslookup.exe to query domains; Writes to foreign memory regions; 3 other signatures
                        - nslookup.exe (started)
                            - conhost.exe (started)
                    - cmd.exe 1 (started)
                        signatures: Encrypted powershell cmdline option found
                        - powershell.exe 18 (started)
                        - conhost.exe (started)
                        - powershell.exe (started)
                    - conhost.exe (started)
                    - nslookup.exe (started)
            - conhost.exe (started)
        - cmd.exe 1 (started)
            signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
            - powershell.exe 24 (started)
            - powershell.exe 18 (started)
            - conhost.exe (started)
        - cmd.exe 1 (started)
            - conhost.exe (started)
            - schtasks.exe 1 (started)
        - 2 other processes
- powershell.exe 19 (started)
    signatures: Creates files in the system32 config directory; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
    - dllhost.exe 1 (started)
        signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
        - winlogon.exe (injected)
        - lsass.exe (injected)
        - 3 other processes
    - conhost.exe (started)
- services.exe (started)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates a thread in another existing process (thread injection)
    - nslookup.exe 3 (started)
        - cmd.exe 1 (started)
            - conhost.exe (started)
            - 2 other processes
        - conhost.exe (started)
- powershell.exe 21 (started)
    - conhost.exe (started)
Threat name: Win64.Trojan.Donut
Status: Malicious
First seen: 2022-02-01 18:36:14 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 3a40d13ba6b30c31d8d5380b61806ec76355f4c10a3c242eff71ddc020907be7
MD5 hash: 883557643041ae74c5c2234b669440b8
SHA1 hash: a9927651f269bfa69cd0951a8ba359767aa4750a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256: 3a40d13ba6b30c31d8d5380b61806ec76355f4c10a3c242eff71ddc020907be7 (this sample)

Delivery method
Distributed via web download

Comments