MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a4b5c0c302fdd8b9980e6d497ea2477ecc10357dcc73108d62f3a0f97fd356b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a4b5c0c302fdd8b9980e6d497ea2477ecc10357dcc73108d62f3a0f97fd356b
SHA3-384 hash: 2539e4479544f52a9288ea0e4d79c74f57a9d14c58c2370267fe6a309c4952ff565bf5011b65e0643163223eaa725db6
SHA1 hash: 92ee737f936b3b8d811c8169839415cb6f97142b
MD5 hash: 605299ab524fe98acbe5628e341482e3
humanhash: item-angel-hawaii-wisconsin
File name:605299ab524fe98acbe5628e341482e3
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'000'896 bytes
First seen:2021-10-01 10:18:36 UTC
Last seen:2021-10-01 10:50:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:xXtwsK2HRX7vcpf2wv9a5gUQPk0WFeyN3HRYphX:912pf2wQOUD0WFeE3xKd
Threatray 206 similar samples on MalwareBazaar
TLSH T1F295330C794FCF64D2770F73BA190B092835625A1F25E2DFA5E16F0DA1F831A64A9F48
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GTAFiveMModMenuInstallerV4.6.exe
Verdict:
Malicious activity
Analysis date:
2021-10-01 06:05:53 UTC
Tags:
trojan rat redline stealer loader
Link:
https://app.any.run/tasks/de43659d-18d0-46e2-ba02-de4ef952887f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193958/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.46.31722.21360.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file in the system32 directory
Deleting a recently created file
Replacing files
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba91e2d7-244a-45de-a9fb-738e72bc8102
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/862643
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495071 Sample: qPSF4pzzsd Startdate: 01/10/2021 Architecture: WINDOWS Score: 92 77 Multi AV Scanner detection for submitted file 2->77 79 Yara detected BitCoin Miner 2->79 81 Machine Learning detection for sample 2->81 83 2 other signatures 2->83 10 qPSF4pzzsd.exe 5 2->10         started        14 bsdedit.exe 3 2->14         started        process3 file4 73 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 10->73 dropped 75 C:\Users\user\AppData\...\qPSF4pzzsd.exe.log, ASCII 10->75 dropped 97 Adds a directory exclusion to Windows Defender 10->97 16 cmd.exe 1 10->16         started        18 cmd.exe 1 10->18         started        99 Multi AV Scanner detection for dropped file 14->99 101 Machine Learning detection for dropped file 14->101 21 cmd.exe 1 14->21         started        signatures5 process6 signatures7 23 svchost32.exe 6 16->23         started        27 conhost.exe 16->27         started        85 Uses schtasks.exe or at.exe to add and modify task schedules 18->85 87 Adds a directory exclusion to Windows Defender 18->87 29 powershell.exe 23 18->29         started        31 powershell.exe 18 18->31         started        33 conhost.exe 18->33         started        39 2 other processes 18->39 35 conhost.exe 21->35         started        37 powershell.exe 21->37         started        41 3 other processes 21->41 process8 file9 69 C:\Windows\System32\bsdedit.exe, PE32+ 23->69 dropped 71 C:\Windows\...\bsdedit.exe:Zone.Identifier, ASCII 23->71 dropped 91 Multi AV Scanner detection for dropped file 23->91 93 Machine Learning detection for dropped file 23->93 95 Drops executables to the windows directory (C:\Windows) and starts them 23->95 43 bsdedit.exe 2 23->43         started        46 cmd.exe 1 23->46         started        48 cmd.exe 1 23->48         started        signatures10 process11 signatures12 103 Adds a directory exclusion to Windows Defender 43->103 50 cmd.exe 43->50         started        53 conhost.exe 46->53         started        55 choice.exe 46->55         started        57 conhost.exe 48->57         started        59 schtasks.exe 1 48->59         started        process13 signatures14 89 Adds a directory exclusion to Windows Defender 50->89 61 conhost.exe 50->61         started        63 powershell.exe 50->63         started        65 powershell.exe 50->65         started        67 2 other processes 50->67 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a4b5c0c302fdd8b9980e6d497ea2477ecc10357dcc73108d62f3a0f97fd356b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 07:31:05 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1b4d9981e15438e889193b4272e5bc6d07d0b8984e95741eb36f7cad3dec66e6
CoinMiner
25fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992
CoinMiner
65bbafc229aa726d189d7607d03b1c6835ddcdf8ad6ac90017749b051f6b0770
CoinMiner
75359481a80ae7253f5a8859cc9d899020a24af197b95f8ef2716a9f011dc3b1
CoinMiner
7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f
CoinMiner
833ab773ed2c4e4cd2581d1e42bc5471f0621786007a8846aaf6cdfeccb198c2
CoinMiner
92d222fc274d0c981a595327cf103960535339a655ae240f9267a84aedba7f41
CoinMiner
b64e4dd4b90a918e87571b990801eb1e33444e3108fceca963aed1bd27f1890c
CoinMiner
c074e0bdbf7af4d6bde127e16997f8a208666fc74f10f516352fea3fd255650b
CoinMiner
d99ac72301d4d4c55ee0c6e33ad4e4551bac90b71f80515eea1a3dfe426abf23
CoinMiner
+ 196 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211001-mchqnabecm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
xmrig
Unpacked files
SH256 hash:
3a4b5c0c302fdd8b9980e6d497ea2477ecc10357dcc73108d62f3a0f97fd356b
MD5 hash:
605299ab524fe98acbe5628e341482e3
SHA1 hash:
92ee737f936b3b8d811c8169839415cb6f97142b
Link:
https://www.unpac.me/results/828a7825-45c0-4ad2-ae21-d3e8be14aa24/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a4b5c0c302fdd8b9980e6d497ea2477ecc10357dcc73108d62f3a0f97fd356b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 3a4b5c0c302fdd8b9980e6d497ea2477ecc10357dcc73108d62f3a0f97fd356b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1650286/
Cape
Cape
https://www.capesandbox.com/analysis/193958/

Comments


Avatar
zbet commented on 2021-10-01 10:18:37 UTC

url : hxxp://f0571088.xsph.ru/bsdedit.exe