MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c0d109d4035df93cc57dfb1b82a705a0b87b47f96686b7f8cf4f0cb05bfb3cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 7


SHA256 hash: 3c0d109d4035df93cc57dfb1b82a705a0b87b47f96686b7f8cf4f0cb05bfb3cf
SHA3-384 hash: 4e0bd6067471a3f176712aa2d045cbd8ea41043e9b51dc41f877f49f33ccbf2e6b4b6256bf890c600037d13a22345861
SHA1 hash: f28b8c24d055d30305efa5dc6d09df99a10342c1
MD5 hash: 2f74cc1d61f4e0f8433d7c1388cc2257
humanhash: maryland-fourteen-pasta-maryland
File name: RepairTool.exe
Signature: CoinMiner
File size: 8'192 bytes
First seen: 2022-01-09 14:04:25 UTC
Last seen: 2022-01-09 15:35:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 192:QN4XDSp8LaYL3V5pzxkLSLrL+MSdaUif5Eyz:QQmp8LNLDpzxkLSLrL+MkaPf5Ey
Threatray 219 similar samples on MalwareBazaar
TLSH T199F1D722A7F8C635E9374F3258E352105B79E356AD13DB2ED486110FAE6331106E2FB6
Reporter: JaffaCakes118
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 316
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: RepairTool.exe
Verdict: Malicious activity
Analysis date: 2022-01-09 14:02:44 UTC
Tags: loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 60%
Tags: donut obfuscated packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BitCoin Miner SilentXMRMiner
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Telegram Recon
Behaviour
Behavior Graph: ID 549775, Sample: RepairTool.exe, Startdate: 09/01/2022, Architecture: WINDOWS, Score: 100 (interactive process, file and network graph; rendering not reproduced in this text version)
Threat name: ByteCode-MSIL.Trojan.Donut
Status: Malicious
First seen: 2022-01-09 14:05:07 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SHA256 hash: 3c0d109d4035df93cc57dfb1b82a705a0b87b47f96686b7f8cf4f0cb05bfb3cf
MD5 hash: 2f74cc1d61f4e0f8433d7c1388cc2257
SHA1 hash: f28b8c24d055d30305efa5dc6d09df99a10342c1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: EnigmaStub
Author: @bartblaze
Description: Identifies Enigma packer stub.
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File: Executable exe 3c0d109d4035df93cc57dfb1b82a705a0b87b47f96686b7f8cf4f0cb05bfb3cf (this sample)
Distributed via web download
