MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3deb1c82c0d030534d168b9857c7ed13815917146448e1ab6844f4a90edc2a7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3deb1c82c0d030534d168b9857c7ed13815917146448e1ab6844f4a90edc2a7d
SHA3-384 hash: 295b9c9397a60317721e27c05c3a4d983b245160127c5314418ed972555fa1b04a65516365622a55f85f7018a0472c37
SHA1 hash: 45daae9fbc40e84523ff7bf15742f6bf7bac1462
MD5 hash: 831c0b3184feb755997ee1ec5e474ca8
humanhash: eight-chicken-rugby-white
File name:831c0b3184feb755997ee1ec5e474ca8
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'598'848 bytes
First seen:2024-10-07 22:13:13 UTC
Last seen:2024-10-08 00:20:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'843 x AgentTesla, 19'775 x Formbook, 12'297 x SnakeKeylogger)
ssdeep 49152:xgK8x6tinpu5GmV7HC7uaKZuJ/daqcn+kq2M6uFCnyEcv+mBnruY3+A3DbtBbgS:WK8xdIwubZu6q+eCBsruYp3X
Threatray 7 similar samples on MalwareBazaar
TLSH T175F533B7944DBA98EB1584F7C2F50370813C7F29A4B79260BA090BE95968783F84F46D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
361
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
831c0b3184feb755997ee1ec5e474ca8
Verdict:
Malicious activity
Analysis date:
2024-10-07 22:19:31 UTC
Tags:
susp-powershell
Link:
https://app.any.run/tasks/4181eeb4-c2db-42d5-abc2-96105df4a5e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67045d31a69182ddbe5cccfb
Tags:
Powershell Autorun Gumen
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
confuser confuserex packed packed
Link:
https://www.filescan.io/uploads/67045d2d06f0c2314b42be8d/reports/8b0695b4-d44f-4b44-8863-072b6438aae6/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3deb1c82c0d030534d168b9857c7ed13815917146448e1ab6844f4a90edc2a7d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8871908a-2e04-4aa6-be0f-a88347d397f7
Result
Threat name:
BitCoin Miner, SilentXMRMiner, UACMe, Xm
Create hunting rule
Detection:
malicious
Classification:
expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1528492
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected UACMe UAC Bypass tool
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1528492 Sample: GcqJPBLD2Q.exe Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 93 pool.hashvault.pro 2->93 117 Sigma detected: Xmrig 2->117 119 Malicious sample detected (through community Yara rule) 2->119 121 Antivirus / Scanner detection for submitted sample 2->121 123 11 other signatures 2->123 15 GcqJPBLD2Q.exe 7 2->15         started        19 services64.exe 2->19         started        21 svchost.exe 2->21         started        23 svchost.exe 2->23         started        signatures3 process4 file5 87 C:\Users\user\AppData\...\DccwBypassUAC.exe, PE32+ 15->87 dropped 89 C:\Users\user\AppData\Local\Temp\Cool.exe, PE32+ 15->89 dropped 91 C:\Users\user\AppData\...behaviorgraphcqJPBLD2Q.exe.log, CSV 15->91 dropped 97 Encrypted powershell cmdline option found 15->97 25 Cool.exe 15->25         started        28 powershell.exe 23 15->28         started        30 DccwBypassUAC.exe 1 15->30         started        99 Antivirus detection for dropped file 19->99 101 Machine Learning detection for dropped file 19->101 103 Writes to foreign memory regions 19->103 105 2 other signatures 19->105 32 conhost.exe 3 19->32         started        34 WerFault.exe 21->34         started        signatures6 process7 signatures8 143 Antivirus detection for dropped file 25->143 145 Machine Learning detection for dropped file 25->145 147 Writes to foreign memory regions 25->147 151 2 other signatures 25->151 36 conhost.exe 4 25->36         started        149 Loading BitLocker PowerShell Module 28->149 39 conhost.exe 28->39         started        41 WmiPrvSE.exe 28->41         started        43 conhost.exe 28->43         started        45 sihost64.exe 32->45         started        process9 file10 85 C:\Users\user\AppData\...\services64.exe, PE32+ 36->85 dropped 48 cmd.exe 1 36->48         started        50 cmd.exe 1 36->50         started        159 Writes to foreign memory regions 45->159 161 Allocates memory in foreign processes 45->161 163 Creates a thread in another existing process (thread injection) 45->163 53 conhost.exe 45->53         started        signatures11 process12 signatures13 55 services64.exe 48->55         started        58 conhost.exe 48->58         started        115 Uses schtasks.exe or at.exe to add and modify task schedules 50->115 60 conhost.exe 50->60         started        62 schtasks.exe 1 50->62         started        process14 signatures15 137 Writes to foreign memory regions 55->137 139 Allocates memory in foreign processes 55->139 141 Creates a thread in another existing process (thread injection) 55->141 64 conhost.exe 6 55->64         started        process16 file17 81 C:\Users\user\AppData\...\sihost64.exe, PE32+ 64->81 dropped 83 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 64->83 dropped 107 Found strings related to Crypto-Mining 64->107 109 Injects code into the Windows Explorer (explorer.exe) 64->109 111 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 64->111 113 4 other signatures 64->113 68 sihost64.exe 64->68         started        71 explorer.exe 64->71         started        signatures18 process19 dnsIp20 125 Antivirus detection for dropped file 68->125 127 Machine Learning detection for dropped file 68->127 129 Writes to foreign memory regions 68->129 135 2 other signatures 68->135 74 conhost.exe 3 68->74         started        95 pool.hashvault.pro 45.76.89.70, 49759, 80 AS-CHOOPAUS United States 71->95 131 System process connects to network (likely due to code injection or exploit) 71->131 133 Query firmware table information (likely to detect VMs) 71->133 signatures21 process22 process23 76 services64.exe 74->76         started        signatures24 153 Writes to foreign memory regions 76->153 155 Allocates memory in foreign processes 76->155 157 Creates a thread in another existing process (thread injection) 76->157 79 conhost.exe 3 76->79         started        process25
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3deb1c82c0d030534d168b9857c7ed13815917146448e1ab6844f4a90edc2a7d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3deb1c82c0d030534d168b9857c7ed13815917146448e1ab6844f4a90edc2a7d/
Threat name:
ByteCode-MSIL.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2024-10-07 22:14:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hxvrzawa2ayfgtiwromfpr7ncoavsfyumreodk3iit2ksdw4fj6q._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
0a412e07ceb7cf6f3eee9d30226f29afce7552778efdab9cb5dc4e4a5f50fa91
CoinMiner
808d7814528d034dffd63b977536dd00fbfb7799232855f870e9e31d1af98020
CoinMiner
9196c33d47bc1528ea02d002a5d36c7cdde619d8f0530a7508e06ca58b742bc0
CoinMiner
b153bb6a5f560dae6880d9b08c49bd35991b64cbdc0bdb453c0dc062f1480798
CoinMiner
error
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion miner
Link:
https://tria.ge/reports/241007-15nn9szbrd/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
XMRig Miner payload
xmrig
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e96869e8-248a-4df6-9c8b-f774ed453b4e
Unpacked files
SH256 hash:
c41e02cdc0203c4ed41abf43c9a8722e872c0ddcd61fe45820d748f98857a83b
MD5 hash:
609aed1e6de4efe21ff9d0d8e3a674a6
SHA1 hash:
3ddda6196c90f7202e4d4ee08a015b673c632a68
Link:
https://www.unpac.me/results/5a1360e8-1d18-472c-9f32-764646fd63e2/
SH256 hash:
3deb1c82c0d030534d168b9857c7ed13815917146448e1ab6844f4a90edc2a7d
MD5 hash:
831c0b3184feb755997ee1ec5e474ca8
SHA1 hash:
45daae9fbc40e84523ff7bf15742f6bf7bac1462
Detections:
SUSP_OBF_NET_ConfuserEx_Packer_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5a1360e8-1d18-472c-9f32-764646fd63e2/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3deb1c82c0d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3deb1c82c0d030534d168b9857c7ed13815917146448e1ab6844f4a90edc2a7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 3deb1c82c0d030534d168b9857c7ed13815917146448e1ab6844f4a90edc2a7d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3224069/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments


Avatar
zbet commented on 2024-10-07 22:13:14 UTC

url : hxxp://51.79.158.135/Tester.exe