MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f17869890959881875aa76921e47b1385937d7a5f7318d05271457c878ceac7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f17869890959881875aa76921e47b1385937d7a5f7318d05271457c878ceac7
SHA3-384 hash: 5c3d98f80008f54b4e4a53773afe565a2b6fd2f01410052bd6f5d3aef7528a386580505a2669acb0b1ec88eef834b804
SHA1 hash: 0656c6188b1e5f230f5ff3985b3942cd522936b3
MD5 hash: 0d2465c80d04980a142dfe7843bbaa2f
humanhash: colorado-sad-william-eighteen
File name:0d2465c80d04980a142dfe7843bbaa2f
Download: download sample
Signature CoinMiner
Create hunting rule
File size:11'570'488 bytes
First seen:2021-12-21 00:29:50 UTC
Last seen:2021-12-21 03:05:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dc12932426806b6b47a373d7ae42c21d (12 x CoinMiner, 1 x StealeriumStealer)
ssdeep 196608:FHBG7FJ00pwPDTotvU/u349JK77AYjvCVwPFJcPcppXD7dsNvnYt:T4+DUts2SM7BrCVwPTcPcppXD7dWfU
Threatray 17 similar samples on MalwareBazaar
TLSH T160C6BEE621C6A6EDC416C67BC713FD7FC98F70364B26A4F39058A2129C66CC43676E09
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0d2465c80d04980a142dfe7843bbaa2f
Verdict:
No threats detected
Analysis date:
2021-12-21 06:10:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed94eea7-be6d-4b6e-8fa5-27b5a410eba5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215549/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.13496.3431.2689.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
DNS request
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Creating a process with a hidden window
Creating a service
Launching a service
Loading a system driver
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun for a service
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2801/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm overlay packed
Link:
https://www.filescan.io/uploads/61c1200e8991ba72b38f5050/reports/e6908964-9fd5-4afd-a7b8-cafada4fbd3c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1120f712-38db-4be7-a15f-0fc23aee1ad7
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910690
Signature
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 543166 Sample: lyq6P6xmA9 Startdate: 21/12/2021 Architecture: WINDOWS Score: 100 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected Xmrig cryptocurrency miner 2->62 64 3 other signatures 2->64 8 lyq6P6xmA9.exe 5 2->8         started        12 svchost.exe 1 1 2->12         started        15 svchost.exe 1 2->15         started        17 3 other processes 2->17 process3 dnsIp4 40 C:\Users\user\AppData\...\services.exe, PE32+ 8->40 dropped 42 C:\Users\...\services.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\...\lyq6P6xmA9.exe.log, ASCII 8->44 dropped 76 Detected unpacking (changes PE section rights) 8->76 78 Tries to detect virtualization through RDTSC time measurements 8->78 80 Drops PE files with benign system names 8->80 19 cmd.exe 1 8->19         started        21 cmd.exe 1 8->21         started        54 127.0.0.1 unknown unknown 12->54 56 192.168.2.1 unknown unknown 12->56 file5 signatures6 process7 signatures8 24 services.exe 8 19->24         started        28 conhost.exe 19->28         started        74 Uses schtasks.exe or at.exe to add and modify task schedules 21->74 30 conhost.exe 21->30         started        32 schtasks.exe 1 21->32         started        process9 file10 46 C:\Users\user\AppData\...\sihost64.exe, PE32+ 24->46 dropped 48 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 24->48 dropped 82 Multi AV Scanner detection for dropped file 24->82 84 Writes to foreign memory regions 24->84 86 Allocates memory in foreign processes 24->86 88 4 other signatures 24->88 34 notepad.exe 24->34         started        38 sihost64.exe 2 24->38         started        signatures11 process12 dnsIp13 50 136.243.49.177, 443, 49746 HETZNER-ASDE Germany 34->50 52 pool.minexmr.com 34->52 66 System process connects to network (likely due to code injection or exploit) 34->66 68 Query firmware table information (likely to detect VMs) 34->68 70 Multi AV Scanner detection for dropped file 38->70 72 Tries to detect sandboxes and other dynamic analysis tools (window names) 38->72 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f17869890959881875aa76921e47b1385937d7a5f7318d05271457c878ceac7/
Threat name:
Win64.Trojan.Fsysna
Create hunting rule
Status:
Malicious
First seen:
2021-12-20 23:56:26 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
20906f345b3c3cefe54adc059792cfa4c098f0547df80c8c7e70ff79c914ae38
CoinMiner
29b10facf712978e41161daf15235a8d74ef5cf16318a5887e39ee1e8cff297b
CoinMiner
81f4c01d5065f9332a7777b3fb6e5d3113560b68ddaea6da547c5533fc6c5bfb
CoinMiner
831ba6efa4a49eb1c7ff749fe442b393c5a614f383bf1efb52512a183b4362fc
CoinMiner
9debd5d7a5f7cf87a37d1f1432878baa0ac7cf6ecca5b4bfdcfa1163f07a6953
CoinMiner
9f387190a5ac2872f67933759c544031a1485727d41329d9c4740c2358c54fe0
CoinMiner
da5edd26691ace1af31cfc1e1ae61de36e1c82f02aba24835ca566fe0c9b71a0
CoinMiner
df0bc1a4eb32d964f7405e8238e28d4c67e33e8552c708247a4cd654a30b836d
CoinMiner
f8915227c25c5ac552d66f3708f615cd517363953829d3715f38666d7dfa9770
CoinMiner
fd50e5ce3b80417115401a4cc61ba7efd5c4d6f13d9166c26cc456b111d39fbb
CoinMiner
+ 7 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211221-athe1achcm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
3f17869890959881875aa76921e47b1385937d7a5f7318d05271457c878ceac7
MD5 hash:
0d2465c80d04980a142dfe7843bbaa2f
SHA1 hash:
0656c6188b1e5f230f5ff3985b3942cd522936b3
Link:
https://www.unpac.me/results/5bd6201f-97dd-48fe-8be0-8efde9c543bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3f17869890959881875aa76921e47b1385937d7a5f7318d05271457c878ceac7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 3f17869890959881875aa76921e47b1385937d7a5f7318d05271457c878ceac7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1905177/
Cape
Cape
https://www.capesandbox.com/analysis/215549/

Comments


Avatar
zbet commented on 2021-12-21 00:29:53 UTC

url : hxxp://data-file-data-7.com/files/779_1640017135_5300.exe