MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f455ca76b835252edbdf8af27c5065a4218fba19cb6392a319a4572658d846b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f455ca76b835252edbdf8af27c5065a4218fba19cb6392a319a4572658d846b
SHA3-384 hash: e9cd0aabbbb5a86302fb2dafdcf3e34e07bae746dca7eea4f8aff5af8d24ecd0265069989a4ea0d72df01cb963a441b7
SHA1 hash: 5438f63756efd6ab6f9c97de352e054c0546ba30
MD5 hash: a1ba7ac735b4bea143d86985876c9a0b
humanhash: jersey-river-echo-nine
File name:a1ba7ac735b4bea143d86985876c9a0b
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'042'880 bytes
First seen:2021-11-01 02:02:25 UTC
Last seen:2021-11-01 04:15:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:TT4y52Dn2Gc9uovxwk9M+l7QhKuosRaaXGkxmHsMi/R3:/Ma19lIKuo2aSmrwh
TLSH T1229533960E17DC7BF204C47D9A7308EA3E6372AE0EAC961F6788B2B0926537D5741F05
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://a0594839.xsph.ru/22.exe
Verdict:
No threats detected
Analysis date:
2021-10-30 22:52:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a8ff8ad2-ef26-4e62-91aa-bc8fe632a2d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.2155.23482.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9900a979-75ff-4b38-9966-4040cf553589
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/880097
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 512531 Sample: 3V07zOUsHD Startdate: 01/11/2021 Architecture: WINDOWS Score: 80 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected BitCoin Miner 2->50 9 services32.exe 2->9         started        12 3V07zOUsHD.exe 2->12         started        process3 signatures4 62 Multi AV Scanner detection for dropped file 9->62 64 Writes to foreign memory regions 9->64 66 Allocates memory in foreign processes 9->66 14 conhost.exe 5 9->14         started        68 Creates a thread in another existing process (thread injection) 12->68 18 conhost.exe 5 12->18         started        process5 dnsIp6 46 192.168.2.1 unknown unknown 14->46 40 C:\Users\user\AppData\...\sihost32.exe, PE32+ 14->40 dropped 20 sihost32.exe 14->20         started        42 C:\Users\user\AppData\...\services32.exe, PE32+ 18->42 dropped 44 C:\Users\...\services32.exe:Zone.Identifier, ASCII 18->44 dropped 23 cmd.exe 1 18->23         started        25 cmd.exe 1 18->25         started        file7 process8 signatures9 52 Multi AV Scanner detection for dropped file 20->52 54 Writes to foreign memory regions 20->54 56 Allocates memory in foreign processes 20->56 58 Creates a thread in another existing process (thread injection) 20->58 27 conhost.exe 2 20->27         started        29 services32.exe 23->29         started        32 conhost.exe 23->32         started        60 Uses schtasks.exe or at.exe to add and modify task schedules 25->60 34 conhost.exe 25->34         started        36 schtasks.exe 1 25->36         started        process10 signatures11 70 Writes to foreign memory regions 29->70 72 Allocates memory in foreign processes 29->72 74 Creates a thread in another existing process (thread injection) 29->74 38 conhost.exe 2 29->38         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f455ca76b835252edbdf8af27c5065a4218fba19cb6392a319a4572658d846b/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-10-30 20:32:44 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211101-cgpdwsgfd2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
3f455ca76b835252edbdf8af27c5065a4218fba19cb6392a319a4572658d846b
MD5 hash:
a1ba7ac735b4bea143d86985876c9a0b
SHA1 hash:
5438f63756efd6ab6f9c97de352e054c0546ba30
Link:
https://www.unpac.me/results/81548d45-e805-408a-a4b1-c20590b7e3c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3f455ca76b835252edbdf8af27c5065a4218fba19cb6392a319a4572658d846b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 3f455ca76b835252edbdf8af27c5065a4218fba19cb6392a319a4572658d846b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1734382/

Comments


Avatar
zbet commented on 2021-11-01 02:02:26 UTC

url : hxxp://a0594839.xsph.ru/22.exe