MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44d35218b3d50c6bde65093678b72db54e9a89fc28dfe391abb3e128571cec44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44d35218b3d50c6bde65093678b72db54e9a89fc28dfe391abb3e128571cec44
SHA3-384 hash: 376463a42c376b65f059b5798d80af65d5ff34720da43f30cdfcf2991d95ebd8fa9f80140ed0489fba3b7de1562459ca
SHA1 hash: 2c5d6b3d542461156ba214ee1b636124f9bab18d
MD5 hash: c69a436220ad459a2d95b676b2117ed4
humanhash: tennis-stairway-ceiling-delta
File name:c69a436220ad459a2d95b676b2117ed4
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'608 bytes
First seen:2021-11-11 01:37:27 UTC
Last seen:2021-11-11 05:24:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4bfde1223391e32fec766cd1d41fa3e7 (7 x CoinMiner, 1 x BitRAT, 1 x QuasarRAT)
ssdeep 48:6bO+Z8WTJ6KIoqQUrWOdG0prYmzpc+AZv8B13aLlzUR:2Z82QK5qQCkGvUkv3aLlYR
Threatray 43 similar samples on MalwareBazaar
TLSH T1B991D7E7E7B8DE2DC59B1475277302056BB683B311D247BBE76808FAAB868115C0E30D
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/204895/
Detection(s):
SecuriteInfo.com.Variant.Zusy.401118.19032.1132.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
nitol tiny zusy
Link:
https://www.filescan.io/uploads/618c73fda00afa9663a38359/reports/f5d40ce4-fd2d-41cb-bae8-40a8f96d497d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bb8ceee-192c-4a71-808b-34909022219c
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/887209
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Telegram Recon
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 519682 Sample: Jvm7SawBcY Startdate: 11/11/2021 Architecture: WINDOWS Score: 100 91 Multi AV Scanner detection for domain / URL 2->91 93 Antivirus detection for URL or domain 2->93 95 Sigma detected: Powershell download and execute file 2->95 97 6 other signatures 2->97 12 Jvm7SawBcY.exe 2->12         started        15 services32.exe 2->15         started        process3 signatures4 121 Adds a directory exclusion to Windows Defender 12->121 17 cmd.exe 1 12->17         started        123 Multi AV Scanner detection for dropped file 15->123 125 Writes to foreign memory regions 15->125 127 Allocates memory in foreign processes 15->127 129 Creates a thread in another existing process (thread injection) 15->129 20 conhost.exe 15->20         started        process5 file6 83 Suspicious powershell command line found 17->83 85 Tries to download and execute files (via powershell) 17->85 87 Adds a directory exclusion to Windows Defender 17->87 23 powershell.exe 17->23         started        25 powershell.exe 17->25         started        27 powershell.exe 16 17->27         started        34 4 other processes 17->34 67 C:\Windows\System32\...\sihost32.exe, PE32+ 20->67 dropped 89 Drops executables to the windows directory (C:\Windows) and starts them 20->89 31 sihost32.exe 20->31         started        signatures7 process8 dnsIp9 36 man.exe 23->36         started        39 mann.exe 25->39         started        69 C:\Users\user\AppData\Local\Temp\mann.exe, PE32 27->69 dropped 131 Multi AV Scanner detection for dropped file 31->131 133 Writes to foreign memory regions 31->133 135 Allocates memory in foreign processes 31->135 137 Creates a thread in another existing process (thread injection) 31->137 42 conhost.exe 31->42         started        81 antivirf.ru 81.177.141.85, 443, 49735, 49746 RTCOMM-ASRU Russian Federation 34->81 71 C:\Users\user\AppData\Roaming\man.exe, PE32+ 34->71 dropped 139 Powershell drops PE file 34->139 file10 signatures11 process12 dnsIp13 103 Multi AV Scanner detection for dropped file 36->103 105 Writes to foreign memory regions 36->105 107 Allocates memory in foreign processes 36->107 109 Creates a thread in another existing process (thread injection) 36->109 44 conhost.exe 36->44         started        47 backgroundTaskHost.exe 36->47         started        75 ip-api.com 208.95.112.1, 49761, 80 TUT-ASUS United States 39->75 77 api.telegram.org 149.154.167.220, 443, 49762 TELEGRAMRU United Kingdom 39->77 79 192.168.2.1 unknown unknown 39->79 111 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->111 113 May check the online IP address of the machine 39->113 49 conhost.exe 39->49         started        signatures14 process15 file16 73 C:\Windows\System32\services32.exe, PE32+ 44->73 dropped 51 cmd.exe 44->51         started        54 cmd.exe 44->54         started        process17 signatures18 99 Drops executables to the windows directory (C:\Windows) and starts them 51->99 56 services32.exe 51->56         started        59 conhost.exe 51->59         started        101 Uses schtasks.exe or at.exe to add and modify task schedules 54->101 61 conhost.exe 54->61         started        63 schtasks.exe 54->63         started        process19 signatures20 115 Writes to foreign memory regions 56->115 117 Allocates memory in foreign processes 56->117 119 Creates a thread in another existing process (thread injection) 56->119 65 conhost.exe 56->65         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44d35218b3d50c6bde65093678b72db54e9a89fc28dfe391abb3e128571cec44/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-11-06 23:20:49 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
097798527e285d8896d8099ec86d8e5105b0f135337efc8cd4e3e1e3ec6532e1
CoinMiner
1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57
CoinMiner
56e4f127f991f0ff867fc403eb857ee685c3c4b67c52695d5b8194e085aa1502
CoinMiner
5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c
CoinMiner
995b8ffae8a66e17203565b09cbc2dc46d3e9ae0e61c31de29a3653430f4eda5
CoinMiner
a6e69af95b2cfafbdc192c5c34d065b8e51925534824be3d432c1e2a17375289
CoinMiner
dc9787f1ca396af3c6a84f52c1f4a1969b7d33999507f2093480071fc22e9d63
CoinMiner
+ 33 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/211111-b2d8zsaef8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Looks up external IP address via web service
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Malware Config
Dropper Extraction:
https://antivirf.ru/man.exe
https://antivirf.ru/mann.exe
Unpacked files
SH256 hash:
44d35218b3d50c6bde65093678b72db54e9a89fc28dfe391abb3e128571cec44
MD5 hash:
c69a436220ad459a2d95b676b2117ed4
SHA1 hash:
2c5d6b3d542461156ba214ee1b636124f9bab18d
Link:
https://www.unpac.me/results/9135f71a-7de5-4451-9399-155ba22887ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44d35218b3d50c6bde65093678b72db54e9a89fc28dfe391abb3e128571cec44

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 44d35218b3d50c6bde65093678b72db54e9a89fc28dfe391abb3e128571cec44

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1775155/
Cape
Cape
https://www.capesandbox.com/analysis/204895/

Comments


Avatar
zbet commented on 2021-11-11 01:37:28 UTC

url : hxxp://antivirf.ru/mani.exe