MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47a48d10d6a249bab803c4927358ea78e97f42232667fde0f5a65bc642928ef1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47a48d10d6a249bab803c4927358ea78e97f42232667fde0f5a65bc642928ef1
SHA3-384 hash: 73bab9f352efeb76cbbc5ad7c4477dbe7a9caf35424d06fa09a0847fb164752d4cd991b986bced095130c9ee14735026
SHA1 hash: 249112ed1201a3f2aeab23c9f80c519ab9cc6578
MD5 hash: 7f23a024a1ee93b094169210dbc5a612
humanhash: wolfram-glucose-papa-idaho
File name:7f23a024a1ee93b094169210dbc5a612
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'340'288 bytes
First seen:2021-12-14 04:13:53 UTC
Last seen:2021-12-14 06:49:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61c3df730291850fea0c9a7171786100 (13 x CoinMiner)
ssdeep 49152:2PS5ymy6Ri+UeqqJFxrcKtTqvbXVubrlNkX5G6kgINlckE7jjFDxCPbaAxTjT4sL:2Pyz0J4Fc4brKI6slckE7/PXAHaW
TLSH T129F533C3F48FDEF9D10708B7AA156214AB2E08728EF79521C74CA74EB1D3913139BA56
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://92.255.85.131/dashboard/img/rundll32.exe
Verdict:
Malicious activity
Analysis date:
2021-12-14 01:29:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3174bdbf-58a4-45ac-8f83-93041a6fcf2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/213806/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47646196.27024.11923.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Running batch commands
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1878/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
enigma packed
Link:
https://www.filescan.io/uploads/61b81a118a1c0aab6a87548c/reports/9d9e31ba-9321-4285-b978-a4eba961a715/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/64cd7504-3c20-4820-8de9-b12e3876ffdf
Result
Threat name:
Phoenix Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/906846
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Writes to foreign memory regions
Yara detected Phoenix Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 539324 Sample: NFUfFYzj98 Startdate: 14/12/2021 Architecture: WINDOWS Score: 100 102 raw.githubusercontent.com 2->102 104 github.com 2->104 124 Antivirus detection for dropped file 2->124 126 Multi AV Scanner detection for dropped file 2->126 128 Multi AV Scanner detection for submitted file 2->128 130 4 other signatures 2->130 12 NFUfFYzj98.exe 1 22 2->12         started        17 RegHost.exe 16 2->17         started        signatures3 process4 dnsIp5 118 github.com 140.82.121.4, 443, 49759, 49760 GITHUBUS United States 12->118 120 raw.githubusercontent.com 185.199.108.133, 443, 49761, 49764 FASTLYUS Netherlands 12->120 94 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 12->94 dropped 96 C:\Users\user\AppData\Roaming\...\7z.exe, PE32+ 12->96 dropped 98 C:\Users\user\AppData\Roaming\...\7z.dll, PE32+ 12->98 dropped 100 2 other files (none is malicious) 12->100 dropped 148 Detected unpacking (changes PE section rights) 12->148 150 Detected unpacking (overwrites its own PE header) 12->150 152 Injects code into the Windows Explorer (explorer.exe) 12->152 160 4 other signatures 12->160 19 explorer.exe 1 12->19         started        22 bfsvc.exe 1 12->22         started        24 cmd.exe 1 12->24         started        32 2 other processes 12->32 122 185.199.110.133, 443, 49773, 49776 FASTLYUS Netherlands 17->122 154 Multi AV Scanner detection for dropped file 17->154 156 Machine Learning detection for dropped file 17->156 158 Writes to foreign memory regions 17->158 26 bfsvc.exe 1 17->26         started        28 cmd.exe 1 17->28         started        30 cmd.exe 1 17->30         started        34 2 other processes 17->34 file6 signatures7 process8 dnsIp9 132 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 19->132 37 RegHost.exe 17 19->37         started        134 Hides threads from debuggers 22->134 41 conhost.exe 22->41         started        43 7z.exe 2 24->43         started        46 conhost.exe 24->46         started        48 conhost.exe 26->48         started        50 7z.exe 2 28->50         started        52 conhost.exe 28->52         started        54 2 other processes 30->54 56 2 other processes 32->56 106 192.168.2.1 unknown unknown 34->106 signatures10 process11 dnsIp12 108 140.82.121.3, 443, 49796, 49797 GITHUBUS United States 37->108 110 raw.githubusercontent.com 37->110 112 github.com 37->112 136 Injects code into the Windows Explorer (explorer.exe) 37->136 138 Writes to foreign memory regions 37->138 140 Allocates memory in foreign processes 37->140 142 3 other signatures 37->142 58 bfsvc.exe 37->58         started        62 explorer.exe 37->62         started        64 cmd.exe 37->64         started        66 2 other processes 37->66 90 C:\Users\user\AppData\...\RegHost_Temp.exe, PE32+ 43->90 dropped 92 C:\Users\user\AppData\...\RegData_Temp.exe, PE32+ 50->92 dropped file13 signatures14 process15 file16 88 \Device\ConDrv, ASCII 58->88 dropped 146 Hides threads from debuggers 58->146 68 conhost.exe 58->68         started        70 RegHost.exe 62->70         started        74 conhost.exe 64->74         started        76 7z.exe 64->76         started        78 conhost.exe 66->78         started        80 7z.exe 66->80         started        signatures17 process18 dnsIp19 114 raw.githubusercontent.com 70->114 116 github.com 70->116 144 Hides threads from debuggers 70->144 82 cmd.exe 70->82         started        84 conhost.exe 70->84         started        signatures20 process21 process22 86 conhost.exe 82->86         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47a48d10d6a249bab803c4927358ea78e97f42232667fde0f5a65bc642928ef1/
Threat name:
Win64.Trojan.Vimditator
Create hunting rule
Status:
Malicious
First seen:
2021-12-14 04:14:21 UTC
File Type:
PE+ (Exe)
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211214-etpljagagp/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
47a48d10d6a249bab803c4927358ea78e97f42232667fde0f5a65bc642928ef1
MD5 hash:
7f23a024a1ee93b094169210dbc5a612
SHA1 hash:
249112ed1201a3f2aeab23c9f80c519ab9cc6578
Link:
https://www.unpac.me/results/1c5a3d35-360b-4943-bc2c-4c7a683b88c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47a48d10d6a249bab803c4927358ea78e97f42232667fde0f5a65bc642928ef1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 47a48d10d6a249bab803c4927358ea78e97f42232667fde0f5a65bc642928ef1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1882483/
Cape
Cape
https://www.capesandbox.com/analysis/213806/

Comments


Avatar
zbet commented on 2021-12-14 04:13:54 UTC

url : hxxp://92.255.85.131/dashboard/img/rundll32.exe