MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4becf5486e15b31584038444e3cee0ac9c4e3770b6f9fd03a0288d997e2d9608. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4becf5486e15b31584038444e3cee0ac9c4e3770b6f9fd03a0288d997e2d9608
SHA3-384 hash: 813bf41c249bec32e5e6e9a1b657a3d022606a7c6d646e23736f5f1161c2a031022b2012472eaaa4782c2908e94ba5e1
SHA1 hash: 4dc4c0a8856e4666cbeba4da541da4f982d08904
MD5 hash: 1d923f302e663e4a6241cd398c85934e
humanhash: sink-chicken-ceiling-fruit
File name:ProtonVPNcrackV212.13.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:9'288'192 bytes
First seen:2021-11-17 17:24:58 UTC
Last seen:2021-11-17 19:17:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 889336afd01a952ba79d1e90fb751739 (14 x CoinMiner)
ssdeep 196608:XUHIwWAr3tYVXVkdfjQSfFLb0eXTvFeCVDOKGJKfMEKQ:EHIi/jZfFPLDfUEp
Threatray 304 similar samples on MalwareBazaar
TLSH T1E29623BA218D3718C80EC4B45533A98A73B6171E47F8966AF6DFB7806BDF444E612F04
Reporter JaffaCakes118
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206947/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.44191.23927.24155.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61953af043e8f62b66975c2a/reports/2d203d10-84e0-4f06-b363-929139254904/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e4efb71-d44d-4256-b898-6bb9b2905447
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/891394
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates files with lurking names (e.g. Crack.exe)
Detected Stratum mining protocol
Detected VMProtect packer
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potential dropper URLs found in powershell memory
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
System process connects to network (likely due to code injection or exploit)
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 523867 Sample: ProtonVPNcrackV212.13.exe Startdate: 17/11/2021 Architecture: WINDOWS Score: 100 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus / Scanner detection for submitted sample 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 6 other signatures 2->97 9 ProtonVPNcrackV212.13.exe 6 2->9         started        13 services64.exe 2->13         started        15 svchost.exe 2->15         started        18 3 other processes 2->18 process3 dnsIp4 67 C:\Users\user\Microsoft\services64.exe, PE32+ 9->67 dropped 69 C:\Users\...\services64.exe:Zone.Identifier, ASCII 9->69 dropped 71 C:\Users\...\ProtonVPNcrackV212.13.exe.log, ASCII 9->71 dropped 117 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->117 119 Creates files with lurking names (e.g. Crack.exe) 9->119 121 Tries to evade analysis by execution special instruction which cause usermode exception 9->121 129 2 other signatures 9->129 20 backgroundTaskHost.exe 1 14 9->20         started        22 cmd.exe 1 9->22         started        25 cmd.exe 9->25         started        27 cmd.exe 9->27         started        123 Antivirus detection for dropped file 13->123 125 Multi AV Scanner detection for dropped file 13->125 127 Tries to detect debuggers (CloseHandle check) 13->127 29 cmd.exe 13->29         started        81 192.168.2.1 unknown unknown 15->81 file5 signatures6 process7 signatures8 31 services64.exe 20->31         started        35 conhost.exe 20->35         started        113 Encrypted powershell cmdline option found 22->113 115 Uses schtasks.exe or at.exe to add and modify task schedules 22->115 37 powershell.exe 22 22->37         started        39 powershell.exe 22 22->39         started        41 conhost.exe 22->41         started        43 conhost.exe 25->43         started        45 schtasks.exe 25->45         started        47 conhost.exe 29->47         started        49 2 other processes 29->49 process9 file10 73 C:\Users\user\AppData\...\sihost64.exe, PE32+ 31->73 dropped 75 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 31->75 dropped 83 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 31->83 85 Injects code into the Windows Explorer (explorer.exe) 31->85 87 Writes to foreign memory regions 31->87 89 5 other signatures 31->89 51 sihost64.exe 31->51         started        54 explorer.exe 31->54         started        57 cmd.exe 31->57         started        signatures11 process12 dnsIp13 99 Antivirus detection for dropped file 51->99 101 Writes to foreign memory regions 51->101 103 Allocates memory in foreign processes 51->103 105 Creates a thread in another existing process (thread injection) 51->105 59 conhost.exe 51->59         started        77 168.119.38.182, 49815, 80 HETZNER-ASDE Germany 54->77 79 pool.hashvault.pro 54->79 107 System process connects to network (likely due to code injection or exploit) 54->107 109 Query firmware table information (likely to detect VMs) 54->109 111 Encrypted powershell cmdline option found 57->111 61 conhost.exe 57->61         started        63 powershell.exe 57->63         started        65 powershell.exe 57->65         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4becf5486e15b31584038444e3cee0ac9c4e3770b6f9fd03a0288d997e2d9608/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-11-17 17:25:05 UTC
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
CoinMiner
2b0cd91072bc81875fba4d9dc3b293500f110b57dd9d37028556fdb296705fb0
CoinMiner
3aca6ead27ffa0e7384af61f022b180f305bca729e8cc4b29390b5067b673fcc
CoinMiner
4a2c3f7e489652350d3fd9df4259c52e2a9be9eb507d011779079d1e57e0301d
CoinMiner
66d2fe8e0af50d2d155608a4dfba701aa321fa7b83d5858a91f95f9bbc96f1d1
CoinMiner
7e6b525d20c679bb8241177f2e307bb9c5b9070e4846a033640eb45eafcf64ea
CoinMiner
b37e87a30c379dd3d84b2f9b5819cb32335d7230156d3ea01a7309502e9e6d0d
CoinMiner
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
CoinMiner
e67db91b7e8bcf1cf40735c556df7971af493cfd6b0fe4ffd25774ca7c31e070
CoinMiner
fa1a41ff82f9d6ca0473f9ac67f0d46e9576dd6608f9682d245f48ea872a3859
CoinMiner
+ 294 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner vmprotect
Link:
https://tria.ge/reports/211117-vzabssadcq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
4becf5486e15b31584038444e3cee0ac9c4e3770b6f9fd03a0288d997e2d9608
MD5 hash:
1d923f302e663e4a6241cd398c85934e
SHA1 hash:
4dc4c0a8856e4666cbeba4da541da4f982d08904
Link:
https://www.unpac.me/results/f04f481d-671a-4c4a-94d4-3b439158f0b8/
Malware family:
XMRIG
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4becf5486e15/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4becf5486e15b31584038444e3cee0ac9c4e3770b6f9fd03a0288d997e2d9608

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 4becf5486e15b31584038444e3cee0ac9c4e3770b6f9fd03a0288d997e2d9608

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/206947/

Comments