MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52e8bb888f9035928e87e31b8ada54db336a747f1c7e802d7f7eef9fdc7e1a04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52e8bb888f9035928e87e31b8ada54db336a747f1c7e802d7f7eef9fdc7e1a04
SHA3-384 hash: 221c511a2ca59fa0171ddeafedd27358c88f93574d938fd5e2b593bb5838442125122c73aa091d1117d3c91435d725d5
SHA1 hash: 19ff9f849be520089fcda8b82823b0e62956af36
MD5 hash: 9ee15d4c37ceab48e76e710b45f03fea
humanhash: delaware-cup-nitrogen-sodium
File name:9ee15d4c37ceab48e76e710b45f03fea.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'069'417 bytes
First seen:2023-10-11 19:31:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5e0355f8764c235b38759b860077ceb (1 x Adware.QQpass, 1 x CoinMiner)
ssdeep 98304:K30RhUp9Jyo6dVAngZAPnTOMoUAjx+mGxzBWOx:e0XUpHyo6LAn1PnTvj+5wzBjx
Threatray 12 similar samples on MalwareBazaar
TLSH T19916333109DB17A7CAACD03295CA6D75D8A420147652513BEA297E86FCFC18AFF307E1
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon a661d572b3b0f0f2 (1 x Adware.QQpass, 1 x CoinMiner)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9ee15d4c37ceab48e76e710b45f03fea.exe
Verdict:
Malicious activity
Analysis date:
2023-10-11 20:00:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e7f9a680-d8e1-4257-a915-3c59f361ee46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/453490/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Flystudio-6937682-0
Create hunting rule

Win.Trojan.Agent-111655
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
aspack overlay packed packed
Link:
https://www.filescan.io/uploads/6526f83724a90472670976c1/reports/c3223061-69ab-4054-8d46-ea402bdf06ba/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/52e8bb888f9035928e87e31b8ada54db336a747f1c7e802d7f7eef9fdc7e1a04
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/895d8337-b920-439d-a3d1-15cfe376619b
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1324085
Signature
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1324085 Sample: kDTGTVIHAr.exe Startdate: 11/10/2023 Architecture: WINDOWS Score: 60 24 xui.ptlogin2.qq.com 2->24 26 ui.ptlogin2.qq.com 2->26 28 21 other IPs or domains 2->28 46 Antivirus detection for URL or domain 2->46 48 Machine Learning detection for sample 2->48 50 Machine Learning detection for dropped file 2->50 52 PE file has a writeable .text section 2->52 7 kDTGTVIHAr.exe 4 60 2->7         started        11 chrome.exe 1 2->11         started        signatures3 process4 dnsIp5 30 gsylhj3x.ovslegodl.sched.ovscdns.com 101.33.20.249, 443, 49763, 49775 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 7->30 32 ins-ck07kq9h.ias.tencent-cloud.net 129.226.103.162, 443, 49758, 49759 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Singapore 7->32 38 8 other IPs or domains 7->38 16 C:\Users\user\AppData\Local\...\xplib.fne, PE32 7->16 dropped 18 C:\Users\user\AppData\Local\Temp\...\spec.fne, PE32 7->18 dropped 20 C:\Users\user\AppData\Local\...\shell.fne, PE32 7->20 dropped 22 16 other malicious files 7->22 dropped 34 192.168.2.4, 138, 443, 49354 unknown unknown 11->34 36 239.255.255.250 unknown Reserved 11->36 13 chrome.exe 11->13         started        file6 process7 dnsIp8 40 best.ovslegodl.sched.ovscdns.com 128.14.247.115, 443, 49805 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK United States 13->40 42 101.33.17.48, 443, 49852, 49853 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 13->42 44 33 other IPs or domains 13->44
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52e8bb888f9035928e87e31b8ada54db336a747f1c7e802d7f7eef9fdc7e1a04/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-10-11 13:57:07 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=klulxcepsa2zfduh4mnyvwsu3mzwu5d7dr7iall7p3xz7xd6dica._file
Verdict:
malicious
Similar samples:
0c3fe692a41411694e7bf89729008d344351da7961755f0d7ba9c58249b37aa1
CoinMiner
149741274dbc5dc82d83766d39bcfb918f8ac5757e0002b1ab5c56f6e6648074
CoinMiner
1c2ffcdacc67ed928064e5eea666a7e09e635854b6daa07c41ceeb7033ed923e
CoinMiner
20f50b240a1aaea2b5a962a03e4b07db415a7c8149e7777f608f32705761681c
CoinMiner
341cd2df1ecb5f27225c1f53bcc38cec2e5e94503f0b3c2040b93a01b7721aea
CoinMiner
63ca43cb57d0f7cd204631a9e9ae8e9856787fb246b84bd99ec3561f5adb24ca
CoinMiner
729b9c38e2230f41260beef114d0a3714da4914642f99b383e7b0c909620b664
CoinMiner
738ff1b734f45db5f96fcf7cf44bc19be88ae922ef08a4b1952bdc3b12e86090
CoinMiner
a92ef3003ca08593ac9552ca1f4a3b8e9586b9177c4cdf7a13b008d4e2eed9de
CoinMiner
bd0d884649509aece899372e0bea6f6dbe833b463e35206753dae69a0bc60632
CoinMiner
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
aspackv2
Link:
https://tria.ge/reports/231011-x8zn6aha2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
ASPack v2.12-2.42
Loads dropped DLL
Unpacked files
SH256 hash:
0216a0f6d6d5360ab487e696b26a39eb81a1e2c8cd7f59c054c90ab99a858daf
MD5 hash:
d2a9c02acb735872261d2abc6aff7e45
SHA1 hash:
fce6c2cf2465856168ea55ccd806155199a6f181
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
SH256 hash:
fd672602ed6371ee5ec7d4d1c0311c4326ff075316c91dd628b075b046fae682
MD5 hash:
1a4d03ebc83a1fc3150c4bc9fd597b45
SHA1 hash:
dd7b3aead6f38ebfa3a3439b39beab3de1d0513b
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
SH256 hash:
2e9769ace867c79d5fcdda0eb2660c52b5e062c69b36add42d22eb0dddc4b3ee
MD5 hash:
f9a994df4d407bc79f7c84886fe7a654
SHA1 hash:
c93e4be70794164b7b339218cc832ac94074d08e
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
SH256 hash:
a8b14f31098a191631696db5ddc77e029b48999542e0ec15b63df02220c66d37
MD5 hash:
dba5fdbe7ec94463b3f6fdf2162c9f95
SHA1 hash:
a97137b4f2b77166b2a23da1f58e0bdb7365f4f2
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
Parent samples :
05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c
0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3
0b2a852742c7d974fe16a45a7c6fb5efcf7b03f19e7029f9c43284a2ea5be84f
b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97
e30a9bee5ee26e31edbdd2654969551cbabd2694b8703539f768c04b53c19be0
SH256 hash:
d1a1c6bac6a498adccdafab9d600a372aa9d5b826a33cfa06aaa9f75357c5b23
MD5 hash:
8f385e7c8cf1f8ebdae0448473977cc7
SHA1 hash:
942bf465e29a5e5f85580eb30aa9510b92f802d7
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
SH256 hash:
25ed7ed1a08c63f40da1d378c9922efd0db9627e2856848469961bf64a86e40d
MD5 hash:
af60aac7484ba84bfb6d5a39aea349a3
SHA1 hash:
7e4862c0735ac4f881de87317fc3e864eaa33cce
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
SH256 hash:
53483523c316ad8c022c2b07a5cabfff3339bc5cb5e4ac24c3260eea4f4d9731
MD5 hash:
7c1ff88991f5eafab82b1beaefc33a42
SHA1 hash:
5ea338434c4c070aaf4e4e3952b4b08b551267bc
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
SH256 hash:
1b28d05c306b575319c6fb9b08276b2204a7b569d9e540879ce67c8d17640990
MD5 hash:
f6a2a92194fc69858ffa9aa1557454da
SHA1 hash:
47dbb9abb4d83e2d21c6107c11244f8daae0cc5d
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
SH256 hash:
19b4d189a73b79a73c2ddd678ed5ff7357d92494cf76a21372a58e3dce075d50
MD5 hash:
e5e521468e2a9f9b314e06e29116b5a9
SHA1 hash:
4044a4efd7998e8c4245e632b18056b089f0aa53
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
SH256 hash:
4bed8a6e4e1548fddee40927b438132b47ef2aca6e9beb06b89fcf7714726310
MD5 hash:
1eece63319e7c5f6718562129b1572f1
SHA1 hash:
089ea3a605639eb1292f6a2a9720f0b2801b0b6e
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
SH256 hash:
590c9ba4cad5a401c071f89f8468c45031a637f1c137ca320d9dbe82e4beabd6
MD5 hash:
2b86ad8cd1903916ae5a3cd7ec2f1b9e
SHA1 hash:
0240b4f0795ed3bf24748954fee6751901f26f2c
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
SH256 hash:
bff26ea9c196da75ef694c3b6309945cae3a8ad196762eb23c1695e1aca0c2e9
MD5 hash:
38d373a95796d876b878bd24d58c6ac6
SHA1 hash:
3ad5b29350a2425b357876743167f60707334d14
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
SH256 hash:
52e8bb888f9035928e87e31b8ada54db336a747f1c7e802d7f7eef9fdc7e1a04
MD5 hash:
9ee15d4c37ceab48e76e710b45f03fea
SHA1 hash:
19ff9f849be520089fcda8b82823b0e62956af36
Link:
https://www.unpac.me/results/4b5695d9-eda3-4354-9f73-16fb87794a5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52e8bb888f9035928e87e31b8ada54db336a747f1c7e802d7f7eef9fdc7e1a04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ASPackv212AlexeySolodovnikov
Create hunting rule
Author:malware-lu
Rule name:ASProtectV2XDLLAlexeySolodovnikov
Create hunting rule
Author:malware-lu
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 52e8bb888f9035928e87e31b8ada54db336a747f1c7e802d7f7eef9fdc7e1a04

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2301795/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/453490/

Comments