MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5611f533697e92daed847764a46dc86420c4876a0977e79969d3ea9f26bcfc27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5611f533697e92daed847764a46dc86420c4876a0977e79969d3ea9f26bcfc27
SHA3-384 hash: 71df59942bf44502310733d80b09f775c8798b5535c4797e09afe3c25052ded2b33d6e85512b1a2ff4cad5a2f5cd11d3
SHA1 hash: 6365bfe275ffc434776a04d2d4b92c961ef4ca06
MD5 hash: 34c6baee4af65140954977232098ccdc
humanhash: thirteen-carbon-arkansas-missouri
File name:34c6baee4af65140954977232098ccdc
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'999'360 bytes
First seen:2021-08-28 21:51:12 UTC
Last seen:2021-08-29 00:22:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:jo5R67U98hPD2tbR4pDjTWgXjdsMnuwHTkfBwmdaFz++R:F7UR4k4iMVzkfBWz+
Threatray 43 similar samples on MalwareBazaar
TLSH T13A9533F1A8F3D6CAD0250734EE975939A3793BBE03C3A66541D98137A0C9DDF18126AC
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
34c6baee4af65140954977232098ccdc
Verdict:
No threats detected
Analysis date:
2021-08-28 21:51:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/400f32e9-7dab-40e2-a1b7-d2c25d8e9f7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183162/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.46.10286.1072.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Creating a file in the system32 directory
Sending a UDP request
Creating a file in the system32 subdirectories
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/29c29486-874e-4813-a5f5-b341f02ca878
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/840897
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 473324 Sample: 3tqBWU4JJc Startdate: 29/08/2021 Architecture: WINDOWS Score: 92 77 Multi AV Scanner detection for submitted file 2->77 79 Yara detected BitCoin Miner 2->79 81 Machine Learning detection for sample 2->81 83 2 other signatures 2->83 10 3tqBWU4JJc.exe 5 2->10         started        14 services32.exe 3 2->14         started        process3 file4 73 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 10->73 dropped 75 C:\Users\user\AppData\...\3tqBWU4JJc.exe.log, ASCII 10->75 dropped 97 Adds a directory exclusion to Windows Defender 10->97 16 cmd.exe 1 10->16         started        18 cmd.exe 1 10->18         started        99 Multi AV Scanner detection for dropped file 14->99 101 Machine Learning detection for dropped file 14->101 21 cmd.exe 14->21         started        signatures5 process6 signatures7 23 svchost32.exe 6 16->23         started        27 conhost.exe 16->27         started        85 Uses schtasks.exe or at.exe to add and modify task schedules 18->85 87 Adds a directory exclusion to Windows Defender 18->87 29 powershell.exe 21 18->29         started        31 powershell.exe 22 18->31         started        33 conhost.exe 18->33         started        39 2 other processes 18->39 35 conhost.exe 21->35         started        37 powershell.exe 21->37         started        41 3 other processes 21->41 process8 file9 69 C:\Windows\System32\services32.exe, PE32+ 23->69 dropped 71 C:\Windows\...\services32.exe:Zone.Identifier, ASCII 23->71 dropped 91 Multi AV Scanner detection for dropped file 23->91 93 Machine Learning detection for dropped file 23->93 95 Drops executables to the windows directory (C:\Windows) and starts them 23->95 43 services32.exe 23->43         started        46 cmd.exe 1 23->46         started        48 cmd.exe 23->48         started        signatures10 process11 signatures12 103 Adds a directory exclusion to Windows Defender 43->103 50 cmd.exe 43->50         started        53 conhost.exe 46->53         started        55 schtasks.exe 1 46->55         started        57 conhost.exe 48->57         started        59 choice.exe 48->59         started        process13 signatures14 89 Adds a directory exclusion to Windows Defender 50->89 61 conhost.exe 50->61         started        63 powershell.exe 50->63         started        65 powershell.exe 50->65         started        67 2 other processes 50->67 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5611f533697e92daed847764a46dc86420c4876a0977e79969d3ea9f26bcfc27/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 21:52:07 UTC
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kyi7km3jp2jnv3meo5ski3oimqqmjb3kbf36pglj2pvj6jv47qtq._file
Verdict:
unknown
Similar samples:
0633bc4885fc8eb9c2f8bcd8110bff69e47444e68f4beb6757b23b2a2d59d3f7
CoinMiner
4569c2ca16175dd869475526af97004f47e2918edb583043b609fceb86b35161
CoinMiner
50fcaa0ac7219a10cadfce715ba25a2f30fe3939fa3d4e1c899d321e397daa0d
CoinMiner
561b3cf57b33e115cabbb36756579d7fb15ae90656b826cbd286673b2eaef227
CoinMiner
587328521840c2d6fc72391af9027ddba0489878c7bb287058cbad683f6e0191
CoinMiner
9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e
CoinMiner
d99ac72301d4d4c55ee0c6e33ad4e4551bac90b71f80515eea1a3dfe426abf23
CoinMiner
e481e934466d3e768442331a3c3af50c4d430b6ed14059afbe661925338ef531
CoinMiner
f2dc381b529cbc75c03ca8bf1886b0ee6b1e2622f8918a27a876c50889e2ae7e
CoinMiner
+ 33 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210828-23r7pvfmbs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
5611f533697e92daed847764a46dc86420c4876a0977e79969d3ea9f26bcfc27
MD5 hash:
34c6baee4af65140954977232098ccdc
SHA1 hash:
6365bfe275ffc434776a04d2d4b92c961ef4ca06
Link:
https://www.unpac.me/results/cc9c65b3-1217-47f1-a77a-1a0ac1486c1c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5611f533697e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5611f533697e92daed847764a46dc86420c4876a0977e79969d3ea9f26bcfc27

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 5611f533697e92daed847764a46dc86420c4876a0977e79969d3ea9f26bcfc27

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1573333/
Cape
Cape
https://www.capesandbox.com/analysis/183162/

Comments


Avatar
zbet commented on 2021-08-28 21:51:13 UTC

url : hxxp://a0574956.xsph.ru/pink.exe