MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56cb118f4caa1f3d0461faba24d9cb575843177b2a756622533ba00dbac10a2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 2
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56cb118f4caa1f3d0461faba24d9cb575843177b2a756622533ba00dbac10a2a
SHA3-384 hash: e736c90424f95654136b8dbeb525548a8a74db99d7daf38d4ffb26464425b0bf01d2c95b09c77cca6753ff306cae8dd9
SHA1 hash: d0a455250331a626436f86818b8b3f428eb6aa03
MD5 hash: 5bf6dda87c399945bfdae0c390523f6c
humanhash: sink-fillet-juliet-north
File name:5bf6dda87c399945bfdae0c390523f6c
Download: download sample
Signature CoinMiner
Create hunting rule
File size:407'552 bytes
First seen:2023-05-07 18:14:07 UTC
Last seen:2023-05-17 10:02:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 91f084f48f1a7d46fb0c1c59aeb26b0a (1 x CoinMiner, 1 x DarkVisionRAT)
ssdeep 6144:n34ElVxx2j9kwTX1/AmOK79elWexzUf/rBwIN2tiNsEj2OrAh5RYlyzro:Iy2j9F/AxYlk
TLSH T1C5841947AB6585F4CC76D078CAA26623FA7178594334EBDB87508E131F23BE1A93E710
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5bf6dda87c399945bfdae0c390523f6c
Verdict:
Malicious activity
Analysis date:
2023-05-07 18:16:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/98e269e7-68e9-40b1-89e7-90745a119a0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387339/
Detection(s):
SecuriteInfo.com.Variant.Lazy.324547.26906.8772.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file
Launching a process
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Forced system process termination
Deleting a recently created file
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82977/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware shell32.dll update.exe
Link:
https://www.filescan.io/uploads/6457eaa870f3c757d074eddc/reports/695c5a86-766f-4a8f-b01a-07e9a4fa6528/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/56cb118f4caa1f3d0461faba24d9cb575843177b2a756622533ba00dbac10a2a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkVision RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6db925a-698f-4cca-a0ce-7baeaa3fb8f8
Result
Threat name:
Discord Token Stealer, Xmrig
Create hunting rule
Detection:
malicious
Classification:
rans.evad.troj.adwa.spyw.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1227853
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Benign windows process drops PE files
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Stop multiple services
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Discord Token Stealer
Yara detected PersistenceViaHiddenTask
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 860817 Sample: NBLe3nmUpT.exe Startdate: 07/05/2023 Architecture: WINDOWS Score: 100 124 petchx.com 2->124 126 raw.githubusercontent.com 2->126 128 3 other IPs or domains 2->128 142 Malicious sample detected (through community Yara rule) 2->142 144 Multi AV Scanner detection for dropped file 2->144 146 Multi AV Scanner detection for submitted file 2->146 148 11 other signatures 2->148 11 NBLe3nmUpT.exe 2 3 2->11         started        15 update.exe 2->15         started        17 cmd.exe 1 2->17         started        19 5 other processes 2->19 signatures3 process4 file5 122 C:\ProgramData\Chrome\update.exe, PE32+ 11->122 dropped 192 Found evasive API chain (may stop execution after checking mutex) 11->192 194 Adds a directory exclusion to Windows Defender 11->194 196 Maps a DLL or memory area into another process 11->196 198 Found evasive API chain checking for user administrative privileges 11->198 21 explorer.exe 33 11->21         started        26 cmd.exe 1 11->26         started        200 Multi AV Scanner detection for dropped file 15->200 202 Machine Learning detection for dropped file 15->202 28 Conhost.exe 15->28         started        204 Modifies power options to not sleep / hibernate 17->204 30 conhost.exe 17->30         started        38 4 other processes 17->38 32 cmd.exe 1 19->32         started        34 conhost.exe 1 19->34         started        36 conhost.exe 19->36         started        40 9 other processes 19->40 signatures6 process7 dnsIp8 130 pylox.petchx.com 103.30.126.242, 4444, 49682, 49683 METRABYTE-TH453LadplacoutJorakhaebuaTH Thailand 21->130 132 petchx.com 27.254.86.109, 443, 49681 CSLOX-IDC-AS-APCSLOXINFOPublicCompanyLimitedTH Thailand 21->132 134 cdn.discordapp.com 162.159.130.233 CLOUDFLARENETUS United States 21->134 96 C:\Users\user\AppData\...\febgzredya.EXE, PE32+ 21->96 dropped 98 C:\Users\user\AppData\...\abycunljdo.EXE, PE32+ 21->98 dropped 100 C:\...\{F3B12E6D-7C5F-4C5F-80F1-23A975A87015}, data 21->100 dropped 102 26 other malicious files 21->102 dropped 150 System process connects to network (likely due to code injection or exploit) 21->150 152 Benign windows process drops PE files 21->152 154 Found evasive API chain (may stop execution after checking mutex) 21->154 156 Writes many files with high entropy 21->156 42 febgzredya.EXE 21->42         started        46 abycunljdo.EXE 4 21->46         started        158 Uses cmd line tools excessively to alter registry or file data 26->158 160 Uses powercfg.exe to modify the power settings 26->160 162 Adds a directory exclusion to Windows Defender 26->162 164 Modifies power options to not sleep / hibernate 26->164 48 powershell.exe 19 26->48         started        50 conhost.exe 26->50         started        52 update.exe 32->52         started        file9 signatures10 process11 file12 108 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 42->108 dropped 110 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 42->110 dropped 112 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 42->112 dropped 120 85 other malicious files 42->120 dropped 178 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->178 180 May check the online IP address of the machine 42->180 182 Writes many files with high entropy 42->182 54 febgzredya.EXE 42->54         started        114 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 46->114 dropped 116 C:\Users\user\AppData\...\yumtvzryzkwe.tmp, PE32+ 46->116 dropped 118 C:\Windows\System32\drivers\etc\hosts, ASCII 46->118 dropped 184 Writes to foreign memory regions 46->184 186 Modifies the context of a thread in another process (thread injection) 46->186 188 Modifies the hosts file 46->188 190 3 other signatures 46->190 59 dialer.exe 1 46->59         started        signatures13 process14 dnsIp15 136 api4.ipify.org 173.231.16.77 WEBNXUS United States 54->136 138 64.185.227.155 WEBNXUS United States 54->138 140 4 other IPs or domains 54->140 106 C:\Users\user\AppData\Roaming\...\dat.txt, PE32+ 54->106 dropped 168 Tries to harvest and steal browser information (history, passwords, etc) 54->168 61 cmd.exe 54->61         started        64 cmd.exe 54->64         started        66 cmd.exe 54->66         started        68 cmd.exe 54->68         started        170 Injects code into the Windows Explorer (explorer.exe) 59->170 172 Uses schtasks.exe or at.exe to add and modify task schedules 59->172 174 Writes to foreign memory regions 59->174 176 3 other signatures 59->176 70 updater.exe 59->70         started        73 lsass.exe 59->73 injected 75 svchost.exe 59->75 injected 77 19 other processes 59->77 file16 signatures17 process18 file19 206 Uses cmd line tools excessively to alter registry or file data 61->206 79 conhost.exe 61->79         started        81 reg.exe 61->81         started        83 conhost.exe 64->83         started        85 reg.exe 64->85         started        87 WMIC.exe 66->87         started        90 conhost.exe 66->90         started        92 conhost.exe 68->92         started        104 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 70->104 dropped 208 Protects its processes via BreakOnTermination flag 70->208 210 Writes to foreign memory regions 70->210 212 Modifies the context of a thread in another process (thread injection) 70->212 214 3 other signatures 70->214 94 conhost.exe 77->94         started        signatures20 process21 signatures22 166 DLL side loading technique detected 87->166
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56cb118f4caa1f3d0461faba24d9cb575843177b2a756622533ba00dbac10a2a/
Threat name:
Win64.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-05-07 16:02:10 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3frdd2mvipt2bdb7k5cjwolk5megf33fj2wmisthoqa3owbbiva._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230507-wvwvnsfd72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops startup file
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
56cb118f4caa1f3d0461faba24d9cb575843177b2a756622533ba00dbac10a2a
MD5 hash:
5bf6dda87c399945bfdae0c390523f6c
SHA1 hash:
d0a455250331a626436f86818b8b3f428eb6aa03
Link:
https://www.unpac.me/results/ffa09d96-78d4-4098-9ddf-6c5c3ff309a7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56cb118f4caa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56cb118f4caa1f3d0461faba24d9cb575843177b2a756622533ba00dbac10a2a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 56cb118f4caa1f3d0461faba24d9cb575843177b2a756622533ba00dbac10a2a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/387339/
  
URLhaus
https://urlhaus.abuse.ch/url/2626644/

Comments


Avatar
commented on 2023-05-17 10:05:23 UTC

DarkVision? Add tag, please

Avatar
zbet commented on 2023-05-07 18:14:17 UTC

url : hxxps://petchx.com/pylox/petch.exe