MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 624238f70f727064dea6756cdf10cf7673ffc2d627f0c5d34099baf910a75ec8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 12



SHA256 hash: 624238f70f727064dea6756cdf10cf7673ffc2d627f0c5d34099baf910a75ec8
SHA3-384 hash: d1e90ea7ece25735f1787e9089ff03a53bb9da9b61ffe6a81b2575ea0e85ac2021144a122286965beb4a110d59e0bf7d
SHA1 hash: 7d86995a3caf1784d418653b7d276078d8699149
MD5 hash: 5e53bea9bea0679827b6dae5bcccebfb
humanhash: massachusetts-blossom-happy-robin
File name: vape_4.exe
Signature: CoinMiner
File size: 2'615'296 bytes
First seen: 2023-04-06 01:10:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7dbd2319b33ed25eb7ad7d0162c2bb3a (18 x CoinMiner, 1 x CoinMiner.XMRig, 1 x XFilesStealer)
ssdeep: 49152:NvWxBEICg6GLwD7PSi3NbKWS63yX5mYiYl2yq3vX++4UWC0a/8aZH7:NJgxwDD/KWv3amYiVt3vX+rUIaL
Threatray: 45 similar samples on MalwareBazaar
TLSH: T1F3C5333C9424D0A4F84D69B6028F28D6949AFC526D76481E26541D38BF3BEBDEE0D3C6
TrID:
  55.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  16.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.9% (.ICL) Windows Icons Library (generic) (2059/9)
  6.8% (.EXE) OS/2 Executable (generic) (2029/13)
  6.7% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter: Chainskilabs
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 313
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: vape_4.exe
Verdict: Malicious activity
Analysis date: 2023-04-06 01:11:18 UTC
Tags: miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Searching for the window
  Sending a custom TCP request
  Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
  MalwareBazaar
  CallSleep
Verdict: No Threat
Threat level: 2/10
Confidence: 50%
Tags: packed
Result
Verdict: MALICIOUS
Details:
  Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans.troj.spyw.evad.mine
Score: 100 / 100
Signatures:
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Found potential ransomware demand text
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph: (graph rendering omitted) Behavior Graph ID: 842233; Sample: vape_4.exe; Startdate: 06/04/2023; Architecture: WINDOWS; Score: 100
Process tree recovered from the graph: vape_4.exe and updater.exe start; vape_4.exe starts conhost.exe and MpCmdRun.exe; conhost.exe drops updater.exe (PE32+, under C:\Program Files\...\Chrome\, path partly garbled in extraction) together with its Zone.Identifier stream and starts cmd.exe and powershell.exe; cmd.exe starts powercfg.exe and schtasks.exe; powershell.exe creates files in the system32 config directory.
Threat name: Win64.Trojan.Donut
Status: Malicious
First seen: 2023-04-06 01:11:10 UTC
File Type: PE+ (Exe)
Extracted files: 13
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour:
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
XMRig Miner payload
xmrig
Unpacked files
SHA256 hash: 624238f70f727064dea6756cdf10cf7673ffc2d627f0c5d34099baf910a75ec8
MD5 hash: 5e53bea9bea0679827b6dae5bcccebfb
SHA1 hash: 7d86995a3caf1784d418653b7d276078d8699149
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File: Executable exe 624238f70f727064dea6756cdf10cf7673ffc2d627f0c5d34099baf910a75ec8 (this sample)

Delivery method: Distributed via web download