MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65a90f7ce88c21097bde9575109000efa1832a51d0cbd9c47ef701838884ca4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65a90f7ce88c21097bde9575109000efa1832a51d0cbd9c47ef701838884ca4f
SHA3-384 hash: 86296558ed38838ad36203cf5eab091692832f806bdef8ebd17380708b8b5d830d043e634bb4d3bc1fe86b0d221a72bc
SHA1 hash: dc320d23d3e672bfe7368f36435c346165dbfc7c
MD5 hash: 0767fb874bf23423f828694e1845dd52
humanhash: whiskey-colorado-hotel-mango
File name:0767fb874bf23423f828694e1845dd52
Download: download sample
Signature CoinMiner
Create hunting rule
File size:9'290'240 bytes
First seen:2021-11-26 08:55:54 UTC
Last seen:2021-11-26 11:56:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ca1bc56825379f5b034a1b6092fa2cee (3 x CoinMiner)
ssdeep 196608:iuLar9NWDfqx9PSJe+SLUBvGIZWl5kDG8jvpwLM7QN/LyC:rmnWD2hccLsG+WAp2M7g/L
Threatray 353 similar samples on MalwareBazaar
TLSH T12B9623AD6298335CC41EC4B4D427FC49F1F6531E19F58ABA70DBBAC07BDA824D502B1A
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0767fb874bf23423f828694e1845dd52
Verdict:
No threats detected
Analysis date:
2021-11-26 08:57:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fea794cd-c19f-4066-b9d0-6acfa0a2e19b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Tedy.16260.24923.11646.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Creating a process with a hidden window
Connecting to a cryptocurrency mining pool
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Creating a file in the Windows subdirectories
Enabling autorun for a service
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61a0a128f36138de3f3e8b6d/reports/94dcb24b-3d10-48eb-9fc1-bb0192af657f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a9b4d9e-ad57-4689-b252-ce1c6381b797
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896546
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Drops PE files with benign system names
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: System File Execution Location Anomaly
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 529024 Sample: sVPwlCDNLC Startdate: 26/11/2021 Architecture: WINDOWS Score: 100 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 5 other signatures 2->69 9 sVPwlCDNLC.exe 5 2->9         started        13 services.exe 8 2->13         started        15 svchost.exe 2->15         started        17 6 other processes 2->17 process3 file4 49 C:\Users\user\AppData\...\services.exe, PE32+ 9->49 dropped 51 C:\Users\...\services.exe:Zone.Identifier, ASCII 9->51 dropped 53 C:\Users\user\AppData\...\sVPwlCDNLC.exe.log, ASCII 9->53 dropped 87 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->87 89 Tries to evade analysis by execution special instruction which cause usermode exception 9->89 91 Tries to detect debuggers (CloseHandle check) 9->91 103 3 other signatures 9->103 19 cmd.exe 1 9->19         started        21 cmd.exe 1 9->21         started        55 C:\Users\user\AppData\...\sihost64.exe, PE32+ 13->55 dropped 57 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 13->57 dropped 93 Antivirus detection for dropped file 13->93 95 Multi AV Scanner detection for dropped file 13->95 97 Uses nslookup.exe to query domains 13->97 99 Sample is not signed and drops a device driver 13->99 24 sihost64.exe 13->24         started        101 Changes security center settings (notifications, updates, antivirus, firewall) 15->101 26 MpCmdRun.exe 1 15->26         started        signatures5 process6 signatures7 28 services.exe 3 19->28         started        31 conhost.exe 19->31         started        71 Uses schtasks.exe or at.exe to add and modify task schedules 21->71 33 conhost.exe 21->33         started        35 schtasks.exe 1 21->35         started        73 Writes to foreign memory regions 24->73 75 Allocates memory in foreign processes 24->75 77 Creates a thread in another existing process (thread injection) 24->77 37 conhost.exe 2 24->37         started        39 conhost.exe 26->39         started        process8 signatures9 105 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->105 107 Uses nslookup.exe to query domains 28->107 109 Writes to foreign memory regions 28->109 111 4 other signatures 28->111 41 sihost64.exe 28->41         started        44 nslookup.exe 28->44         started        process10 dnsIp11 79 Writes to foreign memory regions 41->79 81 Allocates memory in foreign processes 41->81 83 Creates a thread in another existing process (thread injection) 41->83 47 conhost.exe 2 41->47         started        59 pool.hashvault.pro 168.119.38.182, 49741, 80 HETZNER-ASDE Germany 44->59 61 kolyagdx.beget.tech 5.101.153.235, 49782, 80 BEGET-ASRU Russian Federation 44->61 85 Query firmware table information (likely to detect VMs) 44->85 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65a90f7ce88c21097bde9575109000efa1832a51d0cbd9c47ef701838884ca4f/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 07:50:22 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
CoinMiner
2b0cd91072bc81875fba4d9dc3b293500f110b57dd9d37028556fdb296705fb0
CoinMiner
3aca6ead27ffa0e7384af61f022b180f305bca729e8cc4b29390b5067b673fcc
CoinMiner
4a2c3f7e489652350d3fd9df4259c52e2a9be9eb507d011779079d1e57e0301d
CoinMiner
66d2fe8e0af50d2d155608a4dfba701aa321fa7b83d5858a91f95f9bbc96f1d1
CoinMiner
7e6b525d20c679bb8241177f2e307bb9c5b9070e4846a033640eb45eafcf64ea
CoinMiner
b37e87a30c379dd3d84b2f9b5819cb32335d7230156d3ea01a7309502e9e6d0d
CoinMiner
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
CoinMiner
e67db91b7e8bcf1cf40735c556df7971af493cfd6b0fe4ffd25774ca7c31e070
CoinMiner
fa1a41ff82f9d6ca0473f9ac67f0d46e9576dd6608f9682d245f48ea872a3859
CoinMiner
+ 343 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner vmprotect
Link:
https://tria.ge/reports/211126-kv2v5sbddl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
65a90f7ce88c21097bde9575109000efa1832a51d0cbd9c47ef701838884ca4f
MD5 hash:
0767fb874bf23423f828694e1845dd52
SHA1 hash:
dc320d23d3e672bfe7368f36435c346165dbfc7c
Link:
https://www.unpac.me/results/8a2e443b-541b-4bf4-8e1f-a97262b6c3be/
Malware family:
XMRIG
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/65a90f7ce88c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65a90f7ce88c21097bde9575109000efa1832a51d0cbd9c47ef701838884ca4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 65a90f7ce88c21097bde9575109000efa1832a51d0cbd9c47ef701838884ca4f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1819382/
Cape
Cape
https://www.capesandbox.com/analysis/209615/

Comments


Avatar
zbet commented on 2021-11-26 08:55:55 UTC

url : hxxp://kolyagdx.beget.tech/Services32.exe