MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69c3aa9651a8fbff9bb671965c487748da86334da51a2136b2d8cd23716c5177. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69c3aa9651a8fbff9bb671965c487748da86334da51a2136b2d8cd23716c5177
SHA3-384 hash: 7e31159fd2d60474ca01e55e783fa4d63d1e9f2c5f138083031d5a3a6a3f2adf9bdcaad053ffbad1aed56005235d8194
SHA1 hash: 67037357c9a86a30c47cd41b375a02f43ec98ca5
MD5 hash: 3dc99168e6c3f1b7ba51cb69acd13cd1
humanhash: johnny-triple-mike-salami
File name:3dc99168e6c3f1b7ba51cb69acd13cd1
Download: download sample
Signature CoinMiner
Create hunting rule
File size:7'336'448 bytes
First seen:2021-09-01 15:45:44 UTC
Last seen:2021-09-01 17:25:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 196608:8YfDUnzxlAemrwFa2khlJKi2dXCtvJ4szPeV0W3cLC+T:8+DAzxlAe4wX0LX2dX6OsM3g
Threatray 106 similar samples on MalwareBazaar
TLSH T1D8763337B3810E92DDA80972D8A3817013D2EE97A2F5E6063FC476C65E617A44F1F798
dhash icon d898baba9888e470 (1 x RedLineStealer, 1 x CoinMiner)
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-09-01 13:07:31 UTC
Tags:
evasion trojan rat redline loader stealer raccoon opendir vidar
Link:
https://app.any.run/tasks/0f67e3ad-fc87-4188-ab8c-c12bacc7ff9f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184514/
Detection(s):
SecuriteInfo.com.Variant.Bulz.288534.10854.5287.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
Launching a service
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a service
Loading a system driver
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c62f4439-4ec1-46f4-be05-34e9f6f7c822
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843475
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 475906 Sample: t1YS17PfeB Startdate: 01/09/2021 Architecture: WINDOWS Score: 100 35 xmr.2miners.com 2->35 45 Sigma detected: Xmrig 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected Xmrig cryptocurrency miner 2->49 51 4 other signatures 2->51 8 t1YS17PfeB.exe 25 8 2->8         started        13 DriversService.exe 1 2->13         started        15 svchost.exe 2->15         started        17 13 other processes 2->17 signatures3 process4 dnsIp5 39 discord.com 162.159.138.232, 443, 49708 CLOUDFLARENETUS United States 8->39 41 httpbin.org 54.156.165.4, 443, 49707 AMAZON-AESUS United States 8->41 33 C:\Users\user\AppData\...\DriversService.exe, PE32+ 8->33 dropped 57 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->57 59 Writes to foreign memory regions 8->59 61 Modifies the context of a thread in another process (thread injection) 8->61 63 Injects a PE file into a foreign processes 8->63 19 InstallUtil.exe 1 8->19         started        23 powershell.exe 1 19 8->23         started        65 Multi AV Scanner detection for dropped file 13->65 67 Machine Learning detection for dropped file 13->67 69 Changes security center settings (notifications, updates, antivirus, firewall) 15->69 25 MpCmdRun.exe 15->25         started        43 127.0.0.1 unknown unknown 17->43 27 conhost.exe 17->27         started        file6 signatures7 process8 dnsIp9 37 xmr.2miners.com 51.89.96.41, 2222, 49711, 49719 OVHFR France 19->37 53 Query firmware table information (likely to detect VMs) 19->53 29 conhost.exe 19->29         started        31 conhost.exe 23->31         started        signatures10 55 Detected Stratum mining protocol 37->55 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69c3aa9651a8fbff9bb671965c487748da86334da51a2136b2d8cd23716c5177/
Threat name:
Win64.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 14:48:34 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0741c36ad10f51f858eefc2e2f0879c9ef1ae90af61d766bd50ebcc67f4d5579
CoinMiner
51e6527daa5a10028c434c7ceaed1570ddd95e1de0eafa702f77860cec3d0b7c
CoinMiner
766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e
CoinMiner
7e4bc5c98691dd99d7c856dc26110113c15d72fb5b8a73db75a9c9b2bee021e2
CoinMiner
831d7b676bb75c44df50f40798fe739cb07d4c0b1ee217a7e8fea443f7b00346
CoinMiner
b9c0b6dd76212644b551d5b8ea745b3f14f6c92365e767836382a4c8ea54906b
CoinMiner
d0b4b43432238e361c9f553caa05df5c34c462d55bb18a6db5e076faaaf05da9
CoinMiner
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
CoinMiner
+ 96 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210901-kwyr8lmhne/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
Unpacked files
SH256 hash:
69c3aa9651a8fbff9bb671965c487748da86334da51a2136b2d8cd23716c5177
MD5 hash:
3dc99168e6c3f1b7ba51cb69acd13cd1
SHA1 hash:
67037357c9a86a30c47cd41b375a02f43ec98ca5
Link:
https://www.unpac.me/results/5e2edc15-7e2d-4e35-905c-01772beec877/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/69c3aa9651a8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69c3aa9651a8fbff9bb671965c487748da86334da51a2136b2d8cd23716c5177

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 69c3aa9651a8fbff9bb671965c487748da86334da51a2136b2d8cd23716c5177

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1583741/
Cape
Cape
https://www.capesandbox.com/analysis/184514/

Comments


Avatar
zbet commented on 2021-09-01 15:45:46 UTC

url : hxxp://45.150.115.32/Pluton.exe