MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6aa5078347357a441ef4427f92696b1d87bca4602c34ce794dbb051463e137f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6aa5078347357a441ef4427f92696b1d87bca4602c34ce794dbb051463e137f1
SHA3-384 hash: b6ae035487fd132adad207a3ccb48e6222ec4bab9cd678cf9d5ac0fb32e51969025f149dd25dd8f090ba0a9615f993cf
SHA1 hash: 5f2dbfe08511ae4c977479725e557037a56fbb01
MD5 hash: 015d09a33b40ddb33e0813a80f9c5543
humanhash: april-harry-friend-oklahoma
File name:015d09a33b40ddb33e0813a80f9c5543
Download: download sample
Signature CoinMiner
Create hunting rule
File size:207'360 bytes
First seen:2022-03-23 01:47:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 3072:KII+2rjytB1LxgFzTB6ENlJMO1n0lZXyiHG+kn82xwjzI5G7XHoY6BWbnBb3R8Ps:KJ+5KFPkEbF8Z++k82i0MXHoYOUBzc
Threatray 18 similar samples on MalwareBazaar
TLSH T1CB1412003EECB952DE3116FCD596EFC00964822A2053DBCB38A1219F99533E6C7955EB
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/255231/
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623a7c5c0cd58dbd92db7c55/reports/df6776c1-7d5e-4770-b989-4f0226c7450c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9d71093-458f-4bad-a16a-d5d7a2a31e4a
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962258
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Blacklisted process start detected (Windows program)
Detected Stratum mining protocol
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Notepad Making Network Connection
Sigma detected: Suspicious Process Parents
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 594735 Sample: CLfJwbcYiG Startdate: 23/03/2022 Architecture: WINDOWS Score: 100 67 easyproducts.org 2->67 83 Antivirus detection for URL or domain 2->83 85 Antivirus detection for dropped file 2->85 87 Multi AV Scanner detection for dropped file 2->87 89 10 other signatures 2->89 9 RegHost.exe 1 3 2->9         started        13 CLfJwbcYiG.exe 1 2->13         started        signatures3 process4 file5 53 C:\Users\user\AppData\Roaming\...\RegData.exe, PE32+ 9->53 dropped 55 C:\Users\user\AppData\...\OneDrive.exe, PE32+ 9->55 dropped 91 Hijacks the control flow in another process 9->91 93 Injects code into the Windows Explorer (explorer.exe) 9->93 95 Writes to foreign memory regions 9->95 97 3 other signatures 9->97 15 notepad.exe 1 9->15         started        19 explorer.exe 1 9->19         started        21 bfsvc.exe 1 9->21         started        23 conhost.exe 9->23         started        57 C:\Users\user\AppData\...\CLfJwbcYiG.exe.log, ASCII 13->57 dropped 25 RegAsm.exe 15 5 13->25         started        signatures6 process7 dnsIp8 71 51.15.69.136 OnlineSASFR France 15->71 73 xmr-eu1.nanopool.org 15->73 77 System process connects to network (likely due to code injection or exploit) 15->77 79 Query firmware table information (likely to detect VMs) 15->79 81 Blacklisted process start detected (Windows program) 15->81 28 conhost.exe 15->28         started        30 curl.exe 1 19->30         started        32 curl.exe 1 19->32         started        34 conhost.exe 19->34         started        36 curl.exe 19->36         started        38 conhost.exe 21->38         started        75 file-coin-coin-10.com 94.103.87.199, 49725, 80 VDSINA-ASRU Russian Federation 25->75 59 C:\ProgramData\7662_1647965655_5515.exe, PE32+ 25->59 dropped 40 7662_1647965655_5515.exe 1 3 25->40         started        file9 signatures10 process11 dnsIp12 44 conhost.exe 30->44         started        46 conhost.exe 32->46         started        69 185.137.234.33, 49728, 49729, 49730 SELECTELRU Russian Federation 40->69 61 C:\Users\user\AppData\...\RegModule.exe, PE32+ 40->61 dropped 63 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 40->63 dropped 48 WerFault.exe 20 9 40->48         started        51 conhost.exe 40->51         started        file13 process14 dnsIp15 65 192.168.2.1 unknown unknown 48->65
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6aa5078347357a441ef4427f92696b1d87bca4602c34ce794dbb051463e137f1/
Threat name:
ByteCode-MSIL.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 21:42:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
06dbbdd3df2de3fba52f72cbac4c5d1e06f794de90a29fa7ea2f449e3a4fc37d
CoinMiner
097ba0ebd6a50a4d1ab371359c0e5a0e5270a8b224c8264e48ac26b4f0e3bb81
CoinMiner
18d3c86e8cf3eef27c596430279fade1c4c46b3ed4e59de2912ef2c803e13e32
CoinMiner
3e1a6299d80d53a831c2e6759ce2ac41e6d9aa6603cb2a1df7efbfb86debefa5
CoinMiner
7b22171c0b658644bc40537f768933245325434e8d597e06c20f2e1437dd3b1d
CoinMiner
96b3aa4520797806ccaf670897eaead29ac9dd3f9a6add879e2d93f7e2557513
CoinMiner
c47c10545767892ba8fdaa1ba682295251016938318d807fe40736e5ae832322
CoinMiner
f563d62dbc6bcf5f8c0f977bcd3bc66d39ee43cc5abdd63d3de105755dab3f91
CoinMiner
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/220323-b76kesdfa3/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
e245c4a7d41e095b5c5136a89e698bd11e452594d864e250607cff2b2efadbab
MD5 hash:
6c991f5490cd23d8df31d89864395b21
SHA1 hash:
a6e3fde5d6f72fce36c5a8955a6025d92efb4356
Link:
https://www.unpac.me/results/054bb687-6ea8-43dd-b253-0e22b4700e44/
SH256 hash:
0a22910114e6e126b23ae9a83b2f925f82e761bcf1e3255e8b174f9d24903bfa
MD5 hash:
d713ab8a992f7c96844bb75160ff9ae9
SHA1 hash:
47a6e6afe2c1de05af8ddae6494b71c403c696fe
Link:
https://www.unpac.me/results/054bb687-6ea8-43dd-b253-0e22b4700e44/
SH256 hash:
6aa5078347357a441ef4427f92696b1d87bca4602c34ce794dbb051463e137f1
MD5 hash:
015d09a33b40ddb33e0813a80f9c5543
SHA1 hash:
5f2dbfe08511ae4c977479725e557037a56fbb01
Link:
https://www.unpac.me/results/054bb687-6ea8-43dd-b253-0e22b4700e44/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6aa507834735/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/6aa5078347357a441ef4427f92696b1d87bca4602c34ce794dbb051463e137f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 6aa5078347357a441ef4427f92696b1d87bca4602c34ce794dbb051463e137f1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2111552/
Cape
Cape
https://www.capesandbox.com/analysis/255231/

Comments


Avatar
zbet commented on 2022-03-23 01:47:40 UTC

url : hxxp://37.120.222.60/mysite/catimages/209.exe