MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77e702d254b785a06bcf595edf09601d6cffc172cf019646145c7631091e20a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 8

SHA256 hash: 77e702d254b785a06bcf595edf09601d6cffc172cf019646145c7631091e20a9
SHA3-384 hash: d101cd6d79b90703ac7ee7b3892c70eb36f12519340cb10f0f1d3ee86d1d92c21515ba9e5140c589cdb2461d262b29e5
SHA1 hash: 935ad4c746965e5a92a7d82d8c0b96cffc4fde08
MD5 hash: 99f51633e0f6419c6310a9e08d3626a1
humanhash: massachusetts-arizona-emma-monkey
File name: 99f51633e0f6419c6310a9e08d3626a1
Signature: CoinMiner
File size: 6'520'832 bytes
First seen: 2021-10-05 10:19:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9a9e6c9ce6105ad0da2a6340043f0b25 (1 x CoinMiner)
ssdeep: 196608:vg+4e5gFmXm5lxO8nTg0S4Two7zex35w:vg+FWLOpzqzeE
Threatray: 26 similar samples on MalwareBazaar
TLSH: T1EA6623F97288376CC01FCC749833E945A2B5520E5BE8966E78CFB7C03BAB610D646B45
dhash icon: 74e0c4c4c4ccccd4 (4 x RedLineStealer, 1 x CoinMiner, 1 x LummaStealer)
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 230
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: recrypt.exe
Verdict: Malicious activity
Analysis date: 2021-09-30 12:29:00 UTC
Tags: trojan rat redline stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Launching the process to change network settings
Launching a service
Creating a file
Launching the default Windows debugger (dwwin.exe)
Blocking Windows Firewall launch
Firewall traversal
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Creates files in the system32 config directory
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 497107; sample qcodAS8DHq; start date 05/10/2021; architecture WINDOWS; score 100):
  Sample-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; 5 other signatures
  Process qcodAS8DHq.exe (node 11, started; 41 child items):
    Network: iplogger.org 88.99.66.31 (ports 443, 49751, 49752; HETZNER-AS, DE, Germany); bitbucket.org 104.192.141.1 (ports 443, 49746, 49753; AMAZON-02, US, United States); 3 other IPs or domains
    Dropped files: C:\ProgramData\UpSys.exe (PE32+); C:\ProgramData\Systemd\WinRing0x64.sys (PE32+); C:\ProgramData\Systemd\SecurityHealth.exe (PE32+); 9 other files (2 malicious)
    Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; May check the online IP address of the machine; Modifies the windows firewall; 3 other signatures
    Child processes: SecurityHealth.exe (nodes 16, 19, 21); 54 other processes (node 23)
      SecurityHealth.exe (node 16): Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Hides threads from debuggers
      SecurityHealth.exe (node 19): Tries to detect sandboxes / dynamic malware analysis system (registry check); starts conhost.exe (node 25), taskkill.exe (node 27)
      SecurityHealth.exe (node 21): starts conhost.exe (node 29), taskkill.exe (node 31)
      54 other processes (node 23): Uses netsh to modify the Windows network and firewall settings; starts UpSys.exe (node 33), taskkill.exe (nodes 35, 37), 67 other processes (node 39)
        UpSys.exe (node 33) -> UpSys.exe (node 41) -> UpSys.exe (node 49) -> powershell.exe (node 51): Creates files in the system32 config directory; starts conhost.exe (node 54)
        taskkill.exe (node 35): starts conhost.exe (node 43), taskkill.exe (node 45)
        taskkill.exe (node 37): starts conhost.exe (node 47)
Threat name: Win64.Trojan.Miner
Status: Malicious
First seen: 2021-09-28 01:06:48 UTC
AV detection: 23 of 45 (51.11%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence themida trojan
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies security service
Unpacked files
SHA256 hash: 77e702d254b785a06bcf595edf09601d6cffc172cf019646145c7631091e20a9
MD5 hash: 99f51633e0f6419c6310a9e08d3626a1
SHA1 hash: 935ad4c746965e5a92a7d82d8c0b96cffc4fde08
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256: 77e702d254b785a06bcf595edf09601d6cffc172cf019646145c7631091e20a9 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-10-05 10:19:09 UTC

url : hxxp://kdr.zarkada.ru/507913557.exe