MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79f54a550f13781f7b9b3589c83295608d9e89b25deb2ffca656f406862aa8b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79f54a550f13781f7b9b3589c83295608d9e89b25deb2ffca656f406862aa8b9
SHA3-384 hash: 78fc90c9753ab1a86538dd3f013941943e5755eeeea76098d6287d453952d1d3c10dd8dfe2c91670f852922734ca4283
SHA1 hash: 5eb3ab523222a1e1b0ac419a18e0bb5ec32e5dd4
MD5 hash: dc9c507060466984b5ab2c58ad4f31f0
humanhash: uranus-georgia-fourteen-salami
File name:YZF2.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:29'184 bytes
First seen:2021-10-13 17:53:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:Fhg7d73RBqrq3qcbf3xu4dn5DHff5V7CS8F9FD6O:E7xRsuHtu4dn5dVV8F9J6O
Threatray 237 similar samples on MalwareBazaar
TLSH T18FD2D0212B58C052E4BB8B354CF3634256B3BD9A2096878EF8C5432C3CD6366DEB5739
Reporter Anonymous
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fromix.exe
Verdict:
Malicious activity
Analysis date:
2021-10-13 17:40:37 UTC
Tags:
installer loader
Link:
https://app.any.run/tasks/b12bf1d5-d834-40c8-8b66-e3b96bc8a0a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197343/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.46.22208.28622.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file in the system32 directory
Deleting a recently created file
Replacing files
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61671d3e9fb4d8593d63e13b/reports/5d31177e-f6e0-409a-acc5-55a6db8c75a5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/47d4e289-26d4-485d-9447-87d06d33470a
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/869948
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502377 Sample: YZF2.exe Startdate: 13/10/2021 Architecture: WINDOWS Score: 84 80 Multi AV Scanner detection for submitted file 2->80 82 Yara detected BitCoin Miner 2->82 84 Machine Learning detection for sample 2->84 86 2 other signatures 2->86 10 YZF2.exe 5 2->10         started        15 services32.exe 3 2->15         started        process3 dnsIp4 78 192.168.2.1 unknown unknown 10->78 74 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 10->74 dropped 76 C:\Users\user\AppData\Local\...\YZF2.exe.log, ASCII 10->76 dropped 98 Adds a directory exclusion to Windows Defender 10->98 17 cmd.exe 1 10->17         started        19 cmd.exe 1 10->19         started        100 Machine Learning detection for dropped file 15->100 22 cmd.exe 1 15->22         started        file5 signatures6 process7 signatures8 24 svchost32.exe 6 17->24         started        28 conhost.exe 17->28         started        88 Uses schtasks.exe or at.exe to add and modify task schedules 19->88 90 Adds a directory exclusion to Windows Defender 19->90 30 powershell.exe 23 19->30         started        32 conhost.exe 19->32         started        34 powershell.exe 19->34         started        40 2 other processes 19->40 36 conhost.exe 22->36         started        38 powershell.exe 22->38         started        42 3 other processes 22->42 process9 file10 70 C:\Windows\System32\services32.exe, PE32+ 24->70 dropped 72 C:\Windows\...\services32.exe:Zone.Identifier, ASCII 24->72 dropped 94 Machine Learning detection for dropped file 24->94 96 Drops executables to the windows directory (C:\Windows) and starts them 24->96 44 services32.exe 2 24->44         started        47 cmd.exe 1 24->47         started        49 cmd.exe 1 24->49         started        signatures11 process12 signatures13 102 Adds a directory exclusion to Windows Defender 44->102 51 cmd.exe 1 44->51         started        54 conhost.exe 47->54         started        56 choice.exe 47->56         started        58 conhost.exe 49->58         started        60 schtasks.exe 1 49->60         started        process14 signatures15 92 Adds a directory exclusion to Windows Defender 51->92 62 conhost.exe 51->62         started        64 powershell.exe 51->64         started        66 powershell.exe 51->66         started        68 2 other processes 51->68 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79f54a550f13781f7b9b3589c83295608d9e89b25deb2ffca656f406862aa8b9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 17:57:14 UTC
AV detection:
15 of 35 (42.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
010e5cf08f24b0b769747b20d38324e7ea5b3633cc72832a07cb8769b126dd0f
CoinMiner
0f5d2516bb90d08755178e51a894001e6a1c14912e0e990d7ac8e4f935df7a39
CoinMiner
24ea17a2c73edd5668c90344844c696e8bfddb72bf605feeea1a0dcc054f246f
CoinMiner
338624127da652feafe2bb0f900026b970815cd68001921dd62f0877acdb2058
CoinMiner
370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4
CoinMiner
b5ec12c4a9c4110b60db7766315641497ad11f31ecaf9de0cc71b605256771d9
CoinMiner
bcc7c88a78159d256da9838d8148b61bf92057b71eabf3bed83ed650d723562c
CoinMiner
e481e934466d3e768442331a3c3af50c4d430b6ed14059afbe661925338ef531
CoinMiner
e7b94b42550145f6653edad5a47879f3bad1abe865f065d7036ca942c572e842
CoinMiner
fdaae3b3560efecbdf76d5a6751c1d7c5964bb0186b81575fedce4b394a8fe0a
CoinMiner
+ 227 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211013-wgwbzsehd9/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
79f54a550f13781f7b9b3589c83295608d9e89b25deb2ffca656f406862aa8b9
MD5 hash:
dc9c507060466984b5ab2c58ad4f31f0
SHA1 hash:
5eb3ab523222a1e1b0ac419a18e0bb5ec32e5dd4
Link:
https://www.unpac.me/results/15ced9da-3cec-4337-a20a-161b64b79b5d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/79f54a550f13/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79f54a550f13781f7b9b3589c83295608d9e89b25deb2ffca656f406862aa8b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 79f54a550f13781f7b9b3589c83295608d9e89b25deb2ffca656f406862aa8b9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197343/

Comments