MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a9a5d9e658b0978ed46091f7b7e62ca5f994eb3c3a76867b7f82a965cc336a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 11

SHA256 hash: 7a9a5d9e658b0978ed46091f7b7e62ca5f994eb3c3a76867b7f82a965cc336a4
SHA3-384 hash: b653af8bd5141b1fe6c13fcaa54285eeee6b8fef55cdabc262c542474f5632dfd6f28538677895ae530ee1c4c97961cd
SHA1 hash: 5fc6556b721855169ba57b668edf79ab07272a73
MD5 hash: 84c23d26753d0e37805940f21dd41835
humanhash: romeo-bacon-friend-zebra
File name: 84c23d26753d0e37805940f21dd41835
Signature: CoinMiner
File size: 2'038'784 bytes
First seen: 2021-10-13 02:21:32 UTC
Last seen: 2021-10-13 02:56:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 27516fd8750f40bdecf52a1420a0296a (12 x CoinMiner)
ssdeep: 49152:myjbVHCWI3XqNhuFcDyUn/Bt1uLZKpuzXTnXxf6bG:LbFeHs4FYyUnZjicpSXj
Threatray: 25 similar samples on MalwareBazaar
TLSH: T18695335E61BD5247FE26C4392925D7E02A4B3D375050F3282A1BA63B8FD09DC63C5B3A
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 302
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://bit.ly/3myLtvG
Verdict: Malicious activity
Analysis date: 2021-10-09 00:12:34 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file

Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: donut packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph: [graph image; ID 501655, sample Di07fAZt55, start date 13/10/2021, architecture WINDOWS, score 84]
Recoverable process chain from the graph: Di07fAZt55.exe -> conhost.exe (drops C:\Windows\System32\chromee.exe, PE32+) -> cmd.exe -> chromee.exe -> conhost.exe (drops C:\Windows\System32\...\sihost32.exe, PE32+) -> sihost32.exe -> conhost.exe; the cmd.exe instances spawn powershell.exe processes that add Windows Defender directory exclusions and use schtasks.exe or at.exe to modify task schedules.
Signatures attached to the graph nodes: Multi AV Scanner detection for submitted file; Sigma detected: Powershell Defender Exclusion; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender; Drops executables to the windows directory (C:\Windows) and starts them; Uses schtasks.exe or at.exe to add and modify task schedules.
Threat name: Win64.Trojan.Donut
Status: Malicious
First seen: 2021-10-07 16:44:00 UTC
AV detection: 24 of 45 (53.33%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
xmrig
Unpacked files
SHA256 hash: 7a9a5d9e658b0978ed46091f7b7e62ca5f994eb3c3a76867b7f82a965cc336a4
MD5 hash: 84c23d26753d0e37805940f21dd41835
SHA1 hash: 5fc6556b721855169ba57b668edf79ab07272a73
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
CoinMiner
Executable exe 7a9a5d9e658b0978ed46091f7b7e62ca5f994eb3c3a76867b7f82a965cc336a4 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2021-10-13 02:21:33 UTC

url: hxxp://yedfg.jelikob.ru/1778143978.exe