MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b7f95f14f47910c2f521f88d2cda0a3186ac569dc7f2ce0ec7c069e7981827c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 7

SHA256 hash: 7b7f95f14f47910c2f521f88d2cda0a3186ac569dc7f2ce0ec7c069e7981827c
SHA3-384 hash: 5c829b9cd5c6a04a024c782a25a38079cf49e9be538eb3eb598d3aa0ae652417f6596c83ff0931a08db35adad4bac4f2
SHA1 hash: a3f8aec70387ae08c2bca68d58af06b70b6ea030
MD5 hash: a321faa906868cd24bdf15c5784b4577
humanhash: william-winner-pluto-autumn
File name: a321faa906868cd24bdf15c5784b4577
Signature: CoinMiner
File size: 7'620'608 bytes
First seen: 2021-08-29 12:02:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d910780e43eb6473c6ca334d8a16a8af (1 x CoinMiner, 1 x GoGoogle, 1 x Kimsuky)
ssdeep: 98304:0ZysEvVakqa62xjoG9eHYgu4dOX7F2fqZDxzoHBeXs0q4cGw/bsLn/66Url7:WybbH6oou6OhZFzQMs0LcBben0rl7
Threatray: 3 similar samples on MalwareBazaar
TLSH: T1577623F861A0379CC45AC9309133DE08A3F6551DD6FAD59AB1C7BEA07F9F820D912B42
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 171
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: a321faa906868cd24bdf15c5784b4577
Verdict: No threats detected
Analysis date: 2021-08-29 12:04:17 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Running batch commands
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Searching for the window
Creating a process from a recently created file
Query of malicious DNS domain
Connection attempt to an infection source
Launching a tool to kill processes
Moving of the original file
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Deleting of the original file
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Detected VMProtect packer
Drops or copies procdump.exe (to dump process memory)
Dumps the memory of LSASS, likely to steal the SAM database
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sigma detected: LSASS Memory Dumping
Sigma detected: Suspicious Use of Procdump
Sigma detected: Suspicious Use of Procdump on LSASS
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 473471, sample DUOQR4ckbS, start date 29/08/2021, architecture WINDOWS, score 100):
  Top-level signatures: Sigma detected: Suspicious Use of Procdump on LSASS; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 7 other signatures
  DUOQR4ckbS.exe (started)
    network: m.windowsupdatesupport.org 195.123.246.179, 49716, 80 GREENFLOID-ASUA Bulgaria
    dropped: C:\Users\user\Desktop\updater.exe (PE32+); C:\Users\user\Desktop\runtime.dll (PE32+); C:\Users\user\Desktop\inj.exe (PE32+); 3 other malicious files
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to detect virtualization through RDTSC time measurements
    started: autoupdate.exe, updater.exe, cmd.exe, 5 other processes
      autoupdate.exe
        network: mail.windowsupdatesupport.org 23.227.196.15 HVC-ASUS United States; m.windowsupdatesupport.org
        dropped: C:\Users\user\Desktop\procdump.exe (PE32)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; 3 other signatures
        started: procdump.exe
          procdump.exe
            dropped: C:\Users\user\Desktop\procdump64.exe (PE32+)
            signatures: Drops or copies procdump.exe (to dump process memory); Dumps the memory of LSASS, likely to steal the SAM database
            started: procdump64.exe, conhost.exe
      updater.exe
        network: 93.95.227.42 THE-1984-ASIS Iceland; m.windowsupdatesupport.org
        signatures: Query firmware table information (likely to detect VMs); Tries to detect virtualization through RDTSC time measurements
        started: conhost.exe
      cmd.exe
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        started: conhost.exe, schtasks.exe
      5 other processes
        started: conhost.exe (x3), 2 other processes
  svchost.exe (started)
    signatures: Changes security center settings (notifications, updates, antivirus, firewall)
    started: MpCmdRun.exe
      MpCmdRun.exe
        started: conhost.exe
  svchost.exe (started)
    network: 127.0.0.1 unknown unknown
  7 other processes
    network: 192.168.2.1 unknown unknown
Threat name: Win64.Trojan.Tnega
Status: Malicious
First seen: 2021-08-27 07:29:04 UTC
AV detection: 10 of 28 (35.71%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:golang_generic_botnet family:mimikatz family:xmrig botnet evasion miner spyware stealer suricata vmprotect
Behaviour
Creates scheduled task(s)
GoLang User-Agent
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Sets file to hidden
VMProtect packed file
XMRig Miner Payload
mimikatz is an open source tool to dump credentials on Windows
Golang Generic Botnet
Mimikatz
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
xmrig
Unpacked files
SHA256 hash: 7b7f95f14f47910c2f521f88d2cda0a3186ac569dc7f2ce0ec7c069e7981827c
MD5 hash: a321faa906868cd24bdf15c5784b4577
SHA1 hash: a3f8aec70387ae08c2bca68d58af06b70b6ea030

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Web download: CoinMiner, Executable exe 7b7f95f14f47910c2f521f88d2cda0a3186ac569dc7f2ce0ec7c069e7981827c (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-08-29 12:02:11 UTC

url : hxxp://m.windowsupdatesupport.org/d/service.exe