MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 11

SHA256 hash: 81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0
SHA3-384 hash: fc786d10a78a81983eaceb0dbb4e1e1ecfa22a3b99a45de5200cfa3c193094940be76500b24022c918819ccb63768db4
SHA1 hash: e14c205d486af944b1909549db5f62bfec739e7e
MD5 hash: d3f2cbcaac871314b6923e9c31a2b2e1
humanhash: nineteen-five-august-bulldog
File name: d3f2cbcaac871314b6923e9c31a2b2e1
Signature: CoinMiner
File size: 2'776'064 bytes
First seen: 2021-12-31 18:32:19 UTC
Last seen: 2021-12-31 20:57:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 49738ad0bee20b817dabab783acdf71c (2 x DCRat, 1 x CoinMiner)
ssdeep: 49152:XkD0+cjlJ6yyVt4rY/HYAit4kwPuG2ULx+A0E9jtfUOU94V5hY2iTkk:UMWDCrY/4Ait4kwWGzxN59jtfUOI2b9k
Threatray: 370 similar samples on MalwareBazaar
TLSH: T1BFD523043EE858E9D922493C8C518575A672BC110E3DD66BEBD07B1FCE37290AC2B797
dhash icon: ecb26965731392e8 (7 x Fabookie, 3 x CoinMiner, 2 x RemcosRAT)
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 314
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d3f2cbcaac871314b6923e9c31a2b2e1
Verdict: No threats detected
Analysis date: 2021-12-31 18:34:13 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file

Result
Malware family: n/a
Score: 9/10
Tags: n/a

Behaviour
MalwareBazaar
CallSleep
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: BitCoin Miner SilentXMRMiner Xmrig
Detection: malicious
Classification: evad.mine
Score: 100 / 100

Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Defender Exclusion
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 546831, sample IO11QGTU2c, start date 31/12/2021, architecture WINDOWS, score 100. The graph image is not present; its node labels are laid out below as a process tree. Text in parentheses is a file dropped by that process, text in brackets lists the signatures attached to that node, and "injection signatures" stands for the triple "Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)".

Start [Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures]
  IO11QGTU2c.exe (dropped C:\Users\Public\Videos\hgfdfds.exe, PE32+)
    hgfdfds.exe [injection signatures]
      conhost.exe (dropped C:\Windows\System32\services64.exe, PE32+) [Adds a directory exclusion to Windows Defender]
        cmd.exe
          services64.exe [injection signatures]
            conhost.exe (dropped C:\Windows\System32\Microsoft\Libs\WR64.sys, PE32+) [Injects code into the Windows Explorer (explorer.exe); Drops executables to the windows directory (C:\Windows) and starts them; Writes to foreign memory regions; 4 other signatures]
              sihost64.exe [injection signatures]
                conhost.exe [Drops executables to the windows directory (C:\Windows) and starts them; Adds a directory exclusion to Windows Defender]
                  services64.exe [injection signatures]
                  cmd.exe [Adds a directory exclusion to Windows Defender]
                    conhost.exe
              explorer.exe [131.153.142.106, 49764, 80, SSASN2US United States; pool.hashvault.pro; System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)]
              cmd.exe [Adds a directory exclusion to Windows Defender]
                conhost.exe
                powershell.exe
                powershell.exe
          conhost.exe
        cmd.exe [Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender]
          powershell.exe
          conhost.exe
          powershell.exe
        cmd.exe
          conhost.exe
          schtasks.exe
  services64.exe [injection signatures]
    conhost.exe (dropped C:\Windows\System32\...\sihost64.exe, PE32+) [Injects code into the Windows Explorer (explorer.exe); Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes]
      sihost64.exe [injection signatures]
        conhost.exe
      explorer.exe [pool.hashvault.pro 131.153.56.98, 49770, 80, CWIEUS United States; System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)]
      cmd.exe
        powershell.exe
        conhost.exe
        powershell.exe
  svchost.exe [Changes security center settings (notifications, updates, antivirus, firewall)]
    MpCmdRun.exe
      conhost.exe
  8 other processes [127.0.0.1]
Threat name: Win64.Trojan.Donut
Status: Malicious
First seen: 2021-12-31 18:33:16 UTC
File Type: PE+ (Exe)
Extracted files: 33
AV detection: 14 of 27 (51.85%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner

Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: 81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0
MD5 hash: d3f2cbcaac871314b6923e9c31a2b2e1
SHA1 hash: e14c205d486af944b1909549db5f62bfec739e7e
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File: Executable exe 81fe52e70e3f0562d02591313a49d2b353bedc557fcc09d3d6093160de68f3d0 (this sample)

Delivery method
Distributed via web download

Comments

zbet commented on 2021-12-31 18:32:21 UTC

url : hxxp://data-host-coin-8.com/files/8994_1640876864_4460.exe