MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ab1540601fb81b1cd944c35892222fc58bf62c475f966f3d7eb61ea5d23816d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ab1540601fb81b1cd944c35892222fc58bf62c475f966f3d7eb61ea5d23816d
SHA3-384 hash: 256603f5ebc6e2972399fc8a36be121a4bf80391bbc542c1e27c1f13a81d32852b2ffa1fcf9ca88087cad74084eff531
SHA1 hash: 18d61fa6e70e89c2476556fa67bc313884468114
MD5 hash: 65b03e046178e221163ffce721489026
humanhash: oklahoma-golf-hamper-charlie
File name:9876543234567898765.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'747'472 bytes
First seen:2021-12-15 09:13:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 24576:K5xolYQY60s+TBovPpsTVv6dn969BbdEJIW2tFpJizVosuLIiq1Ww9iBriuoRcxy:dYS+eyq969AJWFpkmW6w9iZ5oR9
Threatray 8'737 similar samples on MalwareBazaar
TLSH T1D185121B7E80201FD5A74EB01526B1A6B631AD221B95DD8F26C1778A31B6783F2F131F
File icon (PE):PE icon
dhash icon 00928e8e8686b800 (21 x Mofksys, 9 x CryptOne, 5 x Amadey)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9876543234567898765.exe
Verdict:
Malicious activity
Analysis date:
2021-12-15 10:55:21 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/0ebf7571-dd3a-4696-8351-8fc1a8f658c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214222/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

Win.Trojan.Kazy-304
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
DNS request
Launching a process
Unauthorized injection to a recently created process
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2102/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger overlay packed packed swisyn
Link:
https://www.filescan.io/uploads/61b9b1df81d232372002ed0b/reports/18a1ca7f-af38-428b-a871-14fbd96221c1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a70f93e-d674-4585-b6b2-90042e161ee7
Result
Threat name:
CryptOne Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/907939
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Interactive AT Job
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 540418 Sample: 9876543234567898765.exe Startdate: 15/12/2021 Architecture: WINDOWS Score: 100 119 Malicious sample detected (through community Yara rule) 2->119 121 Antivirus detection for dropped file 2->121 123 Antivirus / Scanner detection for submitted sample 2->123 125 19 other signatures 2->125 11 9876543234567898765.exe 1 4 2->11         started        15 explorer.exe 2->15         started        17 svchost.exe 2->17         started        19 5 other processes 2->19 process3 dnsIp4 87 C:\Users\user\...\9876543234567898765.exe, PE32 11->87 dropped 89 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 11->89 dropped 149 Installs a global keyboard hook 11->149 22 icsys.icn.exe 3 11->22         started        26 9876543234567898765.exe 7 11->26         started        151 Changes security center settings (notifications, updates, antivirus, firewall) 17->151 95 127.0.0.1 unknown unknown 19->95 file5 signatures6 process7 file8 75 C:\Windows\System\explorer.exe, PE32 22->75 dropped 129 Antivirus detection for dropped file 22->129 131 Machine Learning detection for dropped file 22->131 133 Drops executables to the windows directory (C:\Windows) and starts them 22->133 139 2 other signatures 22->139 28 explorer.exe 3 16 22->28         started        77 C:\Users\user\AppData\...\eyQEmDPByXb.exe, PE32 26->77 dropped 79 C:\Users\...\eyQEmDPByXb.exe:Zone.Identifier, ASCII 26->79 dropped 81 C:\Users\user\AppData\Local\...\tmpB787.tmp, XML 26->81 dropped 83 C:\Users\...\9876543234567898765.exe .log, ASCII 26->83 dropped 135 Adds a directory exclusion to Windows Defender 26->135 137 Injects a PE file into a foreign processes 26->137 33 9876543234567898765.exe 26->33         started        35 powershell.exe 26->35         started        37 schtasks.exe 26->37         started        signatures9 process10 dnsIp11 97 googlecode.l.googleusercontent.com 142.251.31.82, 49759, 49760, 49762 GOOGLEUS United States 28->97 99 vccmd03.googlecode.com 28->99 107 4 other IPs or domains 28->107 91 C:\Windows\System\spoolsv.exe, PE32 28->91 dropped 93 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 28->93 dropped 153 Antivirus detection for dropped file 28->153 155 System process connects to network (likely due to code injection or exploit) 28->155 157 Creates an undocumented autostart registry key 28->157 165 3 other signatures 28->165 39 spoolsv.exe 2 28->39         started        101 checkip.dyndns.com 132.226.8.169, 49775, 80 UTMEMUS United States 33->101 103 freegeoip.app 104.21.19.200, 443, 49777 CLOUDFLARENETUS United States 33->103 105 checkip.dyndns.org 33->105 159 Tries to steal Mail credentials (via file / registry access) 33->159 161 Tries to harvest and steal ftp login credentials 33->161 163 Tries to harvest and steal browser information (history, passwords, etc) 33->163 43 conhost.exe 35->43         started        45 conhost.exe 37->45         started        file12 signatures13 process14 file15 85 C:\Windows\System\svchost.exe, PE32 39->85 dropped 141 Antivirus detection for dropped file 39->141 143 Machine Learning detection for dropped file 39->143 145 Drops executables to the windows directory (C:\Windows) and starts them 39->145 147 2 other signatures 39->147 47 svchost.exe 3 4 39->47         started        signatures16 process17 dnsIp18 109 192.168.2.1 unknown unknown 47->109 73 C:\Users\user\AppData\Local\stsys.exe, PE32 47->73 dropped 111 Antivirus detection for dropped file 47->111 113 Detected CryptOne packer 47->113 115 Machine Learning detection for dropped file 47->115 117 3 other signatures 47->117 52 spoolsv.exe 47->52         started        55 at.exe 47->55         started        57 at.exe 47->57         started        59 18 other processes 47->59 file19 signatures20 process21 signatures22 127 Installs a global keyboard hook 52->127 61 conhost.exe 55->61         started        63 conhost.exe 57->63         started        65 conhost.exe 59->65         started        67 conhost.exe 59->67         started        69 conhost.exe 59->69         started        71 14 other processes 59->71 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ab1540601fb81b1cd944c35892222fc58bf62c475f966f3d7eb61ea5d23816d/
Threat name:
Win32.Trojan.Swisyn
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 07:39:04 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkyvibqb7oa3dtmujq2ysirc7rml6yweox4wn46x5nq6uxjdqfwq._file
Verdict:
malicious
Similar samples:
258e62e8aaed5cfbb6f02777162fa7b6d951e0c1062d60e99e2052f34404c27f
CoinMiner
57aa81416cfdbd76df2a15cb14810f8529ecab0eea978210a4ef3047f35a225e
CoinMiner
6593812d8bbcdc1f5ab79ff4ac2ec45c686a3706246fc766ba11ee828d9f7f9c
CoinMiner
7631235836aa6c88d58c25b9f4665d0c93c35b767d140ec9847e7c531a5d55aa
CoinMiner
863e79eefbefca07f2b0ff5689d6421ab1ec334b19466e066c744a8ad8495ad6
CoinMiner
9a44822008b9184aa988783e60654bf9d9311cb43fe96711e7cfe7aaf4e7756b
CoinMiner
a6ab3a1ec39d3a4c0660bbfdbe8cbbdd89d9278cca176d7bff77d7aab00dd7ed
CoinMiner
dedad3d7a97da9f0103dd87d86a422e38f581879c41ab07594d141eb303d2de9
CoinMiner
f2f2480af56f120f4d1f6586940ed898766a86509a2de41c5fea7f305d21b6fe
CoinMiner
+ 8'727 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:xmrig collection evasion keylogger miner persistence spyware stealer
Link:
https://tria.ge/reports/211215-k7bvgsaafj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops desktop.ini file(s)
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Installed Components in the registry
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Snake Keylogger
Snake Keylogger Payload
xmrig
Unpacked files
SH256 hash:
f8ee3ec61da05401295cfc650a604dc644a16a8d7afc9f090cd9f7a0d9300317
MD5 hash:
7e9f1e09d0aa634d949c26737c26ff3c
SHA1 hash:
cb6b35efc98d0656148907ce56268a964556664d
Link:
https://www.unpac.me/results/07c0490c-01cb-4326-9dc5-9e058628ab74/
SH256 hash:
e42838a855a1314bec20f5ce9c125162ea58b35314120345d40c3e71f26de1f3
MD5 hash:
62ac881e25db3ac1d5c9c403c32b44d5
SHA1 hash:
8f01939b933a1e50cd02bdbf3d6c38a77b274469
Link:
https://www.unpac.me/results/07c0490c-01cb-4326-9dc5-9e058628ab74/
SH256 hash:
6dd174af11959147512c9a984d3590056b08a8aeca6a421fb378a35e3547cb2d
MD5 hash:
8f1b714fa03b42cb3c77272e783afef2
SHA1 hash:
47244033b78ea6e45dc937895982778740d31ce7
Link:
https://www.unpac.me/results/07c0490c-01cb-4326-9dc5-9e058628ab74/
SH256 hash:
8ab1540601fb81b1cd944c35892222fc58bf62c475f966f3d7eb61ea5d23816d
MD5 hash:
65b03e046178e221163ffce721489026
SHA1 hash:
18d61fa6e70e89c2476556fa67bc313884468114
Link:
https://www.unpac.me/results/07c0490c-01cb-4326-9dc5-9e058628ab74/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ab1540601fb81b1cd944c35892222fc58bf62c475f966f3d7eb61ea5d23816d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

CoinMiner

Executable exe 8ab1540601fb81b1cd944c35892222fc58bf62c475f966f3d7eb61ea5d23816d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/214222/

Comments