MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90fa2e42dccbe0cee20dc699258245acfcfca155ca771010c68539062f8db414. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90fa2e42dccbe0cee20dc699258245acfcfca155ca771010c68539062f8db414
SHA3-384 hash: baad15397b3f4c26f951a76a1db93384dff4a8a25a8d8d2f4fd6edf538040e9f7c6894419c8406d2f7736b562f06c30a
SHA1 hash: d34c38eed48d8893b234f476023c9cdb5098d82c
MD5 hash: 5c348974148e05088fa00a2eac27b3d7
humanhash: enemy-zebra-floor-low
File name:5c348974148e05088fa00a2eac27b3d7
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'064'896 bytes
First seen:2021-12-05 01:12:02 UTC
Last seen:2021-12-05 03:08:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:vL7RreVmCmRmIS4EDMacLdNzBOFX2Pm6T10dJXElT1:z7YWmIq45XBO92PmUyXER1
Threatray 526 similar samples on MalwareBazaar
TLSH T11DA5330E3134B1DDC557C637EAC90DB49E2074AA9623C11394E7A2EA6F4DA8BCF494D3
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5c348974148e05088fa00a2eac27b3d7
Verdict:
No threats detected
Analysis date:
2021-12-05 01:14:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e7ad3420-7437-4b27-8490-3edd8cb64da0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211393/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.712.8834.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
DNS request
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61ac12234d8e6f3a5e10cefe/reports/ad2b0e84-6d5c-4838-887b-93a109eed2ca/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ed4f26b-210e-4292-9aef-a9e184960a1a
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/901542
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534020 Sample: ulr2oxEkwV Startdate: 05/12/2021 Architecture: WINDOWS Score: 96 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected Xmrig cryptocurrency miner 2->40 42 3 other signatures 2->42 7 runtimebroker32.exe 6 2->7         started        11 ulr2oxEkwV.exe 5 2->11         started        process3 file4 28 C:\Users\user\AppData\...\sihost64.exe, PE32+ 7->28 dropped 44 Antivirus detection for dropped file 7->44 46 Machine Learning detection for dropped file 7->46 13 sihost64.exe 2 7->13         started        30 C:\Users\user\AppData\...\runtimebroker32.exe, PE32+ 11->30 dropped 32 C:\...\runtimebroker32.exe:Zone.Identifier, ASCII 11->32 dropped 34 C:\Users\user\AppData\...\ulr2oxEkwV.exe.log, ASCII 11->34 dropped 16 cmd.exe 1 11->16         started        18 cmd.exe 1 11->18         started        signatures5 process6 signatures7 48 Antivirus detection for dropped file 13->48 50 Uses schtasks.exe or at.exe to add and modify task schedules 16->50 20 conhost.exe 16->20         started        22 schtasks.exe 1 16->22         started        24 runtimebroker32.exe 3 18->24         started        26 conhost.exe 18->26         started        process8
Gathering data
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2021-12-05 05:06:34 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
20 of 27 (74.07%)
Threat level:
  2/5
Verdict:
suspicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
CoinMiner
25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7
CoinMiner
28ae75452f06cfa45dc41a0329aeff5630f92189188523cd6d663b98a4fbccc6
CoinMiner
2b0cd91072bc81875fba4d9dc3b293500f110b57dd9d37028556fdb296705fb0
CoinMiner
4a2c3f7e489652350d3fd9df4259c52e2a9be9eb507d011779079d1e57e0301d
CoinMiner
4ff85ed4a6ed753731533acba81fb31b38923cea1eff55ea524b1a7cbc48bc3b
CoinMiner
65a90f7ce88c21097bde9575109000efa1832a51d0cbd9c47ef701838884ca4f
CoinMiner
833990804d459870448fdb9a0f74f6b8f5c59d395a71da86f347cf7a74f858d2
CoinMiner
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
CoinMiner
f7628c8d79594c4e2a0a231f98df314753206b9298e9c6cb7b589374db192cdb
CoinMiner
+ 516 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211205-bk36saeeh7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
90fa2e42dccbe0cee20dc699258245acfcfca155ca771010c68539062f8db414
MD5 hash:
5c348974148e05088fa00a2eac27b3d7
SHA1 hash:
d34c38eed48d8893b234f476023c9cdb5098d82c
Link:
https://www.unpac.me/results/67ebbde3-3486-4c61-9b48-47d08da9badb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/90fa2e42dccb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90fa2e42dccbe0cee20dc699258245acfcfca155ca771010c68539062f8db414

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 90fa2e42dccbe0cee20dc699258245acfcfca155ca771010c68539062f8db414

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1852877/
Cape
Cape
https://www.capesandbox.com/analysis/211393/

Comments


Avatar
zbet commented on 2021-12-05 01:12:03 UTC

url : hxxp://host-file-coin-4.com/files/7737_1638647992_9191.exe