MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92d30855da0de535afe7d2b432108880f5d3766767c09c493defcb6c05c10448. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92d30855da0de535afe7d2b432108880f5d3766767c09c493defcb6c05c10448
SHA3-384 hash: 2af7302b57cae1a7123791856c472f5be5c05bb9144f50be8bed88cdbc7964ea59a3a40691c26b9aafa4c100bc353bcc
SHA1 hash: 036ec8483edb27f055033709c938d08da5a52a00
MD5 hash: a4b19a7b6636835f2ed27a90699e3151
humanhash: bulldog-alpha-finch-yellow
File name:Cheat_panel_3.04.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'651'456 bytes
First seen:2021-12-24 13:37:32 UTC
Last seen:2021-12-24 16:02:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bfd2dac39af50555ae9789117b36b66 (19 x CoinMiner, 2 x CoinMiner.XMRig)
ssdeep 49152:hBKVupsGuGZhlUexXbMBGpiZk4/CR+E3DdYvY2LbcSQM0foWCFYdvrh2aMMucII0:
Threatray 354 similar samples on MalwareBazaar
TLSH T1394633148FE11AB9C56C833474BF7F1E1BA09FD8408CA5A747E9A8EB036FB010917975
Reporter tech_skeech
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Cheat_panel_3.04.exe
Verdict:
No threats detected
Analysis date:
2021-12-24 13:39:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ff478df2-9de5-4dea-a32a-00932cd2259b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216170/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.79964.10455.18268.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3102/overview
Behaviour
MalwareBazaar
CallSleep
OpenProcessWithPrivileges
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
donut
Link:
https://www.filescan.io/uploads/61c5cd3f8991ba72b395963e/reports/09f0e7ee-6ed3-4867-badf-fb7954ed0f1e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4aa296ae-5efd-4d98-b3ca-ee23e7c2ed76
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912472
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sample is not signed and drops a device driver
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 544950 Sample: Cheat_panel_3.04.exe Startdate: 24/12/2021 Architecture: WINDOWS Score: 100 102 Malicious sample detected (through community Yara rule) 2->102 104 Multi AV Scanner detection for submitted file 2->104 106 Yara detected BitCoin Miner 2->106 108 5 other signatures 2->108 11 Cheat_panel_3.04.exe 5 2->11         started        15 services.exe 2->15         started        17 svchost.exe 2->17         started        19 9 other processes 2->19 process3 file4 82 C:\Users\user\AppData\...\services.exe, PE32+ 11->82 dropped 84 C:\Users\...\services.exe:Zone.Identifier, ASCII 11->84 dropped 86 C:\Users\user\...\Cheat_panel_3.04.exe.log, ASCII 11->86 dropped 128 Drops PE files with benign system names 11->128 21 cmd.exe 11->21         started        23 cmd.exe 1 11->23         started        26 cmd.exe 11->26         started        130 Multi AV Scanner detection for dropped file 15->130 132 Very long command line found 15->132 28 cmd.exe 15->28         started        134 Changes security center settings (notifications, updates, antivirus, firewall) 17->134 30 MpCmdRun.exe 17->30         started        signatures5 process6 signatures7 32 services.exe 21->32         started        36 conhost.exe 21->36         started        124 Encrypted powershell cmdline option found 23->124 126 Uses schtasks.exe or at.exe to add and modify task schedules 23->126 38 powershell.exe 19 23->38         started        40 powershell.exe 23 23->40         started        42 conhost.exe 23->42         started        49 2 other processes 26->49 44 powershell.exe 28->44         started        51 2 other processes 28->51 47 conhost.exe 30->47         started        process8 dnsIp9 78 C:\Users\user\AppData\...\sihost64.exe, PE32+ 32->78 dropped 80 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 32->80 dropped 94 Very long command line found 32->94 96 Writes to foreign memory regions 32->96 98 Allocates memory in foreign processes 32->98 100 3 other signatures 32->100 53 sihost64.exe 32->53         started        56 cmd.exe 32->56         started        58 conhost.exe 32->58         started        92 192.168.2.1 unknown unknown 44->92 file10 signatures11 process12 dnsIp13 110 Antivirus detection for dropped file 53->110 112 Writes to foreign memory regions 53->112 114 Allocates memory in foreign processes 53->114 116 Creates a thread in another existing process (thread injection) 53->116 61 conhost.exe 53->61         started        118 Encrypted powershell cmdline option found 56->118 63 conhost.exe 56->63         started        65 powershell.exe 56->65         started        67 powershell.exe 56->67         started        88 136.243.49.177, 4444, 49746 HETZNER-ASDE Germany 58->88 90 pool.minexmr.com 58->90 signatures14 120 Detected Stratum mining protocol 88->120 process15 process16 69 cmd.exe 61->69         started        signatures17 122 Encrypted powershell cmdline option found 69->122 72 conhost.exe 69->72         started        74 powershell.exe 69->74         started        76 powershell.exe 69->76         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92d30855da0de535afe7d2b432108880f5d3766767c09c493defcb6c05c10448/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-12-24 13:38:11 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0028d3b936c329c8bb2a7c17d677d9808eed4f46c123048100050819d1657464
CoinMiner
2b0cd91072bc81875fba4d9dc3b293500f110b57dd9d37028556fdb296705fb0
CoinMiner
38a2144651bd3980612f92a1cd2308adf10dd630d618ee05232bf1a8cf76444c
CoinMiner
7e6b525d20c679bb8241177f2e307bb9c5b9070e4846a033640eb45eafcf64ea
CoinMiner
b37e87a30c379dd3d84b2f9b5819cb32335d7230156d3ea01a7309502e9e6d0d
CoinMiner
c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf
CoinMiner
cdb8a234c896df8b45ee7bc0d69ecdaec0bfce73cacdb376048bcd3abb85a75d
CoinMiner
e67db91b7e8bcf1cf40735c556df7971af493cfd6b0fe4ffd25774ca7c31e070
CoinMiner
f7628c8d79594c4e2a0a231f98df314753206b9298e9c6cb7b589374db192cdb
CoinMiner
fa1a41ff82f9d6ca0473f9ac67f0d46e9576dd6608f9682d245f48ea872a3859
CoinMiner
+ 344 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211224-qxefhsecd2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
92d30855da0de535afe7d2b432108880f5d3766767c09c493defcb6c05c10448
MD5 hash:
a4b19a7b6636835f2ed27a90699e3151
SHA1 hash:
036ec8483edb27f055033709c938d08da5a52a00
Link:
https://www.unpac.me/results/50738a14-cb0d-4a8b-abcc-07ac86e2056b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92d30855da0de535afe7d2b432108880f5d3766767c09c493defcb6c05c10448

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 92d30855da0de535afe7d2b432108880f5d3766767c09c493defcb6c05c10448

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/216170/

Comments