MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 967692708e762fda8ecb0b971aa06e33bca0b9d97b22ac7ffe8297df40a136dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 967692708e762fda8ecb0b971aa06e33bca0b9d97b22ac7ffe8297df40a136dd
SHA3-384 hash: 4566906adec48ae49cd17c64f7575a9a9021da54749d58dab5f8605a2a31122e39257bb8759bea6b4adc6bd3d74b718e
SHA1 hash: d0960adb4d7be498b72089a880b94ed305b9d99c
MD5 hash: 3c0f80a2feb1ba9cf781686c98dd6682
humanhash: avocado-emma-winner-emma
File name:967692708e762fda8ecb0b971aa06e33bca0b9d97b22ac7ffe8297df40a136dd
Download: download sample
Signature CoinMiner
Create hunting rule
File size:13'621'760 bytes
First seen:2020-11-15 23:12:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a4c086debcf38f11e988e6eba271f91 (2 x CoinMiner, 1 x Tofsee)
ssdeep 6144:usEBUPfo0U+krlllllllllllllllllllllllllllllllllllllllllllllllllld:c6no0Jk
Threatray 105 similar samples on MalwareBazaar
TLSH 02D64A4889643DCDC72A5E7C2FB3B716AC5CDC672DB28297254778CA29604C8DC50EEB
Reporter seifreed
Tags:CoinMiner

Intelligence

File Origin
# of uploads :
1
# of downloads :
453
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Tofsee-7174622-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Moving a file to the Windows subdirectory
Launching a process
Creating a service
Launching the process to change the firewall settings
Launching a service
Creating a process from a recently created file
DNS request
Creating a file in the Windows subdirectories
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun for a service
Sending a TCP request to an infection source
Unauthorized injection to a system process
Deleting of the original file
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Tofsee Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/537188
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files in alternative data streams (ADS)
Deletes itself after installation
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Tofsee
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 317695 Sample: VLmFsICPqL Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 61 z-p42-instagram.c10r.facebook.com 2->61 63 www.instagram.com 2->63 65 10 other IPs or domains 2->65 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus detection for dropped file 2->83 85 13 other signatures 2->85 9 zqjmtgsr.exe 2->9         started        12 VLmFsICPqL.exe 2 2->12         started        15 svchost.exe 9 1 2->15         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 95 Detected unpacking (changes PE section rights) 9->95 97 Detected unpacking (overwrites its own PE header) 9->97 99 Writes to foreign memory regions 9->99 101 2 other signatures 9->101 20 svchost.exe 3 1 9->20         started        53 C:\Users\user\AppData\Local\...\zqjmtgsr.exe, PE32 12->53 dropped 25 netsh.exe 3 12->25         started        27 cmd.exe 1 12->27         started        29 cmd.exe 2 12->29         started        31 3 other processes 12->31 73 127.0.0.1 unknown unknown 15->73 file6 signatures7 process8 dnsIp9 67 185.253.217.20, 419, 49723 PINDC-ASRU Ukraine 20->67 69 ip.pr-cy.hacklix.com 163.172.32.74 OnlineSASFR United Kingdom 20->69 71 26 other IPs or domains 20->71 51 C:\Windows\SysWOW64\...\systemprofile:.repos, data 20->51 dropped 87 System process connects to network (likely due to code injection or exploit) 20->87 89 Creates files in alternative data streams (ADS) 20->89 91 Deletes itself after installation 20->91 93 Injects a PE file into a foreign processes 20->93 33 svchost.exe 1 20->33         started        37 conhost.exe 25->37         started        39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        43 conhost.exe 31->43         started        45 conhost.exe 31->45         started        47 conhost.exe 31->47         started        file10 signatures11 process12 dnsIp13 55 ip02.gntl.co.uk 83.151.238.34, 40005, 49731 CERBERUSNETWORKS-ASGB United Kingdom 33->55 57 msr.pool.gntl.co.uk 33->57 59 pool.gntl.co.uk 33->59 75 System process connects to network (likely due to code injection or exploit) 33->75 49 conhost.exe 33->49         started        signatures14 77 Detected Stratum mining protocol 55->77 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/967692708e762fda8ecb0b971aa06e33bca0b9d97b22ac7ffe8297df40a136dd/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 23:14:24 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sz3je4eooyx5vdwlbolrvidogo6kboozpmrky776qkl56qfbg3oq._file
Verdict:
malicious
Similar samples:
075cd3a54a392266904da82ce77ad7f5f33c84e55357a1c6d9d35aadeed88132
CoinMiner
18661d2789da0d3f419d56ee265a29da03d6e46d510ce43d95c4e142dae1ef66
CoinMiner
1871587dfeba4fe175b8b51e8f9fc27c1df99fef0a16f09da1594542ee8ee1cb
CoinMiner
575a4ea0536e74d52c4dbd55a5f55563cf04e9f553d9a433caf0dc651800d022
CoinMiner
7914e269d4b5bbc6d0f7b195e319de2467219b58334e4637aa06b6176afea206
CoinMiner
8b1b9c7f469633319ad8e5d68ed8151c6c49a6fd7ba76d2a80beb3ce1674068c
CoinMiner
8d64110a77ed9fe2d9454816668d95ed000442a34bb558ca0447ebd8c08b30ba
CoinMiner
dd6e9c87b9bd8749f642b5063107a9f9b4b3690ac13f9d418a839618bae04452
CoinMiner
e19af916ee2e230b6beafbb6d5c84354947cb03a0aa08754f1d43edb2f88cf08
CoinMiner
f5c60cf3334fc3093cb2b7b6bcfa480bf87a74b4edd8830b97c1ee3b3e66cefd
CoinMiner
+ 95 additional samples on MalwareBazaar
Result
Malware family:
tofsee
Create hunting rule
Score:
  10/10
Tags:
family:tofsee evasion persistence trojan
Link:
https://tria.ge/reports/201115-mr3kgfxpha/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Drops file in System32 directory
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Deletes itself
Creates new service(s)
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Tofsee
Windows security bypass
Unpacked files
SH256 hash:
bce291fde30f149b3e32fb853187931000f1fea517b18833e9a6458dfd5b769e
MD5 hash:
a126be13725ddeb16068419b79ad55c1
SHA1 hash:
5b683eb6e9342b8cf1031fcc8e543e81dbb91eef
Detections:
win_tofsee_w0
Create hunting rule
Link:
https://www.unpac.me/results/4ed9b2f6-e027-4142-b204-09bca82e4743/
SH256 hash:
967692708e762fda8ecb0b971aa06e33bca0b9d97b22ac7ffe8297df40a136dd
MD5 hash:
3c0f80a2feb1ba9cf781686c98dd6682
SHA1 hash:
d0960adb4d7be498b72089a880b94ed305b9d99c
Link:
https://www.unpac.me/results/4ed9b2f6-e027-4142-b204-09bca82e4743/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/967692708e762fda8ecb0b971aa06e33bca0b9d97b22ac7ffe8297df40a136dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments