MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96b3aa4520797806ccaf670897eaead29ac9dd3f9a6add879e2d93f7e2557513. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CoinMiner
Vendor detections: 9

SHA256 hash: 96b3aa4520797806ccaf670897eaead29ac9dd3f9a6add879e2d93f7e2557513
SHA3-384 hash: 11e30dbd4a319807199f51db3cfed7b11a84ad950b52bafce52690924f736cf95a95a24042aad6adaf0763dcad080d42
SHA1 hash: 8557048030f0397a830889a75442770288b62163
MD5 hash: 1c8758560b8877a094c657efa9b45125
humanhash: victor-floor-bulldog-apart
File name: 1c8758560b8877a094c657efa9b45125.exe
Signature: CoinMiner
File size: 3'259'904 bytes
First seen: 2022-03-08 18:07:33 UTC
Last seen: 2022-03-08 19:55:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2f084553d02ee9faa371daf024a1480c (3 x CoinMiner)
ssdeep: 49152:suSEyjSA5ae5UlcEhLVULAvXSENQOkCIHU4Sw731uiS6Je3Z1A4znOh/ESO:suCjf0epEhLV4+XHNnkdacF+Z1ZOKSO
Threatray: 158 similar samples on MalwareBazaar
TLSH: T142E501FD71843B1CC42A89349523FE14B271402E1EF999BA74D7BAD07FAB811D646F22
Reporter: abuse_ch
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 224
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 0/10
Tags: n/a
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Phoenix Miner
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Phoenix Miner
Behaviour
Behavior Graph: ID 585360, sample 15p5VAii7b.exe, start date 08/03/2022, architecture WINDOWS, score 100. The rendered graph is not reproducible as text; it traces the dropped files under %AppData%, the injection into explorer.exe, and the curl.exe child processes making outbound connections.
Threat name: Win64.Backdoor.Androm
Status: Malicious
First seen: 2022-02-27 02:25:13 UTC
File Type: PE+ (Exe)
AV detection: 25 of 42 (59.52%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence upx
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
UPX packed file
Unpacked files
SHA256 hash: 96b3aa4520797806ccaf670897eaead29ac9dd3f9a6add879e2d93f7e2557513
MD5 hash: 1c8758560b8877a094c657efa9b45125
SHA1 hash: 8557048030f0397a830889a75442770288b62163

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Web download
Signature: CoinMiner
File: Executable exe 96b3aa4520797806ccaf670897eaead29ac9dd3f9a6add879e2d93f7e2557513 (this sample)

Delivery method
Distributed via web download

Comments