MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9800fc9d430775d5d589dca968cf9973a6386cd48e393f14891e611c4872f132. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9800fc9d430775d5d589dca968cf9973a6386cd48e393f14891e611c4872f132
SHA3-384 hash: 0fe2b69c1ceacf936f49a30b595f9d51227399c8f91e969063c62064af9433f77b0151f6ded4760df9e4ba846465c1b2
SHA1 hash: b31e144d30f77f77c03347319b4e2909c8e9036f
MD5 hash: ea23c02fe4b5ae3da838a07023c532dd
humanhash: butter-indigo-robert-beer
File name:stubInf.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:712'645 bytes
First seen:2024-10-05 19:51:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b1c5b1beabd90d9fdabd1df0779ea832 (11 x CoinMiner, 10 x QuasarRAT, 8 x AsyncRAT)
ssdeep 12288:pyveQB/fTHIGaPkKEYzURNAwbAg/FzWqEEgalREwsYZnmzM0uptjC:puDXTIGaPhEYzUzA0rWogIBRVm4NptjC
Threatray 3 similar samples on MalwareBazaar
TLSH T1FCE4BF09E79808FBD0B7E57889524906F3F93C493360FA8F13A565661F773A89E2B311
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon 64d4e8f0f0f8c4d4 (1 x CoinMiner)
Reporter imperialwool
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
427
Origin country :
BY BY
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
stubInf.exe
Verdict:
Malicious activity
Analysis date:
2024-10-05 19:52:22 UTC
Tags:
github
Link:
https://app.any.run/tasks/9da9e0ab-3972-4a4e-bd0e-7b1341be4582

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Nanocore-9986456-0
Create hunting rule

Win.Malware.Bladabindi-10008357-0
Create hunting rule

Win.Packed.Bladabindi-10017056-0
Create hunting rule

Win.Malware.Zenpak-10017873-0
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670198e2b932c04ee8fd2dcd
Tags:
Powershell Emotet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint installer lolbin microsoft_visual_cc overlay packed setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/670198e35553b9e099abb873/reports/baf47747-3ece-441e-9bc2-158e6f7b06cb/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/9800fc9d430775d5d589dca968cf9973a6386cd48e393f14891e611c4872f132
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc25ec2c-0174-4e06-96bf-eac845d45301
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
spre.bank.adwa.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1526463
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates autorun.inf (USB autostart)
Creates multiple autostart registry keys
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Enables a proxy for the internet explorer
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets a proxy for the internet explorer
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1526463 Sample: stubInf.exe Startdate: 05/10/2024 Architecture: WINDOWS Score: 100 138 102.16.14.0.in-addr.arpa 2->138 140 shed.dual-low.s-part-0017.t-0009.t-msedge.net 2->140 142 5 other IPs or domains 2->142 150 Malicious sample detected (through community Yara rule) 2->150 152 Multi AV Scanner detection for submitted file 2->152 154 Yara detected UAC Bypass using CMSTP 2->154 156 9 other signatures 2->156 14 stubInf.exe 9 2->14         started        17 explorer.exe 2->17         started        20 cmd.exe 2->20         started        22 5 other processes 2->22 signatures3 process4 file5 190 Machine Learning detection for dropped file 14->190 24 cmd.exe 1 14->24         started        108 C:\Windows\Temp\ewr1axdr.exe, PE32 17->108 dropped 110 C:\Windows\Temp\dyqoohcj.inf, Windows 17->110 dropped 192 Antivirus detection for dropped file 17->192 194 Query firmware table information (likely to detect VMs) 17->194 196 Hides threads from debuggers 17->196 27 cmstp.exe 17->27         started        198 Drops executables to the windows directory (C:\Windows) and starts them 20->198 29 lpnvg1n5.exe 20->29         started        31 conhost.exe 20->31         started        33 ewr1axdr.exe 22->33         started        35 conhost.exe 22->35         started        37 conhost.exe 22->37         started        39 conhost.exe 22->39         started        signatures6 process7 signatures8 170 Suspicious powershell command line found 24->170 41 powershell.exe 14 30 24->41         started        46 conhost.exe 24->46         started        48 cmd.exe 1 24->48         started        172 Antivirus detection for dropped file 29->172 174 Protects its processes via BreakOnTermination flag 29->174 176 Machine Learning detection for dropped file 29->176 process9 dnsIp10 144 github.com 140.82.121.3, 443, 49730, 49731 GITHUBUS United States 41->144 146 raw.githubusercontent.com 185.199.110.133, 443, 49732 FASTLYUS Netherlands 41->146 120 C:\Windows\SysWOW64\Winscreen.exe, PE32+ 41->120 dropped 122 \Device\ConDrv, ASCII 41->122 dropped 178 Injects code into the Windows Explorer (explorer.exe) 41->178 180 Drops executables to the windows directory (C:\Windows) and starts them 41->180 182 Writes to foreign memory regions 41->182 184 2 other signatures 41->184 50 Winscreen.exe 41->50         started        54 svchost.exe 41->54 injected 56 svchost.exe 41->56 injected 58 12 other processes 41->58 file11 signatures12 process13 file14 112 C:\Users\user\AppData\Roaming\upx.exe, PE32 50->112 dropped 114 C:\Users\user\AppData\Roaming\taskmoder.exe, PE32 50->114 dropped 116 C:\Users\user\AppData\Roaming\explorer.exe, PE32 50->116 dropped 118 C:\Users\user\AppData\Local\...\taskmen.exe, PE32 50->118 dropped 158 Antivirus detection for dropped file 50->158 160 Multi AV Scanner detection for dropped file 50->160 162 Query firmware table information (likely to detect VMs) 50->162 168 7 other signatures 50->168 60 taskmen.exe 50->60         started        65 taskmoder.exe 50->65         started        67 explorer.exe 50->67         started        73 7 other processes 50->73 164 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 54->164 166 Queries temperature or sensor information (via WMI often done to detect virtual machines) 54->166 69 WMIADAP.exe 56->69         started        71 WmiPrvSE.exe 56->71         started        signatures15 process16 dnsIp17 148 127.0.0.1 unknown unknown 60->148 124 C:\Users\user\Desktop\stubInf.exe, PE32 60->124 dropped 126 C:\Users\user\AppData\Roaming\...\taskmen.exe, PE32 60->126 dropped 128 C:\Users\user\AppData\Local\...\h30r3teg.inp, PE32 60->128 dropped 136 3 other malicious files 60->136 dropped 200 Query firmware table information (likely to detect VMs) 60->200 202 Creates autorun.inf (USB autostart) 60->202 204 Machine Learning detection for dropped file 60->204 216 2 other signatures 60->216 130 C:\ProgramData\winlog.vbs, Unicode 65->130 dropped 206 Antivirus detection for dropped file 65->206 208 Sets a proxy for the internet explorer 65->208 210 Hides threads from debuggers 65->210 212 Enables a proxy for the internet explorer 65->212 75 cmd.exe 65->75         started        77 cmd.exe 65->77         started        79 cmd.exe 65->79         started        132 C:\Windows\Temp\lpnvg1n5.exe, PE32 67->132 dropped 134 C:\Windows\Temp\zkhdeoi3.inf, Windows 67->134 dropped 81 cmstp.exe 67->81         started        214 Loading BitLocker PowerShell Module 73->214 83 conhost.exe 73->83         started        85 conhost.exe 73->85         started        87 conhost.exe 73->87         started        89 3 other processes 73->89 file18 signatures19 process20 process21 91 wscript.exe 75->91         started        94 conhost.exe 75->94         started        96 wscript.exe 75->96         started        98 conhost.exe 77->98         started        100 choice.exe 77->100         started        102 conhost.exe 79->102         started        signatures22 186 Creates an undocumented autostart registry key 91->186 188 Windows Scripting host queries suspicious COM object (likely to drop second stage) 91->188 104 taskkill.exe 91->104         started        process23 process24 106 conhost.exe 104->106         started       
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9800fc9d430775d5d589dca968cf9973a6386cd48e393f14891e611c4872f132
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9800fc9d430775d5d589dca968cf9973a6386cd48e393f14891e611c4872f132/
Threat name:
Win64.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2024-10-05 19:52:04 UTC
File Type:
PE+ (Exe)
Extracted files:
18
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=taapzhkda525lvmj3suwrt4zootdq3gury4t6fejdzqrysds6eza._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
sectoprat
Create hunting rule
r77_core
Create hunting rule
Similar samples:
7cbcd631a4e13b12f1577b073d66c0ff99a3b1d59589e8064cda7b1a06d7cfac
CoinMiner
d66ce2f63139ffdc5a9eeff9ca44b17f82a36a3f8713f959e59997e850ccdbbf
CoinMiner
error
CoinMiner
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution
Link:
https://tria.ge/reports/241005-ylc3bawaqh/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/07f2c306-d738-4f1c-8d52-f57f9e2785e8
Unpacked files
SH256 hash:
9800fc9d430775d5d589dca968cf9973a6386cd48e393f14891e611c4872f132
MD5 hash:
ea23c02fe4b5ae3da838a07023c532dd
SHA1 hash:
b31e144d30f77f77c03347319b4e2909c8e9036f
Link:
https://www.unpac.me/results/edd06be8-2006-49cc-b7d5-030dba3767fa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9800fc9d4307/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9800fc9d430775d5d589dca968cf9973a6386cd48e393f14891e611c4872f132

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments