MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99a4483312a49933b40f2ce227cdc2a820a595eb465bc488a97e5e59fd94843e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CoinMiner
Vendor detections: 7

SHA256 hash: 99a4483312a49933b40f2ce227cdc2a820a595eb465bc488a97e5e59fd94843e
SHA3-384 hash: bb36735ede3873291ba985d8c3fbd798e9f5a3d783c3e274b1b45ff6d545eee592ae0a218fbdadac0cabf5f25a5ea2ec
SHA1 hash: b4b5cfdcf7495119844ec6e11c4b57b9140d0f33
MD5 hash: e7a9fd8fe16de7cb4175a4e098362fcd
humanhash: harry-william-oxygen-alaska
File name: e7a9fd8fe16de7cb4175a4e098362fcd
Signature: CoinMiner
File size: 46'592 bytes
First seen: 2021-09-02 01:36:01 UTC
Last seen: 2021-09-02 04:39:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 768:r5Ks3PvEzBIX2uBByrWOJudDbKzN7qneNeMbJOUF9tCJSK:rMcvEzmpsWGiHm2UJBF9NK
Threatray: 51 similar samples on MalwareBazaar
TLSH: T1BB23E11077F88517FAB38F3604A973D25E34F6A2E610C72E6440516C5E3AB24EB422AA
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 186
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: e7a9fd8fe16de7cb4175a4e098362fcd
Verdict: No threats detected
Analysis date: 2021-09-02 01:40:42 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour:
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: BitCoin Miner
Detection: malicious
Classification: evad.mine
Score: 88 / 100
Signature:
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph ID 476167 (sample 42Er2WbbDS, start date 02/09/2021, architecture WINDOWS, score 88). Signatures at the graph root: Multi AV Scanner detection for submitted file; Yara detected BitCoin Miner; Machine Learning detection for sample; 2 other signatures. Process tree recovered from the graph:
    42Er2WbbDS.exe
        dropped: C:\Users\user\AppData\Local\...\svchost64.exe (PE32+); C:\Users\user\AppData\...\42Er2WbbDS.exe.log (ASCII)
        signature: Adds a directory exclusion to Windows Defender
        cmd.exe
            svchost64.exe (signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file)
                cmd.exe
                    conhost.exe
                    schtasks.exe
                WerFault.exe
            conhost.exe
        cmd.exe (signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender)
            powershell.exe
            powershell.exe
            conhost.exe
            2 other processes
    cmd.exe
        conhost.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-08-29 18:38:37 UTC
AV detection: 21 of 27 (77.78%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour:
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
xmrig

Unpacked files
SHA256 hash: 99a4483312a49933b40f2ce227cdc2a820a595eb465bc488a97e5e59fd94843e
MD5 hash: e7a9fd8fe16de7cb4175a4e098362fcd
SHA1 hash: b4b5cfdcf7495119844ec6e11c4b57b9140d0f33
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256: 99a4483312a49933b40f2ce227cdc2a820a595eb465bc488a97e5e59fd94843e (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2021-09-02 01:36:03 UTC

url : hxxp://81.163.246.9/rvn.exe