MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99c01d1fd62da5b29fb9b5335319ae532d30679f39096284ee2da359a411b529. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99c01d1fd62da5b29fb9b5335319ae532d30679f39096284ee2da359a411b529
SHA3-384 hash: 060638de2df7b1c2e036fc03cb74b9168711ed4bceba02f9c331a2845d5104a369474088e9c0a74df14c09f01cba55cc
SHA1 hash: f584f846f46cce8c6697f2cba01f5184360a34a1
MD5 hash: f74f67f98a700f27d7a894a630e73077
humanhash: quiet-blossom-diet-bacon
File name:SecuriteInfo.com.Trojan.DownLoader44.40553.568.24582
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'290'112 bytes
First seen:2022-02-22 19:23:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 629d572bad2dcff0fc429ecaf29f92a3 (2 x CoinMiner)
ssdeep 98304:RK5C/ErkKaRBnQNtDFtdndcTDixRv5wxGVyk7:RK5C/Er4RBWh6TDeD
Threatray 113 similar samples on MalwareBazaar
TLSH T17AE502BDA24033D8C01AC5381533ED46F1F6262F56E4D6EABADF7AC0376E511D942B0A
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bit.ly/Fortnite_Hackv2
Verdict:
Malicious activity
Analysis date:
2022-02-21 23:06:27 UTC
Tags:
trojan stealer raccoon loader rat redline
Link:
https://app.any.run/tasks/cd7ec4a1-1ce2-4174-a297-ce478bdfd42a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/243432/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.40553.568.24582.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Creating a process from a recently created file
Searching for synchronization primitives
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7047/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/62153856875593a3cc04fffa/reports/60e824a1-35f2-49d6-8ebd-376fecd5393a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46f3395a-8e84-4544-881c-07a146e0187d
Result
Threat name:
Phoenix Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944249
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Phoenix Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 576727 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 22/02/2022 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Multi AV Scanner detection for domain / URL 2->80 82 Antivirus detection for URL or domain 2->82 84 6 other signatures 2->84 9 SecuriteInfo.com.Trojan.DownLoader44.40553.568.exe 1 4 2->9         started        14 RegHost.exe 1 2->14         started        process3 dnsIp4 76 185.137.234.33, 49754, 8080 SELECTELRU Russian Federation 9->76 70 C:\Users\user\AppData\...\RegModule.exe, PE32+ 9->70 dropped 72 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 9->72 dropped 74 C:\Users\user\AppData\Roaming\...\RegData.exe, PE32+ 9->74 dropped 88 Injects code into the Windows Explorer (explorer.exe) 9->88 90 Writes to foreign memory regions 9->90 92 Allocates memory in foreign processes 9->92 100 2 other signatures 9->100 16 explorer.exe 2 9->16         started        18 bfsvc.exe 1 9->18         started        21 curl.exe 1 9->21         started        23 conhost.exe 9->23         started        94 Multi AV Scanner detection for dropped file 14->94 96 Machine Learning detection for dropped file 14->96 98 Modifies the context of a thread in another process (thread injection) 14->98 25 explorer.exe 2 14->25         started        27 bfsvc.exe 1 14->27         started        29 conhost.exe 14->29         started        file5 signatures6 process7 signatures8 31 RegHost.exe 16->31         started        34 curl.exe 1 16->34         started        46 13 other processes 16->46 86 Hides threads from debuggers 18->86 36 conhost.exe 18->36         started        38 conhost.exe 21->38         started        40 RegHost.exe 25->40         started        48 10 other processes 25->48 42 conhost.exe 27->42         started        44 conhost.exe 29->44         started        process9 signatures10 102 Modifies the context of a thread in another process (thread injection) 31->102 104 Injects a PE file into a foreign processes 31->104 50 conhost.exe 34->50         started        52 conhost.exe 46->52         started        54 conhost.exe 46->54         started        56 conhost.exe 46->56         started        64 9 other processes 46->64 58 conhost.exe 48->58         started        60 conhost.exe 48->60         started        62 conhost.exe 48->62         started        66 6 other processes 48->66 process11 process12 68 conhost.exe 50->68         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99c01d1fd62da5b29fb9b5335319ae532d30679f39096284ee2da359a411b529/
Threat name:
Win64.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-02-21 19:46:00 UTC
File Type:
PE+ (Exe)
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
09b9283286463b35ea2d5abfa869110eb124eb8c1788eb2630480d058e82abf2
CoinMiner
2da24494535db516936e3fdf11f46423c3be7abd33afab194bd93388ab89b0cb
CoinMiner
3daecc42461e0c62077a67db5a175d393ed2db45e5be5a87bc69454981890e33
CoinMiner
9bd02c78d6dc379e0906312cbf3feee3df113f1837cd41d4e13b0d07e96c5233
CoinMiner
d057f4f00abe0297d81c25d6a1475c495b5784930ce77ca0b63bf2bad720b5e1
CoinMiner
dd469d067ee8f95f77fa9de6ae88c95e3a3d1b35c908c04eeba82a46316d1990
CoinMiner
fdb9272c85d1af641c164085e524b70517beb4fdf5cf764ba56df3bebf14e2c7
CoinMiner
+ 103 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/220222-x4dk5aeacj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
99c01d1fd62da5b29fb9b5335319ae532d30679f39096284ee2da359a411b529
MD5 hash:
f74f67f98a700f27d7a894a630e73077
SHA1 hash:
f584f846f46cce8c6697f2cba01f5184360a34a1
Link:
https://www.unpac.me/results/afc3d891-2c33-490b-9a3a-7d03aae4bc40/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99c01d1fd62da5b29fb9b5335319ae532d30679f39096284ee2da359a411b529

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 99c01d1fd62da5b29fb9b5335319ae532d30679f39096284ee2da359a411b529

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2053691/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/243432/

Comments