MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99c24686e9ac15ec6914d314a1d72dd9a1ebece08fd1b8a75e00373051e82079. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 14

SHA256 hash: 99c24686e9ac15ec6914d314a1d72dd9a1ebece08fd1b8a75e00373051e82079
SHA3-384 hash: 9025b194ce1669200e04dbb5bc49bb31feab1eb41be2ced042bffb2d094ad0c0d945b362dd41318f56d77bf1669448e2
SHA1 hash: 54faa6396f179908918b4d5f1fdc4e99ad6fbb5c
MD5 hash: e3dd0bfe38b07d750d2c13da80d9155d
humanhash: coffee-east-april-river
File name: VespyBuilder.exe
Signature: CoinMiner
File size: 12'919'808 bytes
First seen: 2024-01-22 20:48:35 UTC
Last seen: 2024-01-22 22:20:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6f462fcc6b830b77fb3fef2add9dc570 (9 x CoinMiner, 3 x BitRAT, 2 x XWorm)
ssdeep: 393216:HaXuGHyMeW9/MkMVEoucpzXN78c6GxrLx:H6VDe4OAIx78c6CL
Threatray: 32 similar samples on MalwareBazaar
TLSH: T1BBD63399A03E4352E9936D365725E7BB09C68FC362B3C618AFD08CC3B1F6F1A5751182
TrID:
  30.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  12.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  9.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: c069b1d96464701c (1 x CoinMiner)
Reporter: e24111111111111
Tags: CoinMiner Crysan exe PureCrypt XenoRAT zgRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 525
Origin country: GR

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Sending a custom TCP request
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% directory
Creating a file
Deleting a system file
Running batch commands
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: coinminer packed

Result
Verdict: MALICIOUS
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: XenoRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates files with lurking names (e.g. Crack.exe)
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Potential dropper URLs found in powershell memory
Sigma detected: Scheduled temp file as task from temp location
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected XenoRAT
Behaviour
Behavior Graph ID: 1379071
Sample: VespyBuilder.exe
Startdate: 22/01/2024
Architecture: WINDOWS
Score: 100

Process tree, dropped files, network contacts and signatures recovered from the behavior graph (the graph image itself is not reproduced):

Sample start
  DNS: jctestwindows.airdns.org
  Signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Sigma detected: Scheduled temp file as task from temp location; 7 other signatures
  Started: VespyBuilder.exe, bauwrdgwodhv.exe, svchost.exe, 2 other processes

VespyBuilder.exe
  Dropped: C:\Users\user\AppData\...\KeyGeneratorTOP.exe (PE32+); C:\Users\user\AppData\...\WinHostMgr.exe (PE32+); C:\Users\user\AppData\...\WinErrorMgr.exe (PE32); C:\Users\user\AppData\Local\Temp\Ilkdt.exe (PE32)
  Signatures: Encrypted powershell cmdline option found; Creates files with lurking names (e.g. Crack.exe)
  Started: KeyGeneratorTOP.exe, WinHostMgr.exe, WinErrorMgr.exe, 2 other processes

bauwrdgwodhv.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file

svchost.exe
  Network: 127.0.0.1

KeyGeneratorTOP.exe
  Dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); C:\Users\user\AppData\Local\...\python312.dll (PE32+); 7 other malicious files
  Started: KeyGeneratorTOP.exe (child), conhost.exe
    KeyGeneratorTOP.exe (child) started chrome.exe
      chrome.exe: network 192.168.2.4 (ports 138, 443, 45010); 239.255.255.250 (Reserved); started chrome.exe (child)
        chrome.exe (child): DNS pogothere.xyz, ihavelearnat.xyz, 18 other IPs or domains
          ihavelearnat.xyz: Performs DNS queries to domains with low reputation

WinHostMgr.exe
  Dropped: C:\ProgramData\...\bauwrdgwodhv.exe (PE32+)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Uses powercfg.exe to modify the power settings; 2 other signatures
  Started: powershell.exe, cmd.exe, sc.exe, 12 other processes
    powershell.exe started conhost.exe, WmiPrvSE.exe
    cmd.exe started conhost.exe, wusa.exe
    sc.exe started conhost.exe
    12 other processes started 12 other processes

WinErrorMgr.exe
  Dropped: C:\Users\user\AppData\...\WinErrorMgr.exe (PE32)
  Started: WinErrorMgr.exe (child)
    WinErrorMgr.exe (child)
      Network: jctestwindows.airdns.org 185.104.184.43, port 45010 (M247GB, United Kingdom)
      Dropped: C:\Users\user\AppData\Local\...\tmp84E6.tmp (ASCII)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
      Started: schtasks.exe
        schtasks.exe started conhost.exe

2 other processes (started by VespyBuilder.exe)
  Signatures: Machine Learning detection for dropped file; Potential dropper URLs found in powershell memory
  Started: conhost.exe
    conhost.exe started conhost.exe
Threat name: Win32.Trojan.XenoRat
Status: Malicious
First seen: 2024-01-16 19:23:41 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 29 of 38 (76.32%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:zgrat evasion persistence pyinstaller rat
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Detects Pyinstaller
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Creates new service(s)
Stops running service(s)
Detect ZGRat V1
ZGRat
Unpacked files

SHA256 hash: 128ccee0f7eb201f9d9420880c027922cb3e2f9e39b288dfcfd807dc73ba904f
MD5 hash: c329ed931d2729509053eb089da3ee76
SHA1 hash: caf7675b8de63f5cbe33a2ec054bdcbf2b31afec

SHA256 hash: d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db
MD5 hash: e004a568b841c74855f1a8a5d43096c7
SHA1 hash: b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256 hash: bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e
MD5 hash: d499e979a50c958f1a67f0e2a28af43d
SHA1 hash: 1e5fa0824554c31f19ce01a51edb9bed86f67cf0

SHA256 hash: 99c24686e9ac15ec6914d314a1d72dd9a1ebece08fd1b8a75e00373051e82079
MD5 hash: e3dd0bfe38b07d750d2c13da80d9155d
SHA1 hash: 54faa6396f179908918b4d5f1fdc4e99ad6fbb5c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download

Signature: CoinMiner
File type: Executable exe
SHA256 hash: 99c24686e9ac15ec6914d314a1d72dd9a1ebece08fd1b8a75e00373051e82079 (this sample)

Comments