MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a044a7b7bad90beae6e290ffa6b7f36fc295c90472facf660045e21242a5c368. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a044a7b7bad90beae6e290ffa6b7f36fc295c90472facf660045e21242a5c368
SHA3-384 hash: 575fa8d3115c19edcaef7020f7523ae590e9e7e40942b05f67811617019f90ceaf4efa88b11c1801ec0e6d1ed34e0212
SHA1 hash: 9106ced726b52826cd1608f25af110cb8dae5465
MD5 hash: 00467bbcd4495d4968f0af46bccc7833
humanhash: lamp-undress-robin-wolfram
File name:00467bbcd4495d4968f0af46bccc7833
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'458'032 bytes
First seen:2021-11-05 00:31:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94e2b0572ac9e87d08b3c525a2cff4f7 (16 x RedLineStealer, 4 x RaccoonStealer, 2 x ArkeiStealer)
ssdeep 24576:nW8B3pHXmYX6T5zfXWSyZ+ugBRDJ8g1H8SZWdYJqZlkZoLXpn1f3xVgAAc:nWUpHX5uLXyMBLdXZWkqEZobpn1TA
TLSH T1416533CB48906672FAFD9E309A7DD509596D27CAB73293C875AF41328F63071CA0BD48
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00467bbcd4495d4968f0af46bccc7833
Verdict:
Suspicious activity
Analysis date:
2021-11-05 00:33:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4ed10047-b3b2-4b5f-bbe9-5e686ae6730d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202529/
Detection(s):
Win.Trojan.Generic-9905689-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61847b85c03a81a502411873/reports/a057db4e-c616-4435-8829-f93f2321a76a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09110ef9-3c28-4a44-a9ca-20f4a979b03d
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.troj.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/883638
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found detection on Joe Sandbox Cloud Basic with higher score
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to download and execute files (via powershell)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 516072 Sample: qoiN87uOrD.exe Startdate: 05/11/2021 Architecture: WINDOWS Score: 100 91 Sigma detected: Powershell download and execute file 2->91 93 Multi AV Scanner detection for submitted file 2->93 95 Yara detected BitCoin Miner 2->95 97 6 other signatures 2->97 14 qoiN87uOrD.exe 2->14         started        process3 signatures4 131 Query firmware table information (likely to detect VMs) 14->131 133 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->133 135 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 14->135 137 4 other signatures 14->137 17 AppLaunch.exe 14->17         started        20 WerFault.exe 23 9 14->20         started        process5 file6 89 Adds a directory exclusion to Windows Defender 17->89 23 cmd.exe 1 17->23         started        69 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->69 dropped signatures7 process8 signatures9 125 Suspicious powershell command line found 23->125 127 Tries to download and execute files (via powershell) 23->127 129 Adds a directory exclusion to Windows Defender 23->129 26 powershell.exe 23->26         started        28 powershell.exe 23->28         started        30 powershell.exe 15 17 23->30         started        34 4 other processes 23->34 process10 dnsIp11 37 monster.exe 26->37         started        40 monst.exe 28->40         started        83 antivirf.ru 81.177.141.85, 443, 49755, 49756 RTCOMM-ASRU Russian Federation 30->83 75 C:\Users\user\AppData\Roaming\monster.exe, PE32+ 30->75 dropped 77 C:\Users\user\AppData\Roaming\monst.exe, PE32 34->77 dropped 99 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->99 101 Powershell drops PE file 34->101 file12 signatures13 process14 dnsIp15 109 Writes to foreign memory regions 37->109 111 Allocates memory in foreign processes 37->111 113 Creates a thread in another existing process (thread injection) 37->113 43 conhost.exe 37->43         started        79 ip-api.com 208.95.112.1, 49758, 80 TUT-ASUS United States 40->79 81 api.telegram.org 149.154.167.220, 443, 49759 TELEGRAMRU United Kingdom 40->81 115 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->115 117 May check the online IP address of the machine 40->117 46 conhost.exe 40->46         started        signatures16 process17 file18 71 C:\Windows\System32\services32.exe, PE32+ 43->71 dropped 48 cmd.exe 43->48         started        51 cmd.exe 43->51         started        process19 signatures20 85 Drops executables to the windows directory (C:\Windows) and starts them 48->85 53 services32.exe 48->53         started        56 conhost.exe 48->56         started        87 Uses schtasks.exe or at.exe to add and modify task schedules 51->87 58 conhost.exe 51->58         started        60 schtasks.exe 51->60         started        process21 signatures22 119 Writes to foreign memory regions 53->119 121 Allocates memory in foreign processes 53->121 123 Creates a thread in another existing process (thread injection) 53->123 62 conhost.exe 53->62         started        process23 file24 73 C:\Windows\System32\...\sihost32.exe, PE32+ 62->73 dropped 139 Drops executables to the windows directory (C:\Windows) and starts them 62->139 66 sihost32.exe 62->66         started        signatures25 process26 signatures27 103 Writes to foreign memory regions 66->103 105 Allocates memory in foreign processes 66->105 107 Creates a thread in another existing process (thread injection) 66->107
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a044a7b7bad90beae6e290ffa6b7f36fc295c90472facf660045e21242a5c368/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2021-11-04 19:18:35 UTC
AV detection:
12 of 44 (27.27%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/211105-avmfcaaaf6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
Dropper Extraction:
https://antivirf.ru/monster.exe
https://antivirf.ru/monst.exe
Unpacked files
SH256 hash:
cd92f9a7aba0cec630e6e44f9435fac49914c7bdf3988e7202c2e443bc2e0c82
MD5 hash:
504cd8793131eb3c55aebcb5e9b75737
SHA1 hash:
e6ad04f976312a03279a9167826ee2851997067e
Link:
https://www.unpac.me/results/32966c85-9021-4313-8b5d-31ad91c3e470/
SH256 hash:
a044a7b7bad90beae6e290ffa6b7f36fc295c90472facf660045e21242a5c368
MD5 hash:
00467bbcd4495d4968f0af46bccc7833
SHA1 hash:
9106ced726b52826cd1608f25af110cb8dae5465
Link:
https://www.unpac.me/results/32966c85-9021-4313-8b5d-31ad91c3e470/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a044a7b7bad9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a044a7b7bad90beae6e290ffa6b7f36fc295c90472facf660045e21242a5c368

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe a044a7b7bad90beae6e290ffa6b7f36fc295c90472facf660045e21242a5c368

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1752897/
Cape
Cape
https://www.capesandbox.com/analysis/202529/

Comments