MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1d0727470709c53a1eacbfbf47eb4c9e83aff4c7ebf2161f8d925dd62c9cdaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1d0727470709c53a1eacbfbf47eb4c9e83aff4c7ebf2161f8d925dd62c9cdaf
SHA3-384 hash: 5d128849e9ca1e451d57a9f512687d6ed697adcbb4cdd077bafbf448bc97103c914ceb507198a863330a8ad032546232
SHA1 hash: 20db28a00c944fb9e764624532fc6568001c723c
MD5 hash: 97515f28bb9b97b67e47abdf7b802eb9
humanhash: red-mirror-timing-bacon
File name:SecuriteInfo.com.Trojan.InjectNET.14.31545.1818
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'043'904 bytes
First seen:2022-01-03 02:35:14 UTC
Last seen:2022-01-03 13:58:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:ccJOoKo3xab9FJDNIrMKHe4WUcMkKABnqHekj:/PKo3Qb9FJDNI3+z2+Q
Threatray 434 similar samples on MalwareBazaar
TLSH T18C9533622B5462E0DB7E65B815C03F2AC1B3C9E04138759B44E63FDC1AFCA46F924E97
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://gitlab.com/slavadurak23/opkppofqwkf/-/raw/main/ahahahaha.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-27 01:38:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/21e2ab39-9912-46f7-9474-f20031905b69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217112/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.14474.29003.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3709/overview
Behaviour
MalwareBazaar
CallSleep
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/61d26115ec6c6c14a9068839/reports/fdaf9f23-4bdd-4aa1-a75a-6e50a7cd6878/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d4b5d6b-bf1e-4c2b-8755-64a1f28a137c
Result
Threat name:
BitCoin Miner SilentXMRMiner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914702
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 547180 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 03/01/2022 Architecture: WINDOWS Score: 100 75 Multi AV Scanner detection for submitted file 2->75 77 Yara detected SilentXMRMiner 2->77 79 Yara detected BitCoin Miner 2->79 81 Sigma detected: Powershell Defender Exclusion 2->81 11 SecuriteInfo.com.Trojan.InjectNET.14.31545.exe 2->11         started        14 chefdrt.exe 2->14         started        process3 signatures4 103 Writes to foreign memory regions 11->103 105 Allocates memory in foreign processes 11->105 107 Creates a thread in another existing process (thread injection) 11->107 16 conhost.exe 5 11->16         started        109 Multi AV Scanner detection for dropped file 14->109 20 conhost.exe 3 14->20         started        process5 file6 67 C:\Windows\System32\chefdrt.exe, PE32+ 16->67 dropped 69 C:\Windows\...\chefdrt.exe:Zone.Identifier, ASCII 16->69 dropped 73 Adds a directory exclusion to Windows Defender 16->73 22 cmd.exe 1 16->22         started        25 cmd.exe 1 16->25         started        27 cmd.exe 1 16->27         started        29 cmd.exe 1 20->29         started        signatures7 process8 signatures9 87 Drops executables to the windows directory (C:\Windows) and starts them 22->87 31 chefdrt.exe 22->31         started        34 conhost.exe 22->34         started        89 Uses schtasks.exe or at.exe to add and modify task schedules 25->89 91 Adds a directory exclusion to Windows Defender 25->91 36 powershell.exe 22 25->36         started        38 powershell.exe 22 25->38         started        40 conhost.exe 25->40         started        42 conhost.exe 27->42         started        44 schtasks.exe 1 27->44         started        46 conhost.exe 29->46         started        48 2 other processes 29->48 process10 signatures11 111 Writes to foreign memory regions 31->111 113 Allocates memory in foreign processes 31->113 115 Creates a thread in another existing process (thread injection) 31->115 50 conhost.exe 4 31->50         started        process12 file13 71 C:\Windows\System32\...\sihost32.exe, PE32+ 50->71 dropped 83 Drops executables to the windows directory (C:\Windows) and starts them 50->83 85 Adds a directory exclusion to Windows Defender 50->85 54 sihost32.exe 50->54         started        57 cmd.exe 50->57         started        signatures14 process15 signatures16 93 Multi AV Scanner detection for dropped file 54->93 95 Writes to foreign memory regions 54->95 97 Allocates memory in foreign processes 54->97 99 Creates a thread in another existing process (thread injection) 54->99 59 conhost.exe 54->59         started        101 Adds a directory exclusion to Windows Defender 57->101 61 conhost.exe 57->61         started        63 powershell.exe 57->63         started        65 powershell.exe 57->65         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1d0727470709c53a1eacbfbf47eb4c9e83aff4c7ebf2161f8d925dd62c9cdaf/
Threat name:
Win64.Trojan.Wovdnut
Create hunting rule
Status:
Malicious
First seen:
2021-12-27 06:36:43 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
28 of 43 (65.12%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1701171f89917e432739335ca3db9960f49bf7616a3832b4951df3215ceb0334
CoinMiner
2fa8fb2ee024e1a7c5a27fd07f4892b5e4c13c1d71624086ef3594a0644ceffb
CoinMiner
36a143318fa67627e0b9351d7add36540248fc73b147a83cff6d97f2c39b63c0
CoinMiner
3d030fbfbe328bc4f276d565854f89189094ddb46dc1c6d36e8e9a438227279f
CoinMiner
7387dda5e2f645e2bdb9c2b366b4917a52a0535800580deb50f28e6790418ec9
CoinMiner
92561a2126c31ee34edef41557d2c312a3e1f4b9909c99d8ca23d3cae19ee173
CoinMiner
ade44175f9769fe9eb39588ce0d33707f75ea44ea15cb1e7823ff49725ac24aa
CoinMiner
b4a3cafc8553c06b17131e6b3afb38971312a4d91ae3349d2d118bdfc3d8de94
CoinMiner
e59a89138d5d7d96b4336b9323be581e35b3056180cc4fcf2844027534d5c189
CoinMiner
f3940f6c65cda4da86d1f9712223b8a278cd0dc90f701938a38a61ff74c66c66
CoinMiner
+ 424 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/220103-c3k9csahf7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
xmrig
Unpacked files
SH256 hash:
a1d0727470709c53a1eacbfbf47eb4c9e83aff4c7ebf2161f8d925dd62c9cdaf
MD5 hash:
97515f28bb9b97b67e47abdf7b802eb9
SHA1 hash:
20db28a00c944fb9e764624532fc6568001c723c
Link:
https://www.unpac.me/results/a7814bb1-620e-4334-86c8-20f88f37c085/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a1d072747070/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1d0727470709c53a1eacbfbf47eb4c9e83aff4c7ebf2161f8d925dd62c9cdaf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe a1d0727470709c53a1eacbfbf47eb4c9e83aff4c7ebf2161f8d925dd62c9cdaf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1942350/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217112/

Comments