MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a58198274fe278903f5cc16907437a6198725be5bc248d2b6155cd702caf3ed3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 8

SHA256 hash: a58198274fe278903f5cc16907437a6198725be5bc248d2b6155cd702caf3ed3
SHA3-384 hash: 4c0813533e80c03931dc0449bd69a9eecc9150972595e18fb73310a7b469cd8a155a58f6e686b735ddb8cccaa32213d3
SHA1 hash: 5ad2eddbc8656a801ffde9ae8bee93ca5972834a
MD5 hash: 665d21893d1c5965bda02bfc43ea6871
humanhash: thirteen-mountain-jig-uniform
File name: 665d21893d1c5965bda02bfc43ea6871
Download: download sample
Signature: CoinMiner
File size: 2'000'384 bytes
First seen: 2021-08-27 08:17:28 UTC
Last seen: 2021-08-27 09:26:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 49152:UidLHrxljg+vatJsf+v7mltueHc0iSrhZfLn4qnAK:UiZrvUb9iseHc0lV
Threatray: 35 similar samples on MalwareBazaar
TLSH: T1F39533E01D143086ECE4CFBC5676278024E7B6F63D24ED7D5C6863FDB181C429A6B4AA
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 172
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: OneTap Loader.exe
Verdict: Malicious activity
Analysis date: 2021-08-20 02:09:42 UTC
Tags: trojan rat redline stealer loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour:
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Creating a file in the system32 directory
Sending a UDP request
Creating a file in the system32 subdirectories
Unauthorized injection to a recently created process
Enabling autorun by creating a file

Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: BitCoin Miner
Detection: malicious
Classification: evad.mine
Score: 92 / 100
Signature:
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph ID: 472755 (sample: 6tBTq2Srdu, start date: 27/08/2021, architecture: WINDOWS, score: 92)
Signatures on the submitted file: Multi AV Scanner detection for submitted file; Yara detected BitCoin Miner; Machine Learning detection for sample; 2 other signatures
Process tree recovered from the behavior graph (dropped files and signatures are listed under the process they belong to):

6tBTq2Srdu.exe (submitted sample)
    dropped: C:\Users\user\AppData\...\6tBTq2Srdu.exe.log (ASCII)
    signature: Adds a directory exclusion to Windows Defender
    -> cmd.exe
        -> svchost32.exe
            dropped: C:\Windows\System32\services32.exe (PE32+)
            dropped: C:\Windows\...\services32.exe:Zone.Identifier (ASCII)
            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them
            -> services32.exe
                signature: Adds a directory exclusion to Windows Defender
                -> cmd.exe
                    signature: Adds a directory exclusion to Windows Defender
                    -> conhost.exe, powershell.exe, powershell.exe, 2 other processes
            -> cmd.exe
                -> conhost.exe, schtasks.exe
            -> cmd.exe
                -> conhost.exe, choice.exe
        -> conhost.exe
    -> cmd.exe
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
        -> powershell.exe, powershell.exe, conhost.exe, 2 other processes

services32.exe (second root node in the graph)
    dropped: C:\Users\user\AppData\Local\...\svchost32.exe (PE32+)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    -> cmd.exe
        -> svchost32.exe
            dropped: C:\Windows\System32\...\sihost32.exe (PE32+)
            -> sihost32.exe
                signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            -> cmd.exe
                -> conhost.exe, schtasks.exe
            -> cmd.exe
                -> conhost.exe, choice.exe
        -> conhost.exe
    -> cmd.exe
        -> 5 other processes
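The sandbox signatures above (a Windows Defender exclusion added from PowerShell, schtasks.exe scheduling, executables dropped under C:\Windows and then started, script execution from the Temp folder) and the hashes in the Database Entry give a detection engineer two independent handles on this sample: exact-match IOCs and behaviour. The vendors quoted on this page do not agree on a family (CoinMiner, redline stealer and AgentTesla all appear), so the behaviours are the more durable signal. The Python script below is an added example, not code from MalwareBazaar or from any of the sandboxes quoted here. It runs a small set of rules modelled on those signatures over constructed Sysmon-style process-creation and file-creation events and flags any event whose hash matches this entry. The "key=value|key=value" event format, the command lines, paths and task name in the events, and the rule names are all assumptions made for the example; only the three hashes are taken from this entry, and the regexes only approximate the named Sigma rules rather than reproducing them.

```python
"""Behaviour and IOC triage for this MalwareBazaar entry.

Added example, not MalwareBazaar or sandbox-vendor code. Event lines are
constructed for the example; the "key=value|key=value" format is an assumption.
"""
import re
from dataclasses import dataclass, field

# The only real identifiers used here: hashes published in this entry.
SAMPLE_HASHES = {
    "sha256": "a58198274fe278903f5cc16907437a6198725be5bc248d2b6155cd702caf3ed3",
    "sha1": "5ad2eddbc8656a801ffde9ae8bee93ca5972834a",
    "md5": "665d21893d1c5965bda02bfc43ea6871",
}

# Rules approximating the sandbox signatures listed on the page. These are
# plain regexes written for the example, not the published Sigma rules.
DEFENDER_EXCLUSION = re.compile(
    r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*[/-]create\b", re.I)
WINDIR_EXE = re.compile(r"^[A-Za-z]:\\Windows\\.*\.exe$", re.I)
TEMP_SCRIPT = re.compile(r"\\Temp\\\S*\.(ps1|bat|cmd|vbs|js)\b", re.I)


@dataclass
class Event:
    kind: str                 # "process" (creation) or "filecreate"
    image: str                # image of the acting process
    cmdline: str = ""         # command line (process events)
    parent: str = ""          # parent image (process events)
    target: str = ""          # file written (filecreate events)
    hashes: dict = field(default_factory=dict)  # algo -> hex digest


def parse_event(line: str) -> Event:
    """Parse one constructed 'key=value|key=value' line into an Event."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    hashes = {}
    for item in filter(None, fields.get("hashes", "").split(",")):
        algo, _, digest = item.partition(":")
        hashes[algo.lower()] = digest.lower()
    return Event(kind=fields["kind"], image=fields.get("image", ""),
                 cmdline=fields.get("cmdline", ""), parent=fields.get("parent", ""),
                 target=fields.get("target", ""), hashes=hashes)


def evaluate(ev: Event, dropped: set) -> list:
    """Return the names of every rule the event trips (empty list if none).

    `dropped` is the set of executables seen written under C:\\Windows so far;
    it lets the 'drops executables ... and starts them' signature correlate a
    later process start with an earlier file write instead of guessing.
    """
    hits = []
    if ev.kind == "filecreate":
        # An executable written under C:\Windows by something that does not
        # itself live there, i.e. the services32.exe / sihost32.exe drops.
        if WINDIR_EXE.match(ev.target) and not WINDIR_EXE.match(ev.image):
            hits.append("exe_dropped_into_windows_dir")
            dropped.add(ev.target.lower())
    elif ev.kind == "process":
        if ev.image.lower() in dropped:
            hits.append("dropped_windir_exe_executed")     # "drops ... and starts them"
        if ev.image.lower().endswith("powershell.exe") and DEFENDER_EXCLUSION.search(ev.cmdline):
            hits.append("defender_exclusion_added")        # cf. Sigma: Powershell Defender Exclusion
        if SCHTASKS_CREATE.search(ev.cmdline):
            hits.append("scheduled_task_created")          # schtasks.exe persistence
        if TEMP_SCRIPT.search(ev.cmdline):
            hits.append("script_from_temp")                # cf. Sigma: Script Execution From Temp Folder
    for algo, digest in ev.hashes.items():
        if SAMPLE_HASHES.get(algo) == digest:
            hits.append("known_sample_" + algo)           # exact IOC match
    return hits


def triage(lines) -> list:
    """Evaluate every line in order; returns [(image, hits), ...]."""
    dropped = set()  # executables written under C:\Windows so far
    return [(ev.image, evaluate(ev, dropped)) for ev in map(parse_event, lines)]


# Constructed events mirroring the behavior graph above (paths, task name and
# command-line flags are assumptions for the example, not observed values).
CONSTRUCTED_EVENTS = [
    "kind=process|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|parent=C:\\Windows\\System32\\cmd.exe"
    "|cmdline=powershell -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\System32'",
    "kind=process|image=C:\\Windows\\System32\\schtasks.exe|parent=C:\\Windows\\System32\\cmd.exe"
    '|cmdline=schtasks /create /f /sc onlogon /tn "services32" /tr "C:\\Windows\\System32\\services32.exe"',
    "kind=filecreate|image=C:\\Users\\user\\AppData\\Local\\svchost32.exe"
    "|target=C:\\Windows\\System32\\services32.exe",
    "kind=process|image=C:\\Windows\\System32\\services32.exe"
    "|parent=C:\\Users\\user\\AppData\\Local\\svchost32.exe|cmdline=C:\\Windows\\System32\\services32.exe",
    "kind=process|image=C:\\Windows\\System32\\cmd.exe|parent=C:\\Users\\user\\AppData\\Local\\svchost32.exe"
    "|cmdline=cmd /c C:\\Users\\user\\AppData\\Local\\Temp\\run.bat",
    "kind=process|image=C:\\Users\\user\\Downloads\\hack1.exe|parent=C:\\Windows\\explorer.exe"
    "|cmdline=hack1.exe|hashes=SHA256:" + SAMPLE_HASHES["sha256"].upper(),
    "kind=process|image=C:\\Windows\\System32\\notepad.exe|parent=C:\\Windows\\explorer.exe"
    "|cmdline=notepad.exe C:\\Users\\user\\notes.txt",   # benign control event
]

if __name__ == "__main__":
    for image, hits in triage(CONSTRUCTED_EVENTS):
        name = image.rsplit("\\", 1)[-1]
        print(f"{name:<16} {', '.join(hits) or '-'}")
```

Two caveats before using anything like this outside a lab: the Add-MpPreference match is on the plain command line, so an -EncodedCommand or script-file invocation needs PowerShell script-block logging (event 4104) instead; and scheduled-task creation and Defender exclusions both have legitimate administrative uses, so these rules are for triage and enrichment, not blocking, and the task rule is best tightened to tasks whose /tr path points at a freshly written executable under C:\Windows, as the dropped-then-executed correlation does for process starts.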

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-08-20 01:35:00 UTC
AV detection: 20 of 27 (74.07%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files:
SHA256 hash: a58198274fe278903f5cc16907437a6198725be5bc248d2b6155cd702caf3ed3
MD5 hash: 665d21893d1c5965bda02bfc43ea6871
SHA1 hash: 5ad2eddbc8656a801ffde9ae8bee93ca5972834a

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File
Web download | CoinMiner | Executable exe a58198274fe278903f5cc16907437a6198725be5bc248d2b6155cd702caf3ed3 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-08-27 08:17:28 UTC

url: hxxp://a0572281.xsph.ru/hack1.exe