MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba
SHA3-384 hash: b41264b0de0fb237571f60cca060a00e0755848fe415bbf10ecd005eefdeed820e07b01f31c5edecf57ba041625b9a13
SHA1 hash: e91aff3d9a8c7cef0e9543350864971e4ad93f82
MD5 hash: e7bf9f0c2c1977ddd8e139c13c27be0d
humanhash: lima-asparagus-december-stream
File name:e7bf9f0c2c1977ddd8e139c13c27be0d
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'842'624 bytes
First seen:2023-05-23 14:26:42 UTC
Last seen:2023-05-23 15:51:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 49152:552sxwTr/VsoJteujcnqNwelN/z52r7zj9n0cqv/3SYd:55jxa3JteujcncNNQzj9hqXCY
Threatray 23 similar samples on MalwareBazaar
TLSH T1A9D5CF7C86B50EB7D0F7C7E457C4B817BAADAB33B10C9A2145D2439D026F96224DE42E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
326
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e7bf9f0c2c1977ddd8e139c13c27be0d
Verdict:
Malicious activity
Analysis date:
2023-05-23 14:28:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/20fceb4c-2729-41f0-b75d-e5c7da084fef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Heur.17718.24665.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/646ccd3763d8dda9d0ac6b06/reports/374d4d01-030e-46a3-8387-22f9e864ff53/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Taily
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb58345f-1ca2-438b-a836-9ae9046c3b0e
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1240914
Signature
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 873923 Sample: Vsob3IooE7.exe Startdate: 23/05/2023 Architecture: WINDOWS Score: 100 41 Sigma detected: Xmrig 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AntiVM3 2->45 47 6 other signatures 2->47 8 Vsob3IooE7.exe 3 2->8         started        12 Vsob3IooE7.exe 2 2->12         started        14 Vsob3IooE7.exe 2->14         started        16 Vsob3IooE7.exe 2->16         started        process3 file4 35 C:\Users\user\AppData\...\Vsob3IooE7.exe.log, ASCII 8->35 dropped 49 Injects a PE file into a foreign processes 8->49 18 Vsob3IooE7.exe 1 4 8->18         started        21 Vsob3IooE7.exe 8->21         started        23 Vsob3IooE7.exe 8->23         started        signatures5 process6 file7 31 C:\Users\user\AppData\Roaming\...\Driver.exe, MS-DOS 18->31 dropped 33 C:\Users\user\AppData\Roaming\...\Driver.url, MS 18->33 dropped 25 Driver.exe 1 18->25         started        process8 dnsIp9 37 pool-fr.supportxmr.com 141.94.96.144, 3333, 49715 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 25->37 39 pool.supportxmr.com 25->39 51 Multi AV Scanner detection for dropped file 25->51 53 Machine Learning detection for dropped file 25->53 29 conhost.exe 25->29         started        signatures10 55 Detected Stratum mining protocol 37->55 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-23 14:27:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uyk2frshxtr3m72dzamkp7mxfjstuyc67tudw7vw6oh3g5hmr25a._file
Verdict:
malicious
Similar samples:
15791f0ceae7a162d3280af791cd8837705a7ccb6248bbfc3184cc3306ec4a57
CoinMiner
19561969de9f77cf014c808177cbc5113576d07573d16706226e32c2277374b7
CoinMiner
217265e900ce6d8b7750e25c9d4560715f2e58be5a2aa9210ba4f9974ae760c8
CoinMiner
5bc457579941e276a1ad34f285a12d4a40febb92cafd37ac0ab8c476c240912a
CoinMiner
8d969f9014e5f4c7d2385b96c8a00870e634d271106cb6e684183e012e56aa8e
CoinMiner
9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9
CoinMiner
b4775eb6d51dc4621171d1a378263f93cfe9ce98d98eefd796e5fb24e2c6b25a
CoinMiner
+ 13 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:loaderbot family:xmrig loader miner persistence
Link:
https://tria.ge/reports/230523-rseq6aff58/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
LoaderBot executable
XMRig Miner payload
LoaderBot
xmrig
Unpacked files
SH256 hash:
2f96c26d40674e74f8f57028a47645b4c5e86d11eef6be4b1a5d235ac628cbd4
MD5 hash:
98cf85482562853c5408226a7ea55c27
SHA1 hash:
cfa98f1cd44059675d6267561a9e19b4a2f4a936
Link:
https://www.unpac.me/results/d815f135-4e62-452e-9160-e90b2a492740/
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/d815f135-4e62-452e-9160-e90b2a492740/
SH256 hash:
3a48d4a5106dd9ba74e5fccfe58bf65581ee894d7f3ca1b15e6680fc912cd150
MD5 hash:
33b4baef7b0a6ad57a7d30af324c4efd
SHA1 hash:
b169a559615a8448d7ed7da56d36a6850d2092e2
Link:
https://www.unpac.me/results/d815f135-4e62-452e-9160-e90b2a492740/
SH256 hash:
a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba
MD5 hash:
e7bf9f0c2c1977ddd8e139c13c27be0d
SHA1 hash:
e91aff3d9a8c7cef0e9543350864971e4ad93f82
Link:
https://www.unpac.me/results/d815f135-4e62-452e-9160-e90b2a492740/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe a615a2c647bce3b67f43c818a7fd972a653a605efce83b7eb6f38fb374ec8eba

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2639654/

Comments


Avatar
zbet commented on 2023-05-23 14:26:43 UTC

url : hxxp://95.214.27.98/lend/full_min_cr.exe