MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc
SHA3-384 hash: 2067a2ac5f377d3e1d17747b7f877744dc8422a442b82f269821ee95401eb410a96f534c8d9f4dab5704667a246def06
SHA1 hash: 446ba99bb2ca06fed22c0019a5e8671e7e3f1e62
MD5 hash: 5aece647826a6f39a8bb8b17cd4186d6
humanhash: island-diet-sink-double
File name:5aece647826a6f39a8bb8b17cd4186d6
Download: download sample
Signature CoinMiner
Create hunting rule
File size:17'027'072 bytes
First seen:2024-06-14 14:10:13 UTC
Last seen:2024-06-14 14:27:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7b7b517cf49febe9724e1b897a98881 (22 x CoinMiner)
ssdeep 393216:A/53AXVAd5y2XjI4j10HlDR4K55RUGOtdMPFSeUP:GqUy+j1a9yPkFvU
TLSH T1FC0723D155BA92BCE2CA47101CC2738E2CC8712691FDCCAD39C65C076A95E698CCF5BB
TrID 33.6% (.EXE) OS/2 Executable (generic) (2029/13)
33.1% (.EXE) Generic Win/DOS Executable (2002/3)
33.1% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
332
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc.exe
Verdict:
Malicious activity
Analysis date:
2024-06-14 14:12:44 UTC
Tags:
miner silentcryptominer xmrig
Link:
https://app.any.run/tasks/38761b49-509b-4016-b22c-116b9a988bc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.23217.27323.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=666c50b59172918f990da7b6win7simulatehigh_evasion
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Deleting a system file
Launching a process
Creating a service
Creating a file
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Setting browser functions hooks
Enabling autorun for a service
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Changing the hosts file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/666c4f819fd5f9d5920fcde2/reports/516f667c-6a28-45b1-8fe0-83178df250e1/overview
Verdict:
Malicious
Labled as:
Trojan[Packed]/Win64.VMProtect
Link:
https://www.hybrid-analysis.com/sample/aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dd4a953b-14d4-4448-9713-5ad5bcefbb80
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1457344
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Snort IDS alert for network traffic
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1457344 Sample: 1SE2yI1hsN.exe Startdate: 14/06/2024 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 Yara detected Xmrig cryptocurrency miner 2->59 61 10 other signatures 2->61 7 1SE2yI1hsN.exe 1 2 2->7         started        11 WindowsAutHost 1 2->11         started        process3 file4 49 C:\ProgramData\...\WindowsAutHost, PE32+ 7->49 dropped 51 C:\Windows\System32\drivers\etc\hosts, ASCII 7->51 dropped 63 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->63 65 Query firmware table information (likely to detect VMs) 7->65 67 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->67 75 9 other signatures 7->75 13 dialer.exe 1 7->13         started        16 powershell.exe 23 7->16         started        18 cmd.exe 1 7->18         started        26 13 other processes 7->26 53 C:\Windows\Temp\acghixdheeme.sys, PE32+ 11->53 dropped 69 Antivirus detection for dropped file 11->69 71 Multi AV Scanner detection for dropped file 11->71 73 Protects its processes via BreakOnTermination flag 11->73 77 2 other signatures 11->77 20 powershell.exe 11->20         started        22 cmd.exe 11->22         started        24 sc.exe 1 11->24         started        28 7 other processes 11->28 signatures5 process6 signatures7 79 Contains functionality to inject code into remote processes 13->79 81 Writes to foreign memory regions 13->81 83 Allocates memory in foreign processes 13->83 87 3 other signatures 13->87 30 lsass.exe 13->30 injected 39 10 other processes 13->39 85 Loading BitLocker PowerShell Module 16->85 33 conhost.exe 16->33         started        41 2 other processes 18->41 35 conhost.exe 20->35         started        43 2 other processes 22->43 37 conhost.exe 24->37         started        45 13 other processes 26->45 47 6 other processes 28->47 process8 signatures9 89 Writes to foreign memory regions 30->89
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc/
Threat name:
Win64.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-06-14 14:11:18 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=viqsgyofnpb4gb67clor55luxmq4apziupfmzfffu2b5ef5sp26a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion execution persistence
Link:
https://tria.ge/reports/240614-rg9gdsxfkp/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Drops file in Drivers directory
Sets service image path in registry
Stops running service(s)
Modifies security service
Unpacked files
SH256 hash:
aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc
MD5 hash:
5aece647826a6f39a8bb8b17cd4186d6
SHA1 hash:
446ba99bb2ca06fed22c0019a5e8671e7e3f1e62
Link:
https://www.unpac.me/results/6a397dfa-615b-42fd-91b1-bdf8aa23eb8a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa212361c56b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2888804/
  
URLhaus
https://urlhaus.abuse.ch/url/2888843/
  
URLhaus
https://urlhaus.abuse.ch/url/2888844/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA

Comments


Avatar
zbet commented on 2024-06-14 14:10:14 UTC

url : hxxp://77.91.77.81/lend/installer2.exe