MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2a5b282b91df9293450c3570495800cab173545524fed91e3f32e732ebd012e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2a5b282b91df9293450c3570495800cab173545524fed91e3f32e732ebd012e
SHA3-384 hash: f65574f52cead2e98ccc821684bc37662285939a84eeaff3ae81e29de4958401e6e98863baeffa3c7df45b1f6099834c
SHA1 hash: 32fc509059de13ab5670cc8bec66654826c4b1d4
MD5 hash: e196b74bf29f8e56777f0ebeca67c480
humanhash: georgia-victor-pasta-washington
File name:SecuriteInfo.com.Trojan.MulDrop19.20484.6799.17581
Download: download sample
Signature CoinMiner
Create hunting rule
File size:6'992'896 bytes
First seen:2022-01-01 20:44:33 UTC
Last seen:2022-01-03 13:58:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 889336afd01a952ba79d1e90fb751739 (14 x CoinMiner)
ssdeep 98304:bnkxWdrqX7+0UJr0a+wkT9/l1PxktPJ+GC6xhCx7cNolij6Yv1A08+w8YLn:bnkWrA9K+79/zpUx+GC6xvxjpW8an
Threatray 38 similar samples on MalwareBazaar
TLSH T1236623FA614C731CC41EC9745423FE18B2F2951E4BFA9ABA74C7BEC06BA7424E501B52
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.MulDrop19.20484.6799.17581
Verdict:
No threats detected
Analysis date:
2022-01-01 20:47:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2bd4ab2c-a0a8-458d-8c01-b031e261fe84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217025/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop19.20484.6692.15698.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3639/overview
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/61d0bd538991ba72b3a49aef/reports/ccd6a85f-bfc7-45bf-b7cd-0be52e13efca/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0fb8a42c-7b85-4c5b-a199-1e6f275f494f
Result
Threat name:
BitCoin Miner SilentXMRMiner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914512
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected VMProtect packer
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potential dropper URLs found in powershell memory
Sigma detected: System File Execution Location Anomaly
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 546990 Sample: SecuriteInfo.com.Trojan.Mul... Startdate: 01/01/2022 Architecture: WINDOWS Score: 100 64 Antivirus / Scanner detection for submitted sample 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected SilentXMRMiner 2->68 70 6 other signatures 2->70 9 SecuriteInfo.com.Trojan.MulDrop19.20484.6799.exe 5 2->9         started        13 services.exe 2 2->13         started        process3 file4 54 C:\Users\user\AppData\...\services.exe, PE32+ 9->54 dropped 56 C:\Users\...\services.exe:Zone.Identifier, ASCII 9->56 dropped 58 SecuriteInfo.com.T....20484.6799.exe.log, ASCII 9->58 dropped 74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->74 76 Tries to detect virtualization through RDTSC time measurements 9->76 78 Drops PE files with benign system names 9->78 15 cmd.exe 1 9->15         started        17 cmd.exe 1 9->17         started        20 cmd.exe 1 9->20         started        80 Antivirus detection for dropped file 13->80 82 Multi AV Scanner detection for dropped file 13->82 22 cmd.exe 13->22         started        signatures5 process6 signatures7 24 services.exe 5 15->24         started        27 conhost.exe 15->27         started        60 Encrypted powershell cmdline option found 17->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 17->62 29 powershell.exe 23 17->29         started        31 powershell.exe 22 17->31         started        33 conhost.exe 17->33         started        35 conhost.exe 20->35         started        37 schtasks.exe 1 20->37         started        39 conhost.exe 22->39         started        41 2 other processes 22->41 process8 signatures9 72 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->72 43 cmd.exe 24->43         started        46 conhost.exe 29->46         started        process10 signatures11 84 Encrypted powershell cmdline option found 43->84 48 conhost.exe 43->48         started        50 powershell.exe 43->50         started        52 powershell.exe 43->52         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2a5b282b91df9293450c3570495800cab173545524fed91e3f32e732ebd012e/
Threat name:
Win64.Trojan.Injectgen
Create hunting rule
Status:
Malicious
First seen:
2021-12-29 02:02:27 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
24 of 43 (55.81%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
19469d26a781545bc0347ba1ef6d885744ec26c525eafd7034155b1095bab742
CoinMiner
5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4
CoinMiner
70abd0e56d64c9d19e81fc1f62f09b9644b00819c5a1feccfd185c168f4a2099
CoinMiner
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
CoinMiner
833990804d459870448fdb9a0f74f6b8f5c59d395a71da86f347cf7a74f858d2
CoinMiner
865baa577a2cdad80e6daefdd7b9bf06d4f9c5007d3bc17e98d13ca8d620feb6
CoinMiner
8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3
CoinMiner
96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5
CoinMiner
c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf
CoinMiner
d3cfc436366c9d127c7a6233f6531cf6e5863153b41ba4ab6f8fe87f473c8c9d
CoinMiner
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/220101-zjq2tsaaa4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Unpacked files
SH256 hash:
b2a5b282b91df9293450c3570495800cab173545524fed91e3f32e732ebd012e
MD5 hash:
e196b74bf29f8e56777f0ebeca67c480
SHA1 hash:
32fc509059de13ab5670cc8bec66654826c4b1d4
Link:
https://www.unpac.me/results/4f1f146f-e3f0-4bb7-9be1-8e2a905fd649/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2a5b282b91df9293450c3570495800cab173545524fed91e3f32e732ebd012e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe b2a5b282b91df9293450c3570495800cab173545524fed91e3f32e732ebd012e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/217025/
  
URLhaus
https://urlhaus.abuse.ch/url/1941622/
  
Delivery method
Distributed via web download

Comments