MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5ec12c4a9c4110b60db7766315641497ad11f31ecaf9de0cc71b605256771d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5ec12c4a9c4110b60db7766315641497ad11f31ecaf9de0cc71b605256771d9
SHA3-384 hash: d85e3fbab313058303d2a2d43a88898a60f5dded06ff282da438499aeecb2c8f6b269e44f0f11a00322e11a6df456a52
SHA1 hash: 4c3bf3b256a39c1a1656e79300a681bd43b30930
MD5 hash: 221e25b401ebbb3d1e716f71c83cbd9a
humanhash: wisconsin-sierra-robin-two
File name:221e25b401ebbb3d1e716f71c83cbd9a
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'995'264 bytes
First seen:2021-08-27 08:17:44 UTC
Last seen:2021-08-27 09:26:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:6nIPGsWPBxUcynyYYukbTD0h5W/QKNmIAyJWcuB:itsGxE/Y90XaBJJ
Threatray 128 similar samples on MalwareBazaar
TLSH T1829533DB43E884C6C46FF3F051AB157056494D724CABC66F4B04CAF3A9588FC9A2727A
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
221e25b401ebbb3d1e716f71c83cbd9a
Verdict:
No threats detected
Analysis date:
2021-08-27 08:19:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/72dcb5de-38ea-4f94-8f10-8102609667ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182852/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.46.24309.14995.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Creating a file in the system32 directory
Creating a file in the system32 subdirectories
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/777db6ca-e8b2-46a1-a191-cfe2c23e8bf3
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/840267
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 472695 Sample: RZzLq62ASY Startdate: 27/08/2021 Architecture: WINDOWS Score: 92 79 Multi AV Scanner detection for submitted file 2->79 81 Yara detected BitCoin Miner 2->81 83 Machine Learning detection for sample 2->83 85 2 other signatures 2->85 10 RZzLq62ASY.exe 5 2->10         started        14 services32.exe 3 2->14         started        process3 file4 75 C:\Users\user\AppData\...\RZzLq62ASY.exe.log, ASCII 10->75 dropped 99 Adds a directory exclusion to Windows Defender 10->99 16 cmd.exe 1 10->16         started        18 cmd.exe 1 10->18         started        77 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 14->77 dropped 101 Multi AV Scanner detection for dropped file 14->101 103 Machine Learning detection for dropped file 14->103 21 cmd.exe 14->21         started        23 cmd.exe 14->23         started        signatures5 process6 signatures7 25 svchost32.exe 6 16->25         started        29 conhost.exe 16->29         started        87 Uses schtasks.exe or at.exe to add and modify task schedules 18->87 89 Adds a directory exclusion to Windows Defender 18->89 31 powershell.exe 21 18->31         started        33 powershell.exe 22 18->33         started        35 conhost.exe 18->35         started        41 2 other processes 18->41 37 conhost.exe 21->37         started        43 4 other processes 21->43 39 conhost.exe 23->39         started        process8 file9 71 C:\Windows\System32\services32.exe, PE32+ 25->71 dropped 73 C:\Windows\...\services32.exe:Zone.Identifier, ASCII 25->73 dropped 93 Multi AV Scanner detection for dropped file 25->93 95 Machine Learning detection for dropped file 25->95 97 Drops executables to the windows directory (C:\Windows) and starts them 25->97 45 services32.exe 25->45         started        48 cmd.exe 1 25->48         started        50 cmd.exe 25->50         started        signatures10 process11 signatures12 105 Adds a directory exclusion to Windows Defender 45->105 52 cmd.exe 45->52         started        55 conhost.exe 48->55         started        57 schtasks.exe 1 48->57         started        59 conhost.exe 50->59         started        61 choice.exe 50->61         started        process13 signatures14 91 Adds a directory exclusion to Windows Defender 52->91 63 conhost.exe 52->63         started        65 powershell.exe 52->65         started        67 powershell.exe 52->67         started        69 2 other processes 52->69 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5ec12c4a9c4110b60db7766315641497ad11f31ecaf9de0cc71b605256771d9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 19:07:00 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxwbfrfjyqiqwyg3o5tdcvsbjf5nchzr5sxz3ygmog3akjlhohmq._file
Verdict:
unknown
Similar samples:
010e5cf08f24b0b769747b20d38324e7ea5b3633cc72832a07cb8769b126dd0f
CoinMiner
24ea17a2c73edd5668c90344844c696e8bfddb72bf605feeea1a0dcc054f246f
CoinMiner
2dfdc495160b8492466dfe6108702ea44b5a7ff1b8d439d6a6dc9af9359a0838
CoinMiner
3cc3678682dc887a9f5e168717967fc266e266a5fd5dfe10e210d26b7246e5c4
CoinMiner
455c9a38ec39915d187e3d1093eb3456798f01ffd9f925b2e15e10beced936f0
CoinMiner
561b3cf57b33e115cabbb36756579d7fb15ae90656b826cbd286673b2eaef227
CoinMiner
819e5d9898ec33babab2fe49e72681fd6b389951fddce04b7ebf636155596997
CoinMiner
d96b12587bf342e3a99493402b3ede54ef5b3f31ff4b09a6710f1443a66f2683
CoinMiner
debc1a729e69d48bab2082aab44d8aae428066d42379838464dadecba5066852
CoinMiner
e481e934466d3e768442331a3c3af50c4d430b6ed14059afbe661925338ef531
CoinMiner
+ 118 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210827-4wy11nd2zn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
b5ec12c4a9c4110b60db7766315641497ad11f31ecaf9de0cc71b605256771d9
MD5 hash:
221e25b401ebbb3d1e716f71c83cbd9a
SHA1 hash:
4c3bf3b256a39c1a1656e79300a681bd43b30930
Link:
https://www.unpac.me/results/64a2e8ce-4440-45d9-a922-aed1c9f6dd26/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b5ec12c4a9c4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5ec12c4a9c4110b60db7766315641497ad11f31ecaf9de0cc71b605256771d9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe b5ec12c4a9c4110b60db7766315641497ad11f31ecaf9de0cc71b605256771d9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182852/
  
URLhaus
https://urlhaus.abuse.ch/url/1569135/

Comments


Avatar
zbet commented on 2021-08-27 08:17:45 UTC

url : hxxp://a0572281.xsph.ru/hack.exe