MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b64e4dd4b90a918e87571b990801eb1e33444e3108fceca963aed1bd27f1890c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b64e4dd4b90a918e87571b990801eb1e33444e3108fceca963aed1bd27f1890c
SHA3-384 hash: 96c82d44bcd0272130fc825b910e683c7927c76d0ac27a9c018d1f286a636b59fe7d930ea6b57a3d7bb677f9dd369770
SHA1 hash: 91cd24ec1ee98c6a7579d8da294a324ccbfa0fe9
MD5 hash: fcdf7ac67101861b39623dc6ac5d10b7
humanhash: sodium-pennsylvania-river-west
File name:fcdf7ac67101861b39623dc6ac5d10b7.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'004'992 bytes
First seen:2021-09-30 15:16:50 UTC
Last seen:2021-11-03 10:38:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 43801be8f5954e7259ebb6bc7f6dfe40 (3 x CoinMiner, 2 x RedLineStealer, 1 x njrat)
ssdeep 49152:gMW/Mi3n6OKH/c4C55qXxdOYiX5vncNq9YL:X6Mi3nlKHk13qBoYipvcNqW
Threatray 179 similar samples on MalwareBazaar
TLSH T1DF95336BBD7C0C6FF10A8D706D9DBDA8CB081CA61190BE77C59BF9EC50A6418C07875A
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cdn.discordapp.com/attachments/892828074675171371/892828551064199208/2.exe
Verdict:
Malicious activity
Analysis date:
2021-09-29 22:20:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eddf26de-1be0-458d-b877-c047a59f95c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193702/
Detection(s):
SecuriteInfo.com.Variant.FakeAlert.2.32645.814.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a file in the Windows directory
Creating a window
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d6e8dac-a102-4c9f-a770-cbe97f4c6b3c
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/862067
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 494495 Sample: yl2FFyMUUL.exe Startdate: 30/09/2021 Architecture: WINDOWS Score: 88 104 Multi AV Scanner detection for submitted file 2->104 106 Yara detected BitCoin Miner 2->106 108 Sigma detected: Powershell Defender Exclusion 2->108 110 Sigma detected: Suspicious Script Execution From Temp Folder 2->110 12 yl2FFyMUUL.exe 1 2->12         started        16 FcIso.exe 2->16         started        process3 file4 94 C:\Windows\FcIso.exe, PE32+ 12->94 dropped 130 Adds a directory exclusion to Windows Defender 12->130 18 cmd.exe 1 12->18         started        21 cmd.exe 1 12->21         started        96 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 16->96 dropped 132 Multi AV Scanner detection for dropped file 16->132 134 Machine Learning detection for dropped file 16->134 23 cmd.exe 16->23         started        25 cmd.exe 16->25         started        signatures5 process6 signatures7 112 Drops executables to the windows directory (C:\Windows) and starts them 18->112 27 FcIso.exe 5 18->27         started        31 conhost.exe 18->31         started        33 powershell.exe 23 21->33         started        35 conhost.exe 21->35         started        37 powershell.exe 21->37         started        114 Adds a directory exclusion to Windows Defender 23->114 39 conhost.exe 23->39         started        41 powershell.exe 23->41         started        45 3 other processes 23->45 43 conhost.exe 25->43         started        process8 dnsIp9 98 192.168.2.1 unknown unknown 27->98 124 Multi AV Scanner detection for dropped file 27->124 126 Machine Learning detection for dropped file 27->126 128 Adds a directory exclusion to Windows Defender 27->128 47 cmd.exe 1 27->47         started        49 cmd.exe 1 27->49         started        signatures10 process11 signatures12 52 svchost32.exe 5 47->52         started        56 conhost.exe 47->56         started        100 Uses schtasks.exe or at.exe to add and modify task schedules 49->100 102 Adds a directory exclusion to Windows Defender 49->102 58 powershell.exe 22 49->58         started        60 conhost.exe 49->60         started        62 powershell.exe 49->62         started        64 2 other processes 49->64 process13 file14 92 C:\Windows\System32\FcIso.exe, PE32+ 52->92 dropped 118 Multi AV Scanner detection for dropped file 52->118 120 Machine Learning detection for dropped file 52->120 122 Drops executables to the windows directory (C:\Windows) and starts them 52->122 66 FcIso.exe 52->66         started        69 cmd.exe 52->69         started        71 cmd.exe 52->71         started        73 conhost.exe 58->73         started        75 choice.exe 58->75         started        signatures15 process16 signatures17 116 Adds a directory exclusion to Windows Defender 66->116 77 cmd.exe 66->77         started        80 conhost.exe 69->80         started        82 schtasks.exe 69->82         started        process18 signatures19 136 Adds a directory exclusion to Windows Defender 77->136 84 conhost.exe 77->84         started        86 powershell.exe 77->86         started        88 powershell.exe 77->88         started        90 2 other processes 77->90 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b64e4dd4b90a918e87571b990801eb1e33444e3108fceca963aed1bd27f1890c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 16:42:46 UTC
AV detection:
27 of 45 (60.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
25fa15664bb857af7bd264779f9d1d7b898cae1afcb992e0e3a6923f0c1d1992
CoinMiner
42506f9e15ffdab6fce67556b602075ff779e2e84c6a40058a3941f0f71071b2
CoinMiner
493bfdb9e04607e49f6ead719b51e9c25cc8c4fa76bcb79c2f8e9225bb46e659
CoinMiner
55cc17a628f34a739ffb2f1318e0762dbf61d41c17c6624615bffa667f4609a9
CoinMiner
65bbafc229aa726d189d7607d03b1c6835ddcdf8ad6ac90017749b051f6b0770
CoinMiner
71bbaf19229855f0bfdebbe93d12b5f5fac6c0b542b5ca3b5a00d4b088ccdadc
CoinMiner
75359481a80ae7253f5a8859cc9d899020a24af197b95f8ef2716a9f011dc3b1
CoinMiner
92d222fc274d0c981a595327cf103960535339a655ae240f9267a84aedba7f41
CoinMiner
dc633709fc89e2c8596d97b71135911f73fb51bd4b9e7adbac5692fc287b0165
CoinMiner
dc9787f1ca396af3c6a84f52c1f4a1969b7d33999507f2093480071fc22e9d63
CoinMiner
+ 169 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/210930-sn192aaac5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
xmrig
Unpacked files
SH256 hash:
b64e4dd4b90a918e87571b990801eb1e33444e3108fceca963aed1bd27f1890c
MD5 hash:
fcdf7ac67101861b39623dc6ac5d10b7
SHA1 hash:
91cd24ec1ee98c6a7579d8da294a324ccbfa0fe9
Link:
https://www.unpac.me/results/d4891903-aa7c-43b2-88f6-e04378d9d2da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b64e4dd4b90a918e87571b990801eb1e33444e3108fceca963aed1bd27f1890c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe b64e4dd4b90a918e87571b990801eb1e33444e3108fceca963aed1bd27f1890c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1649176/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/193702/
  
URLhaus
https://urlhaus.abuse.ch/url/1650285/

Comments