MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba7a55b17174de39cb44b553a52de3d0b3c979d37104a5ad1580cb97a8acc800. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 11

SHA256 hash: ba7a55b17174de39cb44b553a52de3d0b3c979d37104a5ad1580cb97a8acc800
SHA3-384 hash: 620a7efdc22331af3900c7c1a6c6dd4f40e1dafc6bf345a11c7399c95498cbf3d0d474c6bb500256e59c6238607779ff
SHA1 hash: 7712c3b551f0412a15b258dfbf1ec224774cde60
MD5 hash: 32c4a9891310195be4a43a8c1970467d
humanhash: single-spring-pasta-angel
File name: 32c4a9891310195be4a43a8c1970467d.exe
Signature: CoinMiner
File size: 5'632 bytes
First seen: 2022-01-10 07:57:15 UTC
Last seen: 2022-01-10 09:34:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a000d5ec0cb7981aab740e433bb322a8 (2 x CoinMiner, 1 x Phorpiex)
ssdeep: 96:WhQTEhiF5QZFfsHxuHuHgPtboynunVCtrO:CUEhcAFcqmgP1oynWUr
Threatray: 452 similar samples on MalwareBazaar
TLSH: T1B3C1D61BAA548231D25C07F41D3B814D9BFE1873576909FFA333158B66F12A1F411B2B
Reporter: abuse_ch
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 217
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 32c4a9891310195be4a43a8c1970467d.exe
Verdict: Malicious activity
Analysis date: 2022-01-10 08:01:54 UTC
Tags: loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
  DNS request
  Sending a custom TCP request

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
  MalwareBazaar
  SystemUptime
  CallSleep
  EvasionGetTickCount
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 80%
Tags: evasive greyware phorpiex shell32.dll tiny

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: BitCoin Miner Phorpiex SilentXMRMiner Xm
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
Sigma detected: Xmrig
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Phorpiex
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour

Behavior Graph (ID 549980; sample Ycmt4NSlWu.exe; start date 10/01/2022; architecture WINDOWS; score 100). The graph itself was an image; the process tree, dropped files, network contacts and signatures recoverable from its labels are listed below.

Top-level signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 15 other signatures.

Process tree (dropped files, network contacts and signatures per process):

Ycmt4NSlWu.exe
  Network: 185.215.113.84 ports 49760, 49766, 49769 (WHOLESALECONNECTIONSNL, Portugal); Detected Stratum mining protocol on this connection
  Dropped: C:\Users\user\AppData\Local\Temp\39342.exe (PE32); C:\Users\user\AppData\Local\...\tpeinf[1].exe (PE32)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  39342.exe
    Dropped: C:\Windows\wsparscv.exe (PE32)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
    wsparscv.exe
      Network: 154.118.221.239:40500 (ZAP-AngolaAO, Angola); 187.143.128.94:40500 (UninetSAdeCVMX, Mexico); 27 other IPs or domains
      Dropped: C:\Users\user\AppData\Local\...\292467311.exe (PE32); C:\Users\user\AppData\Local\...\255136117.exe (PE32); C:\Users\user\AppData\Local\...\200410465.exe (PE32)
      Signatures: Antivirus detection for dropped file; Found evasive API chain (may stop execution after checking mutex); Contains functionality to check if Internet connection is working; 4 other signatures
      292467311.exe
        Dropped: C:\Users\user\AppData\Local\Temp\37938.exe (PE32+); C:\Users\user\AppData\Local\...\xmr[1].exe (PE32+)
        Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
        37938.exe
          Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
          conhost.exe
            Dropped: C:\Users\user\wincsvns.exe (PE32+)
            Signatures: Drops PE files to the user root directory
            cmd.exe
              wincsvns.exe
                Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
                conhost.exe
                  Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
                  sihost64.exe
                    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
              conhost.exe
            cmd.exe
              Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
              conhost.exe
              schtasks.exe
      200410465.exe
        Dropped: C:\Users\...\Windows Security Service.exe (PE32); C:\Users\user\AppData\Local\...\peinf[1].exe (PE32)
        Signatures: Multi AV Scanner detection for dropped file
        Windows Security Service.exe (3 instances)
      255136117.exe
        Dropped: C:\Users\user\...\Windows Security Update.exe (PE32); C:\Users\user\AppData\Local\...\secdis[1].exe (PE32)
        Windows Security Update.exe (3 instances, each starting a further Windows Security Update.exe)
wincsvns.exe
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  conhost.exe
    Dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+); C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
    Signatures: Modifies the context of a thread in another process (thread injection); Sample is not signed and drops a device driver; Injects a PE file into a foreign processes
    sihost64.exe
      Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      conhost.exe
svchost.exe
  Network: 127.0.0.1
9 other processes

Threat name: Win32.Downloader.Generic
Status: Suspicious
First seen: 2022-01-09 07:53:10 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 28 of 43 (65.12%)
Threat level: 3/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Modifies security service
Windows security bypass
Unpacked files
SHA256 hash: ba7a55b17174de39cb44b553a52de3d0b3c979d37104a5ad1580cb97a8acc800
MD5 hash: 32c4a9891310195be4a43a8c1970467d
SHA1 hash: 7712c3b551f0412a15b258dfbf1ec224774cde60

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments