MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278
SHA3-384 hash: b1b7ce650e8ad58328c928e36a547ae820f7a799d30c22785f9e6e17a5e09d22898661a1a9c655039efeeee6cbee30e5
SHA1 hash: 53c870d62dcd6154052445dc03888cdc6cffd370
MD5 hash: 1274cbcd6329098f79a3be6d76ab8b97
humanhash: hawaii-orange-oscar-minnesota
File name:setup.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'617'152 bytes
First seen:2024-11-10 11:36:11 UTC
Last seen:2025-02-01 18:08:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0fdd3d21d2193b717f076a70dfaa659c (14 x CoinMiner)
ssdeep 98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
TLSH T12E46E01B9BB5EF12D119C0FE306626086634D3069DE87C28EF6F5B41351632E63E9EE1
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter aachum
Tags:CoinMiner exe tronbruteforce-online


Avatar
iamaachum
Dropped by .zip in https://tronbruteforce.online/

Intelligence

File Origin
# of uploads :
2
# of downloads :
388
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cdn.discordapp.com/attachments/1250327383010181161/1262852381390143669/maple.rar?ex=669a14ae&is=6698c32e&hm=c7c89e5a00ba842b2f7a6207eca96bceb91e8cfe3a29abcf62396e86c3f5302d&
Verdict:
Malicious activity
Analysis date:
2024-07-18 18:18:51 UTC
Tags:
discord payload blankgrabber python evasion github discordgrabber generic stealer growtopia susp-powershell umbralstealer telegram phishing exfiltration upx
Link:
https://app.any.run/tasks/b09b00d7-f654-4094-8b6b-3d04132c66b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Zusy-10016270-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67309af66c614f3030a3feee
Tags:
rozena cobalt xmrig
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Replacing files
Forced system process termination
Connection attempt to an infection source
Creating a service
Launching a service
Loading a system driver
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug coinminer packed packed packer_detected rozena
Link:
https://www.filescan.io/uploads/67309adf95a0f2e2fac2db9e/reports/ff004102-2cf6-44c9-9eee-62dec24ecb8d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/444c8225-5dea-4480-9e01-b6363280c6f6
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1553146
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop multiple services
Stops critical windows services
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1553146 Sample: setup.exe Startdate: 10/11/2024 Architecture: WINDOWS Score: 100 60 Antivirus detection for dropped file 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 10 other signatures 2->66 7 setup.exe 3 2->7         started        11 cmd.exe 1 2->11         started        13 powershell.exe 23 2->13         started        15 updater.exe 2->15         started        process3 file4 42 C:\Users\user\AppData\...\wxyubnjmnlae.tmp, PE32+ 7->42 dropped 44 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 7->44 dropped 68 Writes to foreign memory regions 7->68 70 Modifies the context of a thread in another process (thread injection) 7->70 72 Found hidden mapped module (file has been removed from disk) 7->72 80 2 other signatures 7->80 17 dialer.exe 1 7->17         started        74 Stops critical windows services 11->74 20 conhost.exe 11->20         started        22 sc.exe 1 11->22         started        24 sc.exe 1 11->24         started        30 3 other processes 11->30 76 Loading BitLocker PowerShell Module 13->76 26 WmiPrvSE.exe 13->26         started        28 conhost.exe 13->28         started        78 Found direct / indirect Syscall (likely to bypass EDR) 15->78 signatures5 process6 signatures7 52 Injects code into the Windows Explorer (explorer.exe) 17->52 54 Contains functionality to inject code into remote processes 17->54 56 Writes to foreign memory regions 17->56 58 4 other signatures 17->58 32 lsass.exe 17->32 injected 35 svchost.exe 17->35 injected 37 svchost.exe 4 17->37 injected 40 24 other processes 17->40 process8 dnsIp9 48 Writes to foreign memory regions 32->48 50 System process connects to network (likely due to code injection or exploit) 35->50 46 241.42.69.40.in-addr.arpa 37->46 signatures10
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278/
Threat name:
Win64.Trojan.SilentCryptoMiner
Create hunting rule
Status:
Malicious
First seen:
2024-03-01 14:46:20 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xpsvitcarjxlsxoztaggdjr4j26izs7ozlpe3zh25azsgypcoj4a._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
r77_core
Create hunting rule
Similar samples:
error
CoinMiner
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion evasion execution
Link:
https://tria.ge/reports/241110-nq5m1swckj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks BIOS information in registry
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
Win.Malware.Zusy-10016270-0
YARA:
n/a
Link:
https://app.threat.zone/submission/bc9b9134-c0a8-4edd-a729-768c9f90f479
Unpacked files
SH256 hash:
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278
MD5 hash:
1274cbcd6329098f79a3be6d76ab8b97
SHA1 hash:
53c870d62dcd6154052445dc03888cdc6cffd370
Link:
https://www.unpac.me/results/eb80a899-e903-4e70-b2f5-10c9a0bc4c08/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

(this sample)

  
Link
https://tria.ge/241110-nfnlravngs/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high

Comments