MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcb32ac45b1ed10696c9b50fefda160fca340ac43fda723411be99bb47445746. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcb32ac45b1ed10696c9b50fefda160fca340ac43fda723411be99bb47445746
SHA3-384 hash: 0352c3a03544a45061548c07be5fb601fab03b6139952d39823dde0a1cfc78bfd433756562c192e362cddd081d8530cf
SHA1 hash: d0d2a2705847c51276a7c94947cb24a7e028b8ff
MD5 hash: f1cc697810eec739a630c9837f5dbd9c
humanhash: kitten-sixteen-moon-november
File name:f1cc697810eec739a630c9837f5dbd9c
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'043'904 bytes
First seen:2021-12-23 20:47:12 UTC
Last seen:2021-12-24 00:15:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:LKILRtJGGLPQ2bwsi3A9/Ef0J/eQi+jgEzQ/rQ4MrK9A05z+:LKI1l4qwb3A9bJ/elmgXxT
Threatray 336 similar samples on MalwareBazaar
TLSH T1DE95332AD7AD98E1C395AE74822A38D75C625A600FEE1C136BC97F7D7227460F0C476C
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2_5341322772138169183.exe
Verdict:
Malicious activity
Analysis date:
2021-12-23 13:07:03 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/3106b0ed-3089-4854-aab2-82febaa2e7c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216023/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.10967.9317.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3040/overview
Behaviour
MalwareBazaar
CallSleep
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/61c4e0878991ba72b3943dab/reports/0ae4d572-515f-4292-baaf-13503671d8ef/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36f1f893-079b-4e03-8291-5cad447e3fdc
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/912190
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 544668 Sample: 6xNdd0fItP Startdate: 23/12/2021 Architecture: WINDOWS Score: 92 82 Multi AV Scanner detection for submitted file 2->82 84 Yara detected BitCoin Miner 2->84 86 Sigma detected: Powershell Defender Exclusion 2->86 11 6xNdd0fItP.exe 2->11         started        14 bdwtibgd.exe 2->14         started        process3 signatures4 106 Writes to foreign memory regions 11->106 108 Allocates memory in foreign processes 11->108 110 Creates a thread in another existing process (thread injection) 11->110 16 conhost.exe 5 11->16         started        112 Multi AV Scanner detection for dropped file 14->112 20 conhost.exe 5 14->20         started        process5 file6 68 C:\Windows\System32\bdwtibgd.exe, PE32+ 16->68 dropped 70 C:\Windows\...\bdwtibgd.exe:Zone.Identifier, ASCII 16->70 dropped 74 Adds a directory exclusion to Windows Defender 16->74 22 cmd.exe 1 16->22         started        25 cmd.exe 1 16->25         started        27 cmd.exe 1 16->27         started        72 C:\Windows\System32\...\sihost32.exe, PE32+ 20->72 dropped 29 cmd.exe 1 20->29         started        31 sihost32.exe 20->31         started        signatures7 process8 signatures9 92 Drops executables to the windows directory (C:\Windows) and starts them 22->92 33 bdwtibgd.exe 22->33         started        36 conhost.exe 22->36         started        94 Uses schtasks.exe or at.exe to add and modify task schedules 25->94 96 Adds a directory exclusion to Windows Defender 25->96 38 powershell.exe 19 25->38         started        40 conhost.exe 25->40         started        42 powershell.exe 25->42         started        50 2 other processes 27->50 44 powershell.exe 19 29->44         started        46 conhost.exe 29->46         started        48 powershell.exe 29->48         started        process10 signatures11 76 Writes to foreign memory regions 33->76 78 Allocates memory in foreign processes 33->78 80 Creates a thread in another existing process (thread injection) 33->80 52 conhost.exe 33->52         started        process12 signatures13 88 Drops executables to the windows directory (C:\Windows) and starts them 52->88 90 Adds a directory exclusion to Windows Defender 52->90 55 sihost32.exe 52->55         started        58 cmd.exe 52->58         started        process14 signatures15 98 Writes to foreign memory regions 55->98 100 Allocates memory in foreign processes 55->100 102 Creates a thread in another existing process (thread injection) 55->102 60 conhost.exe 55->60         started        104 Adds a directory exclusion to Windows Defender 58->104 62 conhost.exe 58->62         started        64 powershell.exe 58->64         started        66 powershell.exe 58->66         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcb32ac45b1ed10696c9b50fefda160fca340ac43fda723411be99bb47445746/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-12-23 19:04:27 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
25 of 43 (58.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2cd29b8b5c71f0f7df5dd0bcedbb134977d9c6269861dddd65db1db203194c08
CoinMiner
38a2144651bd3980612f92a1cd2308adf10dd630d618ee05232bf1a8cf76444c
CoinMiner
467457b20fa5230a77027240f20bfac6130d66e1ca0e3abd3f89a067745e654f
CoinMiner
64edbaff99fe8c87c2f5f826b0d1741c575295e3ab0c3d16db8bbacd2baebd30
CoinMiner
c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf
CoinMiner
e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a
CoinMiner
eb6b810f2cb85c0a1a028c53e4c346b3ec7601d1853758c3b8ce56eac6f96be8
CoinMiner
f3a0806bf7e9030e703483f4469a2292d9595d500a2365336de454a3bf047e26
CoinMiner
feb365d784b06535c3bd3ab5c525e771521f0f7dcc71c8c3e800226fdb117085
CoinMiner
+ 326 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211223-zlfnwabeg6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
xmrig
Unpacked files
SH256 hash:
bcb32ac45b1ed10696c9b50fefda160fca340ac43fda723411be99bb47445746
MD5 hash:
f1cc697810eec739a630c9837f5dbd9c
SHA1 hash:
d0d2a2705847c51276a7c94947cb24a7e028b8ff
Link:
https://www.unpac.me/results/b5dc1d1e-d1c6-47e5-928a-a5a4fb222663/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bcb32ac45b1e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/bcb32ac45b1ed10696c9b50fefda160fca340ac43fda723411be99bb47445746

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe bcb32ac45b1ed10696c9b50fefda160fca340ac43fda723411be99bb47445746

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1915072/
  
URLhaus
https://urlhaus.abuse.ch/url/1915073/
Cape
Cape
https://www.capesandbox.com/analysis/216023/

Comments


Avatar
zbet commented on 2021-12-23 20:47:13 UTC

url : hxxp://data-file-data-7.com/files/9674_1640263501_824.exe