MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdbf24537950b4bb8ca32e92dc5934fd651792db3452c748d7893da61aca1710. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 6

SHA256 hash: bdbf24537950b4bb8ca32e92dc5934fd651792db3452c748d7893da61aca1710
SHA3-384 hash: c6c4436f31f6f570fde74275c135bd364afa6eb8352cf98ed94fec9b771e423e99847d0431122c25da562b95e13328d9
SHA1 hash: 2b70fb6b95495973f408abd5b0b340dddab5a9ae
MD5 hash: 5c28e053a7702cad262eb0ad5363d6c0
humanhash: georgia-three-spring-batman
File name: 5c28e053a7702cad262eb0ad5363d6c0
Download: download sample
Signature: CoinMiner
File size: 31'232 bytes
First seen: 2021-09-02 01:40:45 UTC
Last seen: 2021-09-02 04:39:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 768:7LdLR4zyJp5Lt/Gcmph8eLuW27jojgqM7yNYF9IfS:7LbBT5LccreSWXgVoYF9+S
Threatray: 49 similar samples on MalwareBazaar
TLSH: T1E2E2D016A3F8C845EEF64D357992B7041E3B6BF74342D6AFAC4961496C63310DAC3326
Reporter: zbetcheckin
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 195
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5c28e053a7702cad262eb0ad5363d6c0
Verdict: No threats detected
Analysis date: 2021-09-02 01:43:43 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
DNS request
Launching a process
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Creating a file in the system32 directory
Creating a file in the system32 subdirectories
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: BitCoin Miner
Detection: malicious
Classification: evad.mine
Score: 92 / 100
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph (ID 476170; sample ha261UNcA2; start date 02/09/2021; architecture WINDOWS; score 92)

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected BitCoin Miner; Machine Learning detection for sample; 2 other signatures

Process tree (dropped files and signatures are listed under the process that produced them; truncated paths are shown as in the report):

ha261UNcA2.exe
  dropped: C:\Users\user\AppData\Local\...\svchost32.exe (PE32+)
  dropped: C:\Users\user\AppData\...\ha261UNcA2.exe.log (ASCII)
  signature: Adds a directory exclusion to Windows Defender
  cmd.exe
    svchost32.exe
      dropped: C:\Windows\System32\services64.exe (PE32+)
      dropped: C:\Windows\...\services64.exe:Zone.Identifier (ASCII)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them
      cmd.exe
        schtasks.exe
          signature: Adds a directory exclusion to Windows Defender
          cmd.exe
            signature: Adds a directory exclusion to Windows Defender
            conhost.exe
            powershell.exe
            powershell.exe
            2 other processes
        conhost.exe
      services64.exe
        signature: Adds a directory exclusion to Windows Defender
      cmd.exe
        conhost.exe
        choice.exe
    conhost.exe
  cmd.exe
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
    powershell.exe
    powershell.exe
    conhost.exe
    2 other processes
services64.exe
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  cmd.exe
    conhost.exe
    powershell.exe
    3 other processes
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-08-29 18:38:37 UTC
AV detection: 26 of 45 (57.78%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Unpacked files
SHA256 hash: bdbf24537950b4bb8ca32e92dc5934fd651792db3452c748d7893da61aca1710
MD5 hash: 5c28e053a7702cad262eb0ad5363d6c0
SHA1 hash: 2b70fb6b95495973f408abd5b0b340dddab5a9ae
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: CoinMiner
File type: Executable exe
SHA256: bdbf24537950b4bb8ca32e92dc5934fd651792db3452c748d7893da61aca1710 (this sample)

Comments

zbet commented on 2021-09-02 01:40:46 UTC

url : hxxp://retracker.host/eth.exe