MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b57dd5b03e87a86866c7785e7e5356387c4d3b012b97ae57c6c27e664834c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0b57dd5b03e87a86866c7785e7e5356387c4d3b012b97ae57c6c27e664834c6
SHA3-384 hash: 52937e3e0896737e44e295d08aa64c764fe50c72bf91d3603de0a4ebf518016c1fd3f98b6b9820e48f43807b908c624a
SHA1 hash: 6889a8eec82f9fdd598669a50146524ddf6e78ab
MD5 hash: 75332b77102d4ebf9c8c084fa39d865c
humanhash: london-mountain-carolina-washington
File name:75332b77102d4ebf9c8c084fa39d865c
Download: download sample
Signature CoinMiner
Create hunting rule
File size:156'672 bytes
First seen:2021-07-26 08:31:24 UTC
Last seen:2021-07-26 09:39:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:IMfMIiXUzYiCF/lKJvtNK/Iqr35bgMwxHHUtoGO2SD:rfM3iCDUjK/3Dufs
Threatray 33 similar samples on MalwareBazaar
TLSH T1C2E35D1E5E8BB8DBE4250AB558A6E7D1067CDFA5F5E1069C30E8BE3CB7D24748500FA0
dhash icon f0d4820ccecef4f8 (7 x AsyncRAT, 6 x XWorm, 5 x CoinMiner)
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
75332b77102d4ebf9c8c084fa39d865c
Verdict:
No threats detected
Analysis date:
2021-07-26 08:35:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/620468af-4199-47c6-80a2-dede2f6fb2c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174077/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.943.10637.7538.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching a process
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b2ec3e1-bffa-4d5c-b40d-e0a62854620e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/821661
Signature
.NET source code contains potential unpacker
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 454073 Sample: qSN1mPnL52 Startdate: 26/07/2021 Architecture: WINDOWS Score: 76 59 Multi AV Scanner detection for submitted file 2->59 61 .NET source code contains potential unpacker 2->61 63 Machine Learning detection for sample 2->63 65 Uses nslookup.exe to query domains 2->65 8 nslookup.exe 5 2->8         started        13 qSN1mPnL52.exe 6 2->13         started        process3 dnsIp4 53 140.82.121.3, 443, 49740 GITHUBUS United States 8->53 55 raw.githubusercontent.com 8->55 57 github.com 8->57 39 C:\Users\user\AppData\...\sihost32.exe, PE32+ 8->39 dropped 67 Multi AV Scanner detection for dropped file 8->67 69 Machine Learning detection for dropped file 8->69 15 sihost32.exe 2 8->15         started        18 cmd.exe 1 8->18         started        41 C:\Users\user\AppData\Roaming\nslookup.exe, PE32+ 13->41 dropped 43 C:\Users\...\nslookup.exe:Zone.Identifier, ASCII 13->43 dropped 45 C:\Users\user\AppData\...\qSN1mPnL52.exe.log, ASCII 13->45 dropped 71 Uses nslookup.exe to query domains 13->71 20 cmd.exe 1 13->20         started        22 nslookup.exe 14 5 13->22         started        file5 signatures6 process7 dnsIp8 73 Multi AV Scanner detection for dropped file 15->73 75 Machine Learning detection for dropped file 15->75 25 conhost.exe 18->25         started        27 schtasks.exe 1 18->27         started        77 Uses schtasks.exe or at.exe to add and modify task schedules 20->77 29 conhost.exe 20->29         started        31 schtasks.exe 1 20->31         started        47 194.147.142.230, 49736, 49739, 80 PTPEU unknown 22->47 49 github.com 140.82.121.4, 443, 49737 GITHUBUS United States 22->49 51 2 other IPs or domains 22->51 33 cmd.exe 1 22->33         started        signatures9 process10 process11 35 conhost.exe 33->35         started        37 schtasks.exe 1 33->37         started       
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 00:58:50 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
2b49d6c607ec59ab95f8473169f8673b7d6772252092e1ce2ecb9b63d2255b96
CoinMiner
6c3a2575d3325e7a0f520a5fefa0384855980461683e6c7463debbd668ab3258
CoinMiner
74b13418d9f50f94920aa870823732618509599ed36a57e440c32c1e9cd928f2
CoinMiner
995ab2c020f8d8ac61c6c5e2bfdd383f2134a6463ea2ba218337b80b639e13cd
CoinMiner
b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
CoinMiner
c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
CoinMiner
e08f276f148db04bdcd9fe52e5418b06572a5c537e5610d1ef711591c6d416bf
CoinMiner
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210726-qxxryl6xva/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
c0b57dd5b03e87a86866c7785e7e5356387c4d3b012b97ae57c6c27e664834c6
MD5 hash:
75332b77102d4ebf9c8c084fa39d865c
SHA1 hash:
6889a8eec82f9fdd598669a50146524ddf6e78ab
Link:
https://www.unpac.me/results/195a5ee6-b320-4730-aa56-8ca3ac5b8e85/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0b57dd5b03e87a86866c7785e7e5356387c4d3b012b97ae57c6c27e664834c6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe c0b57dd5b03e87a86866c7785e7e5356387c4d3b012b97ae57c6c27e664834c6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1094119/
Cape
Cape
https://www.capesandbox.com/analysis/174077/

Comments


Avatar
zbet commented on 2021-07-26 08:31:25 UTC

url : hxxp://194.147.142.230/download/activationeth.exe