MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578
SHA3-384 hash: 34ff493d1f06eb6c5210f6389cfea1125c9f33179b9e0df2e384eb3342c5b4ab786988b9b2308acae48f142cf06778c5
SHA1 hash: 7f70c51dd1b68f190ec2c817401c11d4251e767a
MD5 hash: 3d0f27b348dbb44c5b00f0aa5a7522ff
humanhash: aspen-red-comet-georgia
File name:3d0f27b348dbb44c5b00f0aa5a7522ff
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'209'576 bytes
First seen:2022-01-04 08:39:07 UTC
Last seen:2022-01-04 11:02:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:svids75bUkcBTdl9xp+/uonbmb0aKQwEbcyZwqlO:svRfOTdvxw/Fqb0aKQwH
Threatray 160 similar samples on MalwareBazaar
TLSH T18C451222F7CBC173EB8A0379A4A052508F31B59939C3E7617D79E6AE12713D50C3266E
File icon (PE):PE icon
dhash icon c0d4ec80b0b4b4e4 (5 x RaccoonStealer, 4 x RedLineStealer, 4 x LummaStealer)
Reporter zbetcheckin
Tags:CoinMiner exe signed

Code Signing Certificate

Organisation:Logitech ZC-9016 USA State of Washington
Issuer:Logitech ZC-9016 USA State of Washington
Algorithm:sha1WithRSAEncryption
Valid from:2021-12-15T11:48:33Z
Valid to:2031-12-16T11:48:33Z
Serial number: 5fcd5e9349261c9449b88b4124df5004
Intelligence: 27 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 63aa80362de14c7d27647ef57cf3a4928f5dda32e3a54c46c72902172a42dea0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3d0f27b348dbb44c5b00f0aa5a7522ff
Verdict:
No threats detected
Analysis date:
2022-01-04 08:40:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0fd663a2-d614-4254-8923-cc7e76bb55c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217233/
Detection(s):
SecuriteInfo.com.generic.ml.17591.26618.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/61d407e892bdc4b4077d7ebc/reports/3149eb71-10ab-497a-9054-aef3bb4b96f6/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2930f938-3dcd-4913-b86c-703c1d797c7d
Result
Threat name:
IPack Miner
Create hunting rule
Detection:
malicious
Classification:
expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/915151
Signature
Deletes itself after installation
Detected VMProtect packer
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample is protected by VMProtect
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Encoded PowerShell Command Line
Yara detected Costura Assembly Loader
Yara detected IPack Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 547625 Sample: 7TT0b79cIi Startdate: 04/01/2022 Architecture: WINDOWS Score: 100 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected IPack Miner 2->37 39 Sigma detected: Drops script at startup location 2->39 41 5 other signatures 2->41 7 7TT0b79cIi.exe 1 6 2->7         started        12 wscript.exe 1 2->12         started        process3 dnsIp4 33 91.243.32.131, 4404, 49694, 49695 MATTEOGB Russian Federation 7->33 27 C:\Users\user\AppData\...\7TT0b79cIi.exe, PE32+ 7->27 dropped 29 C:\Users\user\AppData\Local\...\dziovpy.exe, PE32+ 7->29 dropped 31 C:\Users\user\AppData\...\7TT0b79cIi.vbs, ASCII 7->31 dropped 47 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->47 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->49 51 Drops VBS files to the startup folder 7->51 53 Encrypted powershell cmdline option found 7->53 14 powershell.exe 18 7->14         started        17 7TT0b79cIi.exe 3 12->17         started        file5 signatures6 process7 file8 55 Deletes itself after installation 14->55 20 dziovpy.exe 2 14->20         started        23 conhost.exe 14->23         started        25 C:\Users\user\AppData\...\7TT0b79cIi.exe.log, ASCII 17->25 dropped 57 Multi AV Scanner detection for dropped file 17->57 59 Machine Learning detection for dropped file 17->59 61 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->63 signatures9 process10 signatures11 43 Multi AV Scanner detection for dropped file 20->43 45 Machine Learning detection for dropped file 20->45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578/
Threat name:
ByteCode-MSIL.Dropper.Scrop
Create hunting rule
Status:
Malicious
First seen:
2022-01-04 05:29:05 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
18
AV detection:
22 of 27 (81.48%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ydgnou3viawj2ggz7uisa7o7c4arismhjiv4guq4ny5ycvacwv4a._file
Verdict:
malicious
Similar samples:
03d077ca800b98cfc1d6889ad6c8b09d395231b29f98290481b1a4267f53345d
CoinMiner
0e24295a6109df43faefbf365cc71506d0c730ad2cd8ec5d93c28ba619a3fdaa
CoinMiner
585e4146923404bbe11c2cf5a423e2650a5d133541e9baeacb64a4d675f6484d
CoinMiner
6b10f57d5211fa504775f4db4021b74bfee20d6fc6f908fb062044db926c0656
CoinMiner
73a8ad379a2f6efec0754119102727765066db33a4f8b4a0aed21608bdb0cdfd
CoinMiner
8f9ff0227f4ce6ed3259d5f2f8bfd8c54496e9896ad5f522cdd768911be4b4bc
CoinMiner
d24cfa0bdad2e8531085b2cf684b9ea333fd5d85daa7c7a51750e943f6ae7e0b
CoinMiner
e46ea10a5b05bf3eec5a25019a2d41b2a21d236c6bb2be113879d2c765ba7946
CoinMiner
e53815bde4306397c668c921b03877403c5faae724ec66e1a62f3cc506fdb2ea
CoinMiner
ec50240df30bcbc5ece80e6a6702b7230b81e68b712083f01a5780761693c5ae
CoinMiner
+ 150 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/220104-kkwldaafcq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Deletes itself
Drops startup file
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Unpacked files
SH256 hash:
c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578
MD5 hash:
3d0f27b348dbb44c5b00f0aa5a7522ff
SHA1 hash:
7f70c51dd1b68f190ec2c817401c11d4251e767a
Link:
https://www.unpac.me/results/8c1ab602-7a7f-448d-918e-07ddf37a0719/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c0ccd7537540/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217233/
  
URLhaus
https://urlhaus.abuse.ch/url/1948169/

Comments


Avatar
zbet commented on 2022-01-04 08:39:10 UTC

url : hxxp://91.243.44.130/miner/new.exe