MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2a7a2a0fcb69d153a1abc06e5b316a496501e89f71c761f620fbb6a3867af14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c2a7a2a0fcb69d153a1abc06e5b316a496501e89f71c761f620fbb6a3867af14
SHA3-384 hash: 24fbc3d69301f3d32f47ec519be89f33d9ee7a5272aecacb3e261dcc0472a9d46ee6d622c7ee20da010a195d5b78ee15
SHA1 hash: 40f1a2cb6799b82806c012a39703064459f79786
MD5 hash: 4be4a8e13248732ef335846c1c698f41
humanhash: orange-low-stairway-hamper
File name:4be4a8e13248732ef335846c1c698f41
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'042'880 bytes
First seen:2021-11-11 01:45:54 UTC
Last seen:2021-11-11 05:24:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:wd7D2uVtChNOz/J1Po32UqzlHRrMvXdGoHk0A4wfMv7:w9D2u8Q/jDqXdzA4wf
Threatray 127 similar samples on MalwareBazaar
TLSH T11E9533939AB3D801F43A003E65CDB5DB8B02E6225BA4DB7F31E74A108868F9DDB55DC1
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/204899/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.180.19476.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/618c75dda00afa9663a384ee/reports/f3bcc27a-aa68-44ea-87e9-a620f7acf5da/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80bd7052-b8c1-4e69-b710-4a673b0c5a0f
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/887221
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 519692 Sample: RXQri9FS9t Startdate: 11/11/2021 Architecture: WINDOWS Score: 80 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected BitCoin Miner 2->50 11 RXQri9FS9t.exe 2->11         started        14 services32.exe 2->14         started        process3 signatures4 68 Writes to foreign memory regions 11->68 70 Allocates memory in foreign processes 11->70 72 Creates a thread in another existing process (thread injection) 11->72 16 conhost.exe 5 11->16         started        74 Multi AV Scanner detection for dropped file 14->74 19 conhost.exe 5 14->19         started        process5 file6 42 C:\Users\user\AppData\...\services32.exe, PE32+ 16->42 dropped 44 C:\Users\...\services32.exe:Zone.Identifier, ASCII 16->44 dropped 21 cmd.exe 1 16->21         started        23 cmd.exe 1 16->23         started        46 C:\Users\user\AppData\...\sihost32.exe, PE32+ 19->46 dropped process7 signatures8 26 services32.exe 21->26         started        29 conhost.exe 21->29         started        60 Uses schtasks.exe or at.exe to add and modify task schedules 23->60 31 conhost.exe 23->31         started        33 schtasks.exe 1 23->33         started        process9 signatures10 62 Writes to foreign memory regions 26->62 64 Allocates memory in foreign processes 26->64 66 Creates a thread in another existing process (thread injection) 26->66 35 conhost.exe 3 26->35         started        process11 process12 37 sihost32.exe 35->37         started        signatures13 52 Multi AV Scanner detection for dropped file 37->52 54 Writes to foreign memory regions 37->54 56 Allocates memory in foreign processes 37->56 58 Creates a thread in another existing process (thread injection) 37->58 40 conhost.exe 2 37->40         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c2a7a2a0fcb69d153a1abc06e5b316a496501e89f71c761f620fbb6a3867af14/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-11-05 02:26:54 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
139c83b8cf3674d992e04f9e4a047c3a7ad5279b2f6b8bf18c39603f82bca16d
CoinMiner
1505d3b595d18d1b255253b080bed85334916ff81174a5685a6f3f3433cbe746
CoinMiner
40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
CoinMiner
4428c955f11bf14ee87a1c6540314b9f24f6adbe848724dab4029242fef22137
CoinMiner
58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887
CoinMiner
9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462
CoinMiner
b41455dfe45bf98bd2f1acec07d7a0df02a3c83e1fdecfb403df3984ab794761
CoinMiner
e558134f888d403ba60d7db59978502a9071951528cd4873bd4702921012d69e
CoinMiner
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
CoinMiner
+ 117 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211111-b6zeqaffcp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
c2a7a2a0fcb69d153a1abc06e5b316a496501e89f71c761f620fbb6a3867af14
MD5 hash:
4be4a8e13248732ef335846c1c698f41
SHA1 hash:
40f1a2cb6799b82806c012a39703064459f79786
Link:
https://www.unpac.me/results/1b1c6c83-1246-4ef7-ac6f-4d8e3e06058d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/c2a7a2a0fcb69d153a1abc06e5b316a496501e89f71c761f620fbb6a3867af14

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe c2a7a2a0fcb69d153a1abc06e5b316a496501e89f71c761f620fbb6a3867af14

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1775162/
Cape
Cape
https://www.capesandbox.com/analysis/204899/

Comments


Avatar
zbet commented on 2021-11-11 01:45:56 UTC

url : hxxps://antivirf.ru/monsterbez.exe