MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8
SHA3-384 hash: 26e5bdeec06405cfda61ce3be062e8c78a56e2d4255c50281c3e9f0615cbab567f1c904bf119a959ef233f14139d19c1
SHA1 hash: e082dd13c52fe7fb65fac801d2588e0c9153d9cc
MD5 hash: fa409741e16094bb8bc373d7b46742cd
humanhash: eighteen-river-east-charlie
File name:fa409741e16094bb8bc373d7b46742cd
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'038'272 bytes
First seen:2021-10-14 05:07:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 27516fd8750f40bdecf52a1420a0296a (12 x CoinMiner)
ssdeep 49152:47HPtc7WxLiwBM+/hO7ufPUWvcf5p/ZjlicJ6fuJ+Kjt1ph:eHPa7elm+/hTMlv/2cJ624Wt17
Threatray 107 similar samples on MalwareBazaar
TLSH T1AC9533B78F03DDE1C81D71782F0346A516F7FF899988A72B9E402D73423912C976B262
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://dropmefiles.com/cZGXf
Verdict:
Malicious activity
Analysis date:
2021-10-11 23:14:38 UTC
Tags:
trojan rat redline loader
Link:
https://app.any.run/tasks/8fea9951-c4a1-41a1-9476-7cdb608dbec0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197409/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/6167bb351c2d58ba7405def2/reports/9329ccc5-8b41-4c9d-8cf1-9cd373fd7dab/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c6fa2f1-1028-46fa-8d30-6ef79e07c7dd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/870196
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502620 Sample: 7boI2bEm21 Startdate: 14/10/2021 Architecture: WINDOWS Score: 84 73 Multi AV Scanner detection for submitted file 2->73 75 Sigma detected: Powershell Defender Exclusion 2->75 11 7boI2bEm21.exe 2->11         started        14 shrome.exe 2->14         started        process3 signatures4 97 Writes to foreign memory regions 11->97 99 Allocates memory in foreign processes 11->99 101 Creates a thread in another existing process (thread injection) 11->101 16 conhost.exe 4 11->16         started        103 Multi AV Scanner detection for dropped file 14->103 20 conhost.exe 3 14->20         started        process5 file6 67 C:\Windows\System32\shrome.exe, PE32+ 16->67 dropped 71 Adds a directory exclusion to Windows Defender 16->71 22 cmd.exe 1 16->22         started        25 cmd.exe 1 16->25         started        27 cmd.exe 1 16->27         started        29 cmd.exe 1 20->29         started        signatures7 process8 signatures9 81 Drops executables to the windows directory (C:\Windows) and starts them 22->81 31 shrome.exe 22->31         started        34 conhost.exe 22->34         started        83 Uses schtasks.exe or at.exe to add and modify task schedules 25->83 85 Adds a directory exclusion to Windows Defender 25->85 36 powershell.exe 21 25->36         started        38 conhost.exe 25->38         started        40 powershell.exe 25->40         started        42 conhost.exe 27->42         started        44 schtasks.exe 1 27->44         started        46 powershell.exe 21 29->46         started        48 2 other processes 29->48 process10 signatures11 105 Writes to foreign memory regions 31->105 107 Allocates memory in foreign processes 31->107 109 Creates a thread in another existing process (thread injection) 31->109 50 conhost.exe 4 31->50         started        process12 file13 69 C:\Windows\System32\...\sihost32.exe, PE32+ 50->69 dropped 77 Drops executables to the windows directory (C:\Windows) and starts them 50->77 79 Adds a directory exclusion to Windows Defender 50->79 54 sihost32.exe 50->54         started        57 cmd.exe 1 50->57         started        signatures14 process15 signatures16 87 Multi AV Scanner detection for dropped file 54->87 89 Writes to foreign memory regions 54->89 91 Allocates memory in foreign processes 54->91 93 Creates a thread in another existing process (thread injection) 54->93 59 conhost.exe 54->59         started        95 Adds a directory exclusion to Windows Defender 57->95 61 powershell.exe 21 57->61         started        63 conhost.exe 57->63         started        65 powershell.exe 57->65         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8/
Threat name:
Win64.Trojan.AgentAGen
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 03:04:40 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0fecc31110c98a487e301d783c61d7f0e3e607854b5b94a01a96c73b07a99272
CoinMiner
12439fc7c876b8bf881db4e97ed57827c1c4f2fd0ebccc29a4e197b19c80488b
CoinMiner
5221a9886df44c6e76d7a6d770ffe811d68cb8e6b96267e5ef40393ac675f6ff
CoinMiner
5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c
CoinMiner
9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462
CoinMiner
b41455dfe45bf98bd2f1acec07d7a0df02a3c83e1fdecfb403df3984ab794761
CoinMiner
c178858bc5b0763eaadbffe1d432de85a73c6f8ba4b7ce7f7bc98dc119532297
CoinMiner
de74006a23319ed5aa596ee8e047df2a6823fecdb9e0f4a5298418e665b56564
CoinMiner
e558134f888d403ba60d7db59978502a9071951528cd4873bd4702921012d69e
CoinMiner
e7b94b42550145f6653edad5a47879f3bad1abe865f065d7036ca942c572e842
CoinMiner
+ 97 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211014-fsj54agcb7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
xmrig
Unpacked files
SH256 hash:
c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8
MD5 hash:
fa409741e16094bb8bc373d7b46742cd
SHA1 hash:
e082dd13c52fe7fb65fac801d2588e0c9153d9cc
Link:
https://www.unpac.me/results/54e4377f-5c4a-47b8-85a4-2cbdd7634f9e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe c5c1c355c0e253df7b6a49d296c00663cc9692328dd236ab4f43fafc2ec70ec8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1676345/
Cape
Cape
https://www.capesandbox.com/analysis/197409/

Comments


Avatar
zbet commented on 2021-10-14 05:07:26 UTC

url : hxxp://cx55566.tmweb.ru/farm_money.exe