MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7d852a3e36342b86a6cc8911662c78b7c0910376ce6348811f31687dd0e9ee5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 9



SHA256 hash: c7d852a3e36342b86a6cc8911662c78b7c0910376ce6348811f31687dd0e9ee5
SHA3-384 hash: 1c7ccfc23ad9a0cc8483e239125c57e3af97f64b8a105330c64474e54bf2441332f4683ba3fe620a57054bba857a073b
SHA1 hash: 212f39834719ab22f9720d9f6f06b37109570c9a
MD5 hash: f389a87f614665cb6ffba673ae194fa6
humanhash: mountain-island-indigo-tennessee
File name: SecuriteInfo.com.Trojan.GenericKDZ.85142.32252.22193
Signature: CoinMiner
File size: 3'364'352 bytes
First seen: 2022-03-21 18:14:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f41bd45d825b0e2e44373b89f24d3e52 (5 x CoinMiner, 1 x CoinMiner.XMRig)
ssdeep: 98304:ZGZWeamTwj+67d1RsIxye6Y70fgV73BFmo8CtoqISZwi:ZGoSTK7+Y0fg53SoRHii
Threatray: 290 similar samples on MalwareBazaar
TLSH: T14CF5F19E6258336CC03AC4B49523BD0BF6B6321E07E4A6EF72C776C177E7590A51AB01
Reporter: SecuriteInfoCom
Tags: CoinMiner, exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 232
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 0/10
Tags: n/a

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: adwa.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Shellcode strings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 593654
Sample: SecuriteInfo.com.Trojan.Gen... (start date: 21/03/2022, architecture: WINDOWS, score: 100)
Top-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 5 other signatures
Network (top level): easyproducts.org

Process tree recovered from the graph dump:
  SecuriteInfo.com.Trojan.GenericKDZ.85142.32252.exe
    network: 185.137.234.33, ports 49761, 49762, 8080 (SELECTELRU, Russian Federation)
    dropped: C:\Users\user\AppData\...\RegModule.exe (PE32+)
    dropped: C:\Users\user\AppData\Roaming\...\RegHost.exe (PE32+)
    dropped: C:\Users\user\AppData\Roaming\...\RegData.exe (PE32+)
    dropped: C:\Users\user\AppData\...\OneDrive.exe (PE32+)
    signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes
    started: explorer.exe
      started: curl.exe (started conhost.exe, which started conhost.exe)
      started: curl.exe (network: easyproducts.org 193.233.48.63, NETIS-ASRU, Russian Federation; started conhost.exe)
      started: curl.exe (started conhost.exe)
      started: 11 other processes (started conhost.exe and 9 other processes)
    started: bfsvc.exe (started conhost.exe)
    started: conhost.exe
  RegHost.exe
    signatures: Multi AV Scanner detection for dropped file; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
    started: explorer.exe
      started: curl.exe (started conhost.exe)
      started: curl.exe (started conhost.exe)
      started: 12 other processes (started conhost.exe and 8 other processes)
    started: bfsvc.exe (started conhost.exe)
    started: conhost.exe
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2022-03-18 19:01:00 UTC
File Type: PE+ (Exe)
AV detection: 19 of 42 (45.24%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence upx
Behaviour
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
Downloads MZ/PE file
Unpacked files
SHA256 hash: c7d852a3e36342b86a6cc8911662c78b7c0910376ce6348811f31687dd0e9ee5
MD5 hash: f389a87f614665cb6ffba673ae194fa6
SHA1 hash: 212f39834719ab22f9720d9f6f06b37109570c9a
Please note that we are no longer able to provide a coverage score for Virus Total.
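The vendor reports above give the raw material for host-side detection: the sample's file hashes, the four binaries it drops under the user's AppData (RegHost.exe, RegModule.exe, RegData.exe and a masquerading OneDrive.exe), a Run-key autorun, code injected into explorer.exe that then launches curl.exe repeatedly, and two network endpoints (185.137.234.33 and easyproducts.org / 193.233.48.63). The script below is an added example, not part of the MalwareBazaar page or any vendor's tooling. It turns those observations into a hash check and four event rules and runs them over Sysmon-style telemetry. The telemetry records, their field names (image, parent_image, dest_ip, dest_host, target, details) and the AppData subdirectory in the sample paths are all constructed for this example; the indicator values themselves are copied from the entry. Two caveats are built in: explorer.exe legitimately spawns whatever a user launches, so an explorer.exe -> curl.exe chain is a hunting lead rather than a conviction on its own, and the genuine OneDrive client runs from %LOCALAPPDATA%\Microsoft\OneDrive\, so only a OneDrive.exe outside that directory is flagged.

```python
"""Hash check and behavioural rules derived from the sandbox reports above.

Added example (not from MalwareBazaar or any vendor). Indicator values are
copied from the database entry; every telemetry record below is CONSTRUCTED,
and the event field names are this example's own convention, not Sysmon's.
"""
import hashlib
import ntpath

# Indicators copied from the MalwareBazaar entry.
SAMPLE_HASHES = {
    "md5": "f389a87f614665cb6ffba673ae194fa6",
    "sha1": "212f39834719ab22f9720d9f6f06b37109570c9a",
    "sha256": "c7d852a3e36342b86a6cc8911662c78b7c0910376ce6348811f31687dd0e9ee5",
}
# Names of the binaries dropped under AppData (the page elides the exact subdirectories).
DROPPED_NAMES = {"reghost.exe", "regmodule.exe", "regdata.exe", "onedrive.exe"}
# Network endpoints from the behaviour graph.
NETWORK_IOCS = {"185.137.234.33", "193.233.48.63", "easyproducts.org"}
# Autorun branch named in the behaviour lists (matched case-insensitively).
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Where the genuine per-user OneDrive client is installed; anything else is suspect.
ONEDRIVE_HOME = "\\appdata\\local\\microsoft\\onedrive\\"


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a file's contents, keyed like SAMPLE_HASHES."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SAMPLE_HASHES}


def match_known_hashes(digests: dict) -> set:
    """Return the algorithms whose digest equals the catalogued sample's."""
    return {alg for alg, hx in SAMPLE_HASHES.items() if digests.get(alg, "").lower() == hx}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(events: list) -> list:
    """Apply four rules to Sysmon-like events and return (rule, event id) pairs."""
    findings = []
    for ev in events:
        eid = ev["id"]
        if ev["type"] == "process":
            img = ev["image"].lower()
            name, parent = _base(img), _base(ev.get("parent_image", ""))
            # Rule 1: the graph shows curl.exe children under the injected explorer.exe.
            if name == "curl.exe" and parent == "explorer.exe":
                findings.append(("explorer_spawns_curl", eid))
            # Rule 2: dropped binaries executing from the user's profile.
            if name == "onedrive.exe":
                if ONEDRIVE_HOME not in img:
                    findings.append(("onedrive_outside_install_dir", eid))
            elif name in DROPPED_NAMES and "\\appdata\\" in img:
                findings.append(("dropped_name_in_appdata", eid))
        elif ev["type"] == "network":
            # Rule 3: contact with the endpoints seen in the sandbox run.
            if ev.get("dest_ip") in NETWORK_IOCS or ev.get("dest_host", "").lower() in NETWORK_IOCS:
                findings.append(("network_ioc", eid))
        elif ev["type"] == "registry":
            # Rule 4: Run-key autorun whose value points into AppData.
            if RUN_KEY in ev["target"].lower() and "\\appdata\\" in ev["details"].lower():
                findings.append(("run_key_to_appdata", eid))
    return findings


# Constructed telemetry for this example; the "hypothetical" subdirectory is made up.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Users\user\AppData\Roaming\hypothetical\RegHost.exe",
     "parent_image": r"C:\Users\user\Downloads\SecuriteInfo.com.Trojan.GenericKDZ.85142.32252.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "type": "process", "image": r"C:\Users\user\AppData\Roaming\hypothetical\OneDrive.exe",
     "parent_image": r"C:\Users\user\AppData\Roaming\hypothetical\RegHost.exe"},
    {"id": 4, "type": "process", "image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "parent_image": r"C:\Windows\explorer.exe"},  # genuine client: must not fire
    {"id": 5, "type": "network", "image": r"C:\Windows\System32\curl.exe",
     "dest_ip": "193.233.48.63", "dest_host": "easyproducts.org"},
    {"id": 6, "type": "network", "image": r"C:\Users\user\AppData\Roaming\hypothetical\RegHost.exe",
     "dest_ip": "185.137.234.33"},
    {"id": 7, "type": "registry",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost",
     "details": r"C:\Users\user\AppData\Roaming\hypothetical\RegHost.exe"},
    {"id": 8, "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},  # benign: must not fire
]

if __name__ == "__main__":
    print("hash match on a non-sample file:", match_known_hashes(hash_bytes(b"not the sample")))
    for rule, eid in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} event {eid}")
```

Events 4 and 8 are the negative controls: the real OneDrive path and a user launching notepad.exe from explorer.exe produce no finding, while the dropped RegHost.exe, the explorer.exe -> curl.exe chain, the misplaced OneDrive.exe, both network endpoints and the Run-key write each fire exactly once.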

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  CoinMiner
    Executable exe c7d852a3e36342b86a6cc8911662c78b7c0910376ce6348811f31687dd0e9ee5 (this sample)

Delivery method: Distributed via web download
