MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc6611635ca61701a1aa303698270f8e6d8de4f6fc5e6b3a11c5fa9cb1621972. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc6611635ca61701a1aa303698270f8e6d8de4f6fc5e6b3a11c5fa9cb1621972
SHA3-384 hash: 132247b7807ead7f2bdb0a4b62fb21546dc4eb5b2dd788f5efdc740e611928df38cb00c2a0af9f47344212fdab0f8161
SHA1 hash: 4f252e828d51bfe8cf1322e6c18656a8a9b359e2
MD5 hash: cab63b06017beec8efd11d7f03ca5a85
humanhash: don-diet-alabama-artist
File name:cab63b06017beec8efd11d7f03ca5a85
Download: download sample
Signature CoinMiner
Create hunting rule
File size:101'888 bytes
First seen:2021-07-27 00:00:26 UTC
Last seen:2021-07-27 00:56:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:kwWI7JE7j41QqqhH+hFC/tu7NF9ETWHQbPRyZ2pP:kwWvp+hMlW9f8AZ2
Threatray 3 similar samples on MalwareBazaar
TLSH T1F3A3E14673A6E411D9090932ECE3CBE93AB4ADE0AD018B2FB581BB1F2D307515D625EC
dhash icon 6960e896228a6968 (3 x CoinMiner, 2 x AsyncRAT, 1 x RaccoonStealer)
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cab63b06017beec8efd11d7f03ca5a85
Verdict:
No threats detected
Analysis date:
2021-07-27 00:02:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4886e10b-6d9f-48fe-88b7-f854d28f1887

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174219/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.46.6344.1523.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file in the system32 directory
Deleting a recently created file
Replacing files
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff0e17b1-085a-40c6-9363-e29a4c8dfec5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/822061
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 454473 Sample: GDCxcNWXge Startdate: 27/07/2021 Architecture: WINDOWS Score: 84 77 Multi AV Scanner detection for submitted file 2->77 79 Machine Learning detection for sample 2->79 81 Sigma detected: Powershell Defender Exclusion 2->81 83 Sigma detected: Suspicious Script Execution From Temp Folder 2->83 10 GDCxcNWXge.exe 5 2->10         started        14 splwow64.exe 2 2->14         started        process3 file4 73 C:\Users\user\AppData\Local\...\svchost64.exe, PE32+ 10->73 dropped 75 C:\Users\user\AppData\...behaviorgraphDCxcNWXge.exe.log, ASCII 10->75 dropped 95 Adds a directory exclusion to Windows Defender 10->95 16 cmd.exe 1 10->16         started        18 cmd.exe 1 10->18         started        21 cmd.exe 1 14->21         started        signatures5 process6 signatures7 23 svchost64.exe 6 16->23         started        27 conhost.exe 16->27         started        85 Uses schtasks.exe or at.exe to add and modify task schedules 18->85 87 Adds a directory exclusion to Windows Defender 18->87 29 powershell.exe 22 18->29         started        31 conhost.exe 18->31         started        39 3 other processes 18->39 33 conhost.exe 21->33         started        35 powershell.exe 21->35         started        37 powershell.exe 21->37         started        41 2 other processes 21->41 process8 file9 69 C:\Windows\System32\splwow64.exe, PE32+ 23->69 dropped 71 C:\Windows\...\splwow64.exe:Zone.Identifier, ASCII 23->71 dropped 91 Machine Learning detection for dropped file 23->91 93 Drops executables to the windows directory (C:\Windows) and starts them 23->93 43 splwow64.exe 3 23->43         started        46 cmd.exe 1 23->46         started        48 cmd.exe 1 23->48         started        signatures10 process11 signatures12 97 Multi AV Scanner detection for dropped file 43->97 99 Machine Learning detection for dropped file 43->99 101 Adds a directory exclusion to Windows Defender 43->101 50 cmd.exe 1 43->50         started        53 conhost.exe 46->53         started        55 choice.exe 1 46->55         started        57 conhost.exe 48->57         started        59 schtasks.exe 1 48->59         started        process13 signatures14 89 Adds a directory exclusion to Windows Defender 50->89 61 powershell.exe 22 50->61         started        63 conhost.exe 50->63         started        65 powershell.exe 50->65         started        67 2 other processes 50->67 process15
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2021-07-26 18:07:57 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zrtbcy24uylqdinkga3jqjyprzwy3zhw7rpgwoqryx5jzmlcdfza._file
Verdict:
unknown
Similar samples:
24ea17a2c73edd5668c90344844c696e8bfddb72bf605feeea1a0dcc054f246f
CoinMiner
7980ef30b9bed26a9823d3dd5746cdefe5d01de2b2eb2c5e17dbfd1fd52f62bf
CoinMiner
e481e934466d3e768442331a3c3af50c4d430b6ed14059afbe661925338ef531
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/210727-996eeftry6/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
cc6611635ca61701a1aa303698270f8e6d8de4f6fc5e6b3a11c5fa9cb1621972
MD5 hash:
cab63b06017beec8efd11d7f03ca5a85
SHA1 hash:
4f252e828d51bfe8cf1322e6c18656a8a9b359e2
Link:
https://www.unpac.me/results/d06cc0e2-6a29-43f7-885f-9e77f68ae55f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc6611635ca61701a1aa303698270f8e6d8de4f6fc5e6b3a11c5fa9cb1621972

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe cc6611635ca61701a1aa303698270f8e6d8de4f6fc5e6b3a11c5fa9cb1621972

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1483539/
Cape
Cape
https://www.capesandbox.com/analysis/174219/

Comments


Avatar
zbet commented on 2021-07-27 00:00:29 UTC

url : hxxp://clanlegion.ddns.net/x1.exe