MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc6d0138a98d588a8a180929426c3095a18f109d5e0272456a62f06eacac01cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc6d0138a98d588a8a180929426c3095a18f109d5e0272456a62f06eacac01cc
SHA3-384 hash: f2b00d827528782ab5db285ee299ff08355aa4f3daf81959c14d212b5af75e7b6be8abcd1d525406c8749c3fac828565
SHA1 hash: c63c1f8482362ca1b34039824240a2cd045355aa
MD5 hash: 48310da51b819059ba1b30ce47be5590
humanhash: jupiter-echo-six-hawaii
File name:48310da51b819059ba1b30ce47be5590
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'044'928 bytes
First seen:2022-03-21 16:38:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:Ux+727InuP3+9ik5lg7IglPbi3TC7InfNpEf7nJ3JQoQCJt8MpylVmZMn6+VV:u+727IuP3QtTgljh0nfNpEDrQoQwtEVL
Threatray 480 similar samples on MalwareBazaar
TLSH T1DF953305DD4C1EE8D6F2C6FDBBE9CB4217EFE1E9648CF8065341E4162414C16BBAAB18
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253703/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.18131.19812.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/10182/overview
Behaviour
MalwareBazaar
CallSleep
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6238aa31b94fb38cb4c516d6/reports/367fc3d1-92d0-4d3a-a2a3-636499908043/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf210ae6-28a1-4038-bbf5-ddfe70cb48ee
Result
Threat name:
BitCoin Miner SilentXMRMiner Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960986
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Created with System Process Name
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 593471 Sample: ewLNByF8v2 Startdate: 21/03/2022 Architecture: WINDOWS Score: 100 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected SilentXMRMiner 2->56 58 6 other signatures 2->58 11 ewLNByF8v2.exe 2->11         started        14 services.exe 2->14         started        process3 signatures4 70 Writes to foreign memory regions 11->70 72 Allocates memory in foreign processes 11->72 74 Creates a thread in another existing process (thread injection) 11->74 16 conhost.exe 6 11->16         started        76 Antivirus detection for dropped file 14->76 78 Multi AV Scanner detection for dropped file 14->78 20 conhost.exe 5 14->20         started        process5 file6 44 C:\Users\user\AppData\Local\...\services.exe, PE32+ 16->44 dropped 46 C:\Users\...\services.exe:Zone.Identifier, ASCII 16->46 dropped 50 Drops PE files with benign system names 16->50 22 cmd.exe 1 16->22         started        24 cmd.exe 1 16->24         started        signatures7 process8 signatures9 27 services.exe 22->27         started        30 conhost.exe 22->30         started        68 Uses schtasks.exe or at.exe to add and modify task schedules 24->68 32 conhost.exe 24->32         started        34 schtasks.exe 1 24->34         started        process10 signatures11 80 Writes to foreign memory regions 27->80 82 Allocates memory in foreign processes 27->82 84 Creates a thread in another existing process (thread injection) 27->84 36 conhost.exe 4 27->36         started        process12 file13 48 C:\Users\user\AppData\...\sihost64.exe, PE32+ 36->48 dropped 39 sihost64.exe 36->39         started        process14 signatures15 60 Antivirus detection for dropped file 39->60 62 Multi AV Scanner detection for dropped file 39->62 64 Writes to foreign memory regions 39->64 66 2 other signatures 39->66 42 conhost.exe 2 39->42         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc6d0138a98d588a8a180929426c3095a18f109d5e0272456a62f06eacac01cc/
Threat name:
Win64.Trojan.Wovdnut
Create hunting rule
Status:
Malicious
First seen:
2022-03-17 09:45:00 UTC
File Type:
PE+ (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0ba5bc2a4412ad5a9e6c873d77ca59d2650ca6138126737e02f89a0581832ed5
CoinMiner
1660fa277deb0f1afcd706189ecca08930050458121c2a2f42f2dcdeb1cf9c29
CoinMiner
588923b5dbf82de5793c49d09b2d68b862228fb57ba821492179761e170c5e24
CoinMiner
7e1624df0ec310b2766bd7a9a98f05ef1ed576f0f7e0699aee3ecc35ddb03c12
CoinMiner
7f94c21c8bb8b634df7616ec35572439237604fae7e049e1fad38403955996b9
CoinMiner
b03f5bd449dbd6441f14720cd78dc280580a998842675cec12b7d1a840c67932
CoinMiner
c9c79f349ba263858347e2a724368d31fb0a43542bb222c0e36d55198fbf7bfe
CoinMiner
cde7e237d3724ede32827c724793cd1e44f041b020a49a5188df9f0f0a92a722
CoinMiner
ec86b00b3f187f93e86711f82043af2ec359861bd60497b53998b0a28bc20d3e
CoinMiner
f24c30b470bbed7b13040919adaad588854f82e994cd2aa620bf94adffbdaa2c
CoinMiner
+ 470 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220321-t5zcfadbe5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
cc6d0138a98d588a8a180929426c3095a18f109d5e0272456a62f06eacac01cc
MD5 hash:
48310da51b819059ba1b30ce47be5590
SHA1 hash:
c63c1f8482362ca1b34039824240a2cd045355aa
Link:
https://www.unpac.me/results/cee7ddbc-5788-416a-bfba-e144fbd80705/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc6d0138a98d588a8a180929426c3095a18f109d5e0272456a62f06eacac01cc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe cc6d0138a98d588a8a180929426c3095a18f109d5e0272456a62f06eacac01cc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2109469/
Cape
Cape
https://www.capesandbox.com/analysis/253703/

Comments


Avatar
zbet commented on 2022-03-21 16:38:46 UTC

url : hxxp://193.106.191.131:1337/dada.exe