MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cccef70aff3b7d8bcc6264bc9e9ae833a9128b45421880e511171ad28a1cd4ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cccef70aff3b7d8bcc6264bc9e9ae833a9128b45421880e511171ad28a1cd4ce
SHA3-384 hash: f719a954e28a40978829f1807a5f3096cddaa5e97d437acf45d66f4a199acd816f519c134fce5450404fe897ba36d688
SHA1 hash: 19a9206253be2dd917bdc3311f872c3dcc0b2ad2
MD5 hash: 06c646c60e546101398cfb8cc5df876e
humanhash: sodium-oven-florida-fanta
File name:06c646c60e546101398cfb8cc5df876e
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'277'696 bytes
First seen:2022-01-07 20:09:29 UTC
Last seen:2022-01-07 21:57:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b8ba55866bfe7b49b97c43084c1885db (25 x CoinMiner)
ssdeep 98304:5hLSzmHF8/snjAHeJmAGFLYC6W7NFvnyi16q/OBxKQ29os+0UF3uRlvsjpTRmUON:TUmHekj9J4FLpTp5oxKjECl0jpt
Threatray 174 similar samples on MalwareBazaar
TLSH T1CB363339BDDD20F2F482F57AA2BD9E138E932327D2F6411B432562904BDEE115CB7261
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
305
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
06c646c60e546101398cfb8cc5df876e
Verdict:
No threats detected
Analysis date:
2022-01-07 20:12:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/912f32b0-654b-42c0-bf84-4386f5cbe26f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217762/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.23769.28843.3842.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61d89e2102e388f9fdb40156/reports/a603f6b3-a3e9-4196-abec-24bfedb6de33/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d2bd975-7078-4b55-8151-c34ea51a9c60
Result
Threat name:
BitCoin Miner SilentXMRMiner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917003
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549481 Sample: 4M8FTLkZAp Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 50 Antivirus / Scanner detection for submitted sample 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected SilentXMRMiner 2->54 56 3 other signatures 2->56 11 4M8FTLkZAp.exe 2->11         started        14 services32.exe 2->14         started        process3 signatures4 68 Detected unpacking (changes PE section rights) 11->68 70 Writes to foreign memory regions 11->70 72 Allocates memory in foreign processes 11->72 80 2 other signatures 11->80 16 conhost.exe 5 11->16         started        74 Antivirus detection for dropped file 14->74 76 Multi AV Scanner detection for dropped file 14->76 78 Machine Learning detection for dropped file 14->78 19 conhost.exe 5 14->19         started        process5 file6 44 C:\Users\user\AppData\...\services32.exe, PE32+ 16->44 dropped 46 C:\Users\...\services32.exe:Zone.Identifier, ASCII 16->46 dropped 21 cmd.exe 1 16->21         started        23 cmd.exe 1 16->23         started        48 C:\Users\user\AppData\...\sihost32.exe, PE32+ 19->48 dropped 26 sihost32.exe 19->26         started        process7 signatures8 28 services32.exe 21->28         started        31 conhost.exe 21->31         started        58 Uses schtasks.exe or at.exe to add and modify task schedules 23->58 33 conhost.exe 23->33         started        35 schtasks.exe 1 23->35         started        60 Multi AV Scanner detection for dropped file 26->60 process9 signatures10 82 Writes to foreign memory regions 28->82 84 Allocates memory in foreign processes 28->84 86 Hides threads from debuggers 28->86 88 Creates a thread in another existing process (thread injection) 28->88 37 conhost.exe 3 28->37         started        process11 process12 39 sihost32.exe 37->39         started        signatures13 62 Writes to foreign memory regions 39->62 64 Allocates memory in foreign processes 39->64 66 Creates a thread in another existing process (thread injection) 39->66 42 conhost.exe 2 39->42         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cccef70aff3b7d8bcc6264bc9e9ae833a9128b45421880e511171ad28a1cd4ce/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 23:22:32 UTC
File Type:
PE+ (Exe)
AV detection:
24 of 42 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0e49a7e27c826b6afb92d25bd287493693af46e42838270cf96ee2f27c2c0521
CoinMiner
600c157ddb6d90c409f612a89e5c4259af4a7f724fd23ba85d1879b49c83054b
CoinMiner
64edbaff99fe8c87c2f5f826b0d1741c575295e3ab0c3d16db8bbacd2baebd30
CoinMiner
865baa577a2cdad80e6daefdd7b9bf06d4f9c5007d3bc17e98d13ca8d620feb6
CoinMiner
c0efa247a497b4d9d721d0f54e30e44007c5e53882cf822ade5c3b8f9dd6bbaf
CoinMiner
cd716a11679b98b42382e72283c0fa785d8a4b041bee8044a2c7dffae2142446
CoinMiner
e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a
CoinMiner
f3de4ce2a7e7d27e8dcfc9b38b0e55631181393e673a37a57bd97e218a797cfe
CoinMiner
feb365d784b06535c3bd3ab5c525e771521f0f7dcc71c8c3e800226fdb117085
CoinMiner
+ 164 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220107-yxpv9adadr/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
cccef70aff3b7d8bcc6264bc9e9ae833a9128b45421880e511171ad28a1cd4ce
MD5 hash:
06c646c60e546101398cfb8cc5df876e
SHA1 hash:
19a9206253be2dd917bdc3311f872c3dcc0b2ad2
Link:
https://www.unpac.me/results/bb702de2-9a2e-456d-a8f3-c186164bb16b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cccef70aff3b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cccef70aff3b7d8bcc6264bc9e9ae833a9128b45421880e511171ad28a1cd4ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe cccef70aff3b7d8bcc6264bc9e9ae833a9128b45421880e511171ad28a1cd4ce

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217762/
  
URLhaus
https://urlhaus.abuse.ch/url/1956078/

Comments


Avatar
zbet commented on 2022-01-07 20:09:31 UTC

url : hxxp://data-host-coin-8.com/files/4794_1641405425_8852.exe