MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdf45f57fd8885bea02e2fcaf7b3a13c3f8185827cee1ef348a22cb36c1886c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdf45f57fd8885bea02e2fcaf7b3a13c3f8185827cee1ef348a22cb36c1886c0
SHA3-384 hash: bfb8083e7e8a02166724f221e9df50a5f2d208e4b61aa9be021f53316ce63953e38b7e4701f667f03e67bf6cfdc566d1
SHA1 hash: ad6a08df345f9aee1e7d4e9ff292e2ba23098728
MD5 hash: e88ced23521be82bcef6357fdb45ecf6
humanhash: magazine-potato-single-five
File name:e88ced23521be82bcef6357fdb45ecf6
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'006'528 bytes
First seen:2022-01-12 01:02:51 UTC
Last seen:2022-01-12 04:13:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:F2ducSf/Sr8KGP5/Z5nRwgH6Md+56IPNBGT8TT:F2kzf/Sr8KW5/zR7H6bP
TLSH T1C29533772378D2D5F6F648339A720AAC0A72B37B1321EA9EC041161529F7C5921D8FB3
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e88ced23521be82bcef6357fdb45ecf6
Verdict:
No threats detected
Analysis date:
2022-01-12 01:06:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee65e4dd-e6f2-4e20-9eea-0fc9b45e23a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/218431/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.19502.31526.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
DNS request
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/61de28c91883c5ba4ec2b577/reports/4f5da06f-8642-4599-b094-1781ec02383f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01c240fa-431f-4dd5-82ed-f19cb1b2f9e4
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/918816
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files with benign system names
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 551294 Sample: h5gyOplna0 Startdate: 12/01/2022 Architecture: WINDOWS Score: 100 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected Xmrig cryptocurrency miner 2->43 45 3 other signatures 2->45 8 services.exe 7 2->8         started        12 h5gyOplna0.exe 5 2->12         started        process3 file4 31 C:\Users\user\AppData\...\sihost64.exe, PE32+ 8->31 dropped 47 Antivirus detection for dropped file 8->47 49 Multi AV Scanner detection for dropped file 8->49 51 Machine Learning detection for dropped file 8->51 14 sihost64.exe 8->14         started        33 C:\Users\user\AppData\...\services.exe, PE32+ 12->33 dropped 35 C:\Users\...\services.exe:Zone.Identifier, ASCII 12->35 dropped 37 C:\Users\user\AppData\...\h5gyOplna0.exe.log, ASCII 12->37 dropped 53 Drops PE files with benign system names 12->53 17 cmd.exe 1 12->17         started        19 cmd.exe 1 12->19         started        signatures5 process6 signatures7 55 Antivirus detection for dropped file 14->55 57 Multi AV Scanner detection for dropped file 14->57 59 Machine Learning detection for dropped file 14->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 17->61 21 conhost.exe 17->21         started        23 schtasks.exe 1 17->23         started        25 services.exe 3 19->25         started        27 conhost.exe 19->27         started        process8 process9 29 sihost64.exe 2 25->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdf45f57fd8885bea02e2fcaf7b3a13c3f8185827cee1ef348a22cb36c1886c0/
Threat name:
ByteCode-MSIL.Trojan.Injectgen
Create hunting rule
Status:
Malicious
First seen:
2022-01-09 21:42:48 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220112-bedc6safap/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
cdf45f57fd8885bea02e2fcaf7b3a13c3f8185827cee1ef348a22cb36c1886c0
MD5 hash:
e88ced23521be82bcef6357fdb45ecf6
SHA1 hash:
ad6a08df345f9aee1e7d4e9ff292e2ba23098728
Link:
https://www.unpac.me/results/9e0f1681-b2f1-4b00-aedc-58bbfa9ccbb5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdf45f57fd8885bea02e2fcaf7b3a13c3f8185827cee1ef348a22cb36c1886c0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe cdf45f57fd8885bea02e2fcaf7b3a13c3f8185827cee1ef348a22cb36c1886c0

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/218431/
  
URLhaus
https://urlhaus.abuse.ch/url/1969147/

Comments


Avatar
zbet commented on 2022-01-12 01:02:53 UTC

url : hxxp://95.143.178.121/pwNmvLJF2.exe