MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf2cb34e061e0a3d995c8d9910e1f03e63b0c8c848e8a697a3ec8b0cb294e96e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf2cb34e061e0a3d995c8d9910e1f03e63b0c8c848e8a697a3ec8b0cb294e96e
SHA3-384 hash: d43fff76a66ab090c032ec7a8b4bbd708fbab31723967ef706daaa712c48f82960d18858b8d3b772d4605dc6a3fbb86d
SHA1 hash: 4df0682355e50dce08d9a43a47b9954d36a2f24b
MD5 hash: f9d5c1cd96f5884fbed96d46be260037
humanhash: delaware-video-fanta-jersey
File name:f9d5c1cd96f5884fbed96d46be260037.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'045'440 bytes
First seen:2022-02-10 07:39:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:KHOORoYnrjWvwPDzAN43oHmnxiGjGp9HkrporT:eVRHnnWveDzrB4XpVIpI
Threatray 1'414 similar samples on MalwareBazaar
TLSH T1A395335B28FB641CE8E6D17CDD39D9278788A1B9C43C2D83915216DBB811883C2796BF
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://62.197.136.229/build.exe
Verdict:
Suspicious activity
Analysis date:
2022-02-10 01:07:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/19614a0c-dbfe-4f20-b6ce-9f94e7cd78d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/240203/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a process from a recently created file
Sending a custom TCP request
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6204c15aa35489c8da006d76/reports/9114b181-837e-447c-bf5a-734f5c44a1dc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7adfee89-e80a-44aa-933d-b233ad156550
Result
Threat name:
BitCoin Miner SilentXMRMiner Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937418
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Found strings related to Crypto-Mining
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 569896 Sample: WN1oT4p9M6.exe Startdate: 10/02/2022 Architecture: WINDOWS Score: 100 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected SilentXMRMiner 2->53 55 3 other signatures 2->55 11 WN1oT4p9M6.exe 2->11         started        14 asjaszsdge.exe 2->14         started        process3 signatures4 73 Writes to foreign memory regions 11->73 75 Allocates memory in foreign processes 11->75 77 Creates a thread in another existing process (thread injection) 11->77 16 conhost.exe 6 11->16         started        79 Antivirus detection for dropped file 14->79 81 Multi AV Scanner detection for dropped file 14->81 19 conhost.exe 4 14->19         started        process5 file6 43 C:\Users\user\AppData\...\asjaszsdge.exe, PE32+ 16->43 dropped 45 C:\Users\...\asjaszsdge.exe:Zone.Identifier, ASCII 16->45 dropped 21 cmd.exe 1 16->21         started        23 cmd.exe 1 16->23         started        process7 signatures8 26 asjaszsdge.exe 21->26         started        29 conhost.exe 21->29         started        65 Uses schtasks.exe or at.exe to add and modify task schedules 23->65 31 conhost.exe 23->31         started        33 schtasks.exe 1 23->33         started        process9 signatures10 67 Writes to foreign memory regions 26->67 69 Allocates memory in foreign processes 26->69 71 Creates a thread in another existing process (thread injection) 26->71 35 conhost.exe 4 26->35         started        process11 file12 47 C:\Users\user\AppData\...\sihost64.exe, PE32+ 35->47 dropped 38 sihost64.exe 35->38         started        process13 signatures14 57 Antivirus detection for dropped file 38->57 59 Multi AV Scanner detection for dropped file 38->59 61 Writes to foreign memory regions 38->61 63 2 other signatures 38->63 41 conhost.exe 2 38->41         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf2cb34e061e0a3d995c8d9910e1f03e63b0c8c848e8a697a3ec8b0cb294e96e/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2022-02-10 07:31:03 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
18205615390b3e8e007e8c0d7016978c268697f39ad0f7f2f441fedaf1c01237
CoinMiner
3d030fbfbe328bc4f276d565854f89189094ddb46dc1c6d36e8e9a438227279f
CoinMiner
7387dda5e2f645e2bdb9c2b366b4917a52a0535800580deb50f28e6790418ec9
CoinMiner
752e7330e3a78a5f97d052bbaad3b72803b4f9d21fe3b90f6619422dbcfe6fac
CoinMiner
76924e1b0e41295f579dec281f27ad044ad3b60ac06dbe93ba193506c7b5c200
CoinMiner
914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
CoinMiner
944b430ea906d74d8d8a8d2d487696f48e5d427e3ae8ee493dddebb3660ae766
CoinMiner
9ba99ef6e07d224b950b451c6e414e9c12ef7429d8e59d5cd841ffbc3c5369ec
CoinMiner
a5da2c2da168c53897eb7580f0af6e0988e5c801ed766d7a7450e97b9b000ff4
CoinMiner
cd716a11679b98b42382e72283c0fa785d8a4b041bee8044a2c7dffae2142446
CoinMiner
+ 1'404 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220210-jg24bagcd5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
cf2cb34e061e0a3d995c8d9910e1f03e63b0c8c848e8a697a3ec8b0cb294e96e
MD5 hash:
f9d5c1cd96f5884fbed96d46be260037
SHA1 hash:
4df0682355e50dce08d9a43a47b9954d36a2f24b
Link:
https://www.unpac.me/results/0e25b581-6133-40c5-9197-871c5c5c5868/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cf2cb34e061e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe cf2cb34e061e0a3d995c8d9910e1f03e63b0c8c848e8a697a3ec8b0cb294e96e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2019185/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/240203/

Comments