MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d48303d7682c1be689d10541e6b1976cff2a0f1af7423d47213ed877cdd0feaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d48303d7682c1be689d10541e6b1976cff2a0f1af7423d47213ed877cdd0feaf
SHA3-384 hash: f960e5022ff710dfa753544f74812bfa708dc82d231d348fc9b2cc4e05c22e0a6e22d5562fcfefa94583030a43fd9a54
SHA1 hash: f4093b32a531f4d5e2bc5bb33283941448a9b4fa
MD5 hash: 90888df5fed3a0bed79e68b028ba949d
humanhash: edward-pizza-avocado-yankee
File name:90888df5fed3a0bed79e68b028ba949d
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'998'592 bytes
First seen:2021-11-28 18:37:00 UTC
Last seen:2021-11-28 21:42:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bfd2dac39af50555ae9789117b36b66 (19 x CoinMiner, 2 x CoinMiner.XMRig)
ssdeep 49152:3AfsPuDUggL2iMzLWgo4KRGMC68irCKQihJ2kK9K5MRvlcYoihXRxotSgkaLAG:
Threatray 1'804 similar samples on MalwareBazaar
TLSH T1C35633609F583C7DC7A8027DA0BB2E3D26B25FC9802DE4D747E055D726AFB54052B8B8
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
90888df5fed3a0bed79e68b028ba949d
Verdict:
No threats detected
Analysis date:
2021-11-28 18:40:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9d077fc3-96ee-468e-bb6f-94068546e538

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.79899.23362.22945.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Possible injection to a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
monero stealer
Link:
https://www.filescan.io/uploads/61a3cc52effcae2254f3a42b/reports/3f4321dc-ed92-45fd-a5c9-582680a734bd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a62eab1-2686-45ad-9b58-7e2056e963bb
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897484
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected PersistenceViaHiddenTask
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 529962 Sample: corYd2UsOF Startdate: 28/11/2021 Architecture: WINDOWS Score: 100 103 Malicious sample detected (through community Yara rule) 2->103 105 Multi AV Scanner detection for submitted file 2->105 107 Yara detected BitCoin Miner 2->107 109 12 other signatures 2->109 11 corYd2UsOF.exe 5 2->11         started        15 powershell.exe 2->15         started        17 services.exe 2->17         started        19 powershell.exe 21 2->19         started        process3 file4 89 C:\Users\user\AppData\...\services.exe, PE32+ 11->89 dropped 91 C:\Users\...\services.exe:Zone.Identifier, ASCII 11->91 dropped 93 C:\Users\user\AppData\...\corYd2UsOF.exe.log, ASCII 11->93 dropped 147 Uses nslookup.exe to query domains 11->147 149 Writes to foreign memory regions 11->149 151 Allocates memory in foreign processes 11->151 161 2 other signatures 11->161 21 cmd.exe 11->21         started        23 cmd.exe 1 11->23         started        26 cmd.exe 11->26         started        28 nslookup.exe 2 2 11->28         started        153 Creates files in the system32 config directory 15->153 155 Modifies the context of a thread in another process (thread injection) 15->155 157 Found suspicious powershell code related to unpacking or dynamic code loading 15->157 30 dllhost.exe 15->30         started        32 conhost.exe 15->32         started        159 Multi AV Scanner detection for dropped file 17->159 34 cmd.exe 17->34         started        36 conhost.exe 19->36         started        signatures5 process6 signatures7 38 services.exe 21->38         started        42 conhost.exe 21->42         started        113 Uses schtasks.exe or at.exe to add and modify task schedules 23->113 44 powershell.exe 18 23->44         started        52 2 other processes 23->52 54 2 other processes 26->54 115 Writes to foreign memory regions 30->115 117 Creates a thread in another existing process (thread injection) 30->117 119 Injects a PE file into a foreign processes 30->119 56 6 other processes 30->56 121 Encrypted powershell cmdline option found 34->121 46 powershell.exe 34->46         started        48 powershell.exe 34->48         started        50 conhost.exe 34->50         started        process8 file9 85 C:\Users\user\AppData\...\sihost64.exe, PE32+ 38->85 dropped 87 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 38->87 dropped 123 Uses nslookup.exe to query domains 38->123 125 Writes to foreign memory regions 38->125 127 Allocates memory in foreign processes 38->127 131 3 other signatures 38->131 58 sihost64.exe 38->58         started        61 cmd.exe 38->61         started        63 nslookup.exe 38->63         started        129 Found suspicious powershell code related to unpacking or dynamic code loading 46->129 signatures10 process11 dnsIp12 133 Antivirus detection for dropped file 58->133 135 Uses nslookup.exe to query domains 58->135 137 Writes to foreign memory regions 58->137 143 2 other signatures 58->143 66 nslookup.exe 58->66         started        139 Encrypted powershell cmdline option found 61->139 68 powershell.exe 61->68         started        71 powershell.exe 61->71         started        73 conhost.exe 61->73         started        95 94.23.23.52, 3333, 49810 OVHFR France 63->95 97 pool.supportxmr.com 63->97 99 pool-fr.supportxmr.com 63->99 141 Query firmware table information (likely to detect VMs) 63->141 signatures13 process14 signatures15 75 cmd.exe 66->75         started        78 conhost.exe 66->78         started        111 Found suspicious powershell code related to unpacking or dynamic code loading 68->111 process16 signatures17 145 Encrypted powershell cmdline option found 75->145 80 powershell.exe 75->80         started        83 conhost.exe 75->83         started        process18 signatures19 101 Found suspicious powershell code related to unpacking or dynamic code loading 80->101
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d48303d7682c1be689d10541e6b1976cff2a0f1af7423d47213ed877cdd0feaf/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-11-28 18:25:36 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65
CoinMiner
46e01b9491f7ed9a2408278c7dd4b6a3b6c7f9a780f1d07531a1c23bf76f9992
CoinMiner
888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529
CoinMiner
95654525c7022015e1177ff2e8eba84837f6808b6568bccd87af3e55a3c1f481
CoinMiner
ac085734d51ca988db79b3078badc4ce24481eee7ef68db8811b1a98d2b3980c
CoinMiner
c87e6397cfee421392ddb68a814bc6370ff72ab3d32606ec147d66b8ed70db50
CoinMiner
cdf2ed21f6bda94bdebd880cb3e45005de2e714d8f1311f3d38684f103be2f00
CoinMiner
eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87
CoinMiner
ff8f62e6964487e861a3ed16e6cb69438a9a33e2d47c1ebe966aa116b7a82258
CoinMiner
+ 1'794 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner
Link:
https://tria.ge/reports/211128-w9gpasdcd3/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
Modifies security service
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
d48303d7682c1be689d10541e6b1976cff2a0f1af7423d47213ed877cdd0feaf
MD5 hash:
90888df5fed3a0bed79e68b028ba949d
SHA1 hash:
f4093b32a531f4d5e2bc5bb33283941448a9b4fa
Link:
https://www.unpac.me/results/9986827c-14fc-4d04-adae-ed8621aff680/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d48303d7682c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d48303d7682c1be689d10541e6b1976cff2a0f1af7423d47213ed877cdd0feaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe d48303d7682c1be689d10541e6b1976cff2a0f1af7423d47213ed877cdd0feaf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1829389/

Comments


Avatar
zbet commented on 2021-11-28 18:37:02 UTC

url : hxxp://coin-coin-coin-2.com/files/5834_1638116407_2621.exe