MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d52a74310f131f46d27b2da4aa9553e1a5a09b44c991cc69ae2ff91e001469e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d52a74310f131f46d27b2da4aa9553e1a5a09b44c991cc69ae2ff91e001469e0
SHA3-384 hash: 4de440081705ea78f1b3af4725ab7fc20de01f9ea2bcf8f0153f75bebc4baf49dbad032b0deadc0bae5e9d0c86ed5af9
SHA1 hash: c14b0072d0f5d0dfb5fc82c877ba3cf938aeeb43
MD5 hash: bad1c7d34f61510cfefc54f5ebbf04fd
humanhash: zulu-pasta-coffee-xray
File name:bad1c7d34f61510cfefc54f5ebbf04fd
Download: download sample
Signature CoinMiner
Create hunting rule
File size:173'568 bytes
First seen:2022-05-21 01:04:10 UTC
Last seen:2022-05-21 01:39:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:6bl0GqfYTWqdqmwww6BKpwWowwwlpESUJXtdhVm13jWtSHPWcAwaYwYWdRmVW:sd9ERpESUJXtdhVm13jWtSHPWcFaYwV
Threatray 1'419 similar samples on MalwareBazaar
TLSH T14F04EA92EBF6EF34CE34093F8245B3295F2E5E9181F27D8D304DB1652EB9D00C5846AA
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 31f098b29298f031 (53 x AgentTesla, 30 x Formbook, 12 x RedLineStealer)
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
367
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bad1c7d34f61510cfefc54f5ebbf04fd
Verdict:
No threats detected
Analysis date:
2022-05-21 01:06:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea294b62-c817-4c97-a9ef-1dfb4bf1e49c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273199/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Сreating synchronization primitives
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated wacatac
Link:
https://www.filescan.io/uploads/62883a98afb61a3866614254/reports/e87a6d05-cc7e-4b1f-a2f4-8d206a4fb008/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1665d6d2-52ca-4757-87d8-120b0ba65c8c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/998929
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 631425 Sample: ZHNZ58d0mr Startdate: 21/05/2022 Architecture: WINDOWS Score: 100 29 241.24.6.0.in-addr.arpa 2->29 37 Antivirus detection for URL or domain 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 3 other signatures 2->43 8 ZHNZ58d0mr.exe 14 7 2->8         started        signatures3 process4 dnsIp5 31 198.251.86.46, 49740, 80 PONYNETUS United States 8->31 23 C:\Users\user\AppData\Roaming\...\cloud.exe, PE32+ 8->23 dropped 25 C:\Users\user\...\cloud.exe:Zone.Identifier, ASCII 8->25 dropped 27 C:\Users\user\AppData\...\ZHNZ58d0mr.exe.log, ASCII 8->27 dropped 45 Creates an undocumented autostart registry key 8->45 47 Writes to foreign memory regions 8->47 49 Modifies the context of a thread in another process (thread injection) 8->49 51 2 other signatures 8->51 13 InstallUtil.exe 2 8->13         started        17 cmd.exe 1 8->17         started        file6 signatures7 process8 dnsIp9 33 185.157.160.201, 49832, 49834, 49838 OBE-EUROPEObenetworkEuropeSE Sweden 13->33 35 241.24.6.0.in-addr.arpa 13->35 53 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->55 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d52a74310f131f46d27b2da4aa9553e1a5a09b44c991cc69ae2ff91e001469e0/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-05-20 20:40:25 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
19
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2uvhimipcmpunut3fwskvfkt4gs2bg2ezgi4y2nof74r4aaunhqa._file
Verdict:
malicious
Similar samples:
191e0b6b997739d71b92939ca736a43be3e742aa1b8baf025b5f9114f1f3e7ae
CoinMiner
203bfe6c0c5879e5951719fa76fdd9de0343e2652b58141660651d84790310ed
CoinMiner
32f396374d2c80cb3c72983d7d232e40bdbcd70475c389c94caa118d4c8f3032
CoinMiner
64432a60f19aa2b6365f98fd236200b873770c59e66bf3f25d21c4974f565a65
CoinMiner
6e38a3ddc750c13372311bd90bf5bdde571d005f1af0c62b1eb95b02467ee2d1
CoinMiner
879ff48aeaeee7c94d11e1988c282be172b994b2ad436f966937ffe6e3258275
CoinMiner
a342e8f2472ac316cab1017fc24f46d8206390f90448b91d62b9225aa3d2e229
CoinMiner
b64081fc4a7dc5e73ab017b1f0453c27d5e6040134dd269bc01de45cad3713b7
CoinMiner
+ 1'409 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220521-bfhpaabgf6/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
d52a74310f131f46d27b2da4aa9553e1a5a09b44c991cc69ae2ff91e001469e0
MD5 hash:
bad1c7d34f61510cfefc54f5ebbf04fd
SHA1 hash:
c14b0072d0f5d0dfb5fc82c877ba3cf938aeeb43
Link:
https://www.unpac.me/results/e6bc3c96-26af-44f3-96d4-3fc0280f84e2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d52a74310f13/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/d52a74310f131f46d27b2da4aa9553e1a5a09b44c991cc69ae2ff91e001469e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe d52a74310f131f46d27b2da4aa9553e1a5a09b44c991cc69ae2ff91e001469e0

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/273199/
  
URLhaus
https://urlhaus.abuse.ch/url/2203952/
  
URLhaus
https://urlhaus.abuse.ch/url/2204693/

Comments


Avatar
zbet commented on 2022-05-21 01:04:20 UTC

url : hxxp://198.251.86.46/checkit2.exe