MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d66ce2f63139ffdc5a9eeff9ca44b17f82a36a3f8713f959e59997e850ccdbbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 13

SHA256 hash: d66ce2f63139ffdc5a9eeff9ca44b17f82a36a3f8713f959e59997e850ccdbbf
SHA3-384 hash: b7842b9a69c640a2a69981fba14d762626d5ac607fc5f4ce32137431db3d6f520212282b47e408bd97e9e7dba21a2ab0
SHA1 hash: ea4f64edd2c1779966b5d0eecba6d7d9ba8a01c9
MD5 hash: 05b30a117a6915c4591c65449e83f0a4
humanhash: maryland-montana-equal-xray
File name: Winscreen.exe
Signature: CoinMiner
File size: 4'116'480 bytes
First seen: 2024-10-05 19:55:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 98304:2dffmDjO/1TFS2aQnJuOYPTGfxom+IYMIlvdx:2MWlFS2aQnJubbGfxom+cGX
TLSH: T1681633212BB14972CF8482BB510190E498F2AF65277FE3F6343B3AF236E43507D56966
TrID: 40.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      8.0% (.ICL) Windows Icons Library (generic) (2059/9)
      7.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 1c5d611f0f33334d (5 x RevengeRAT, 3 x QuasarRAT, 2 x CoinMiner)
Reporter: imperialwool
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 509
Origin country: BY

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: stubInf.exe
Verdict: Malicious activity
Analysis date: 2024-10-05 19:52:22 UTC
Tags: github
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 81.4%
Tags: Msil

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed vbnet

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: spre.bank.adwa.spyw.expl.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Enables a proxy for the internet explorer
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets a proxy for the internet explorer
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Powershell decode and execute
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 1526464
Sample: Winscreen.exe
Startdate: 05/10/2024
Architecture: WINDOWS
Score: 100

Graph-level findings: start-supplier.at.ply.gg; raw.githubusercontent.com; 2 other IPs or domains; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 11 other signatures

Process tree as recovered from the behavior graph (dropped files, network contacts and signatures listed per process):

Winscreen.exe (started from the sample)
  dropped: C:\Users\user\AppData\Roaming\upx.exe (PE32); C:\Users\user\AppData\Roaming\taskmoder.exe (PE32); C:\Users\user\AppData\Roaming\explorer.exe (PE32); 2 other malicious files
  signatures: Query firmware table information (likely to detect VMs); Creates multiple autostart registry keys; Bypasses PowerShell execution policy; 3 other signatures
  started: taskmen.exe, taskmoder.exe, explorer.exe, 6 other processes
  taskmen.exe
    network: github.com 140.82.121.3, 443, 49786, 49790 (GITHUBUS, United States); raw.githubusercontent.com 185.199.110.133, 443, 49800 (FASTLYUS, Netherlands)
    dropped: C:\Windows\Client.exe (PE32+); C:\Users\user\AppData\Roaming\...\taskmen.exe (PE32); C:\Users\user\AppData\Local\...\ch1pl1en.gh2 (PE32); 3 other malicious files
    signatures: Query firmware table information (likely to detect VMs); Creates autorun.inf (USB autostart); Creates multiple autostart registry keys; Drops executables to the windows directory (C:\Windows) and starts them
    started: Client.exe, cmd.exe
    Client.exe
      dropped: C:\Users\user\AppData\...\Client (1).vmp.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file
      started: Client (1).vmp.exe (two instances)
      Client (1).vmp.exe (first instance)
        network: start-supplier.at.ply.gg 209.25.140.180, 49852, 49962, 49988 (COGECO-PEER1CA, Canada)
        dropped: C:\pastibin.exe (PE32); C:\Users\user\AppData\...\Client (1).vmp.exe (PE32)
        signatures: Query firmware table information (likely to detect VMs); Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys
      Client (1).vmp.exe (second instance)
        signatures: Hides threads from debuggers
    cmd.exe
      started: powershell.exe, conhost.exe, cmd.exe
      powershell.exe
        network: 127.0.0.1 (unknown)
        dropped: \Device\ConDrv (ASCII)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
  taskmoder.exe
    dropped: C:\ProgramData\winlog.vbs (Unicode)
    signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Sets a proxy for the internet explorer; Queries memory information (via WMI often done to detect virtual machines); Enables a proxy for the internet explorer
    started: cmd.exe, wscript.exe, cmd.exe, 3 other processes
    cmd.exe
      started: wscript.exe, 2 other processes
      wscript.exe
        signatures: Creates an undocumented autostart registry key; Windows Scripting host queries suspicious COM object (likely to drop second stage)
        started: taskkill.exe (which started conhost.exe), userinit.exe (which started explorer.exe)
    wscript.exe
      signatures: Creates an undocumented autostart registry key
    cmd.exe
      started: 2 other processes
    3 other processes
      started: 3 other processes
  explorer.exe
    dropped: C:\Windows\Temp\ydztkyrb.exe (PE32); C:\Windows\Temp\xtm5g4p2.inf (Windows)
    signatures: Hides threads from debuggers
    started: cmstp.exe
  6 other processes
    signatures: Loading BitLocker PowerShell Module
    started: conhost.exe, 4 other processes
explorer.exe (started from the sample)
  dropped: C:\Windows\Temp\swtpd1aw.exe (PE32); C:\Windows\Temp\05mor1jc.inf (Windows)
  signatures: Hides threads from debuggers
  started: cmstp.exe
cmd.exe (started from the sample)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them
  started: ydztkyrb.exe, conhost.exe
  ydztkyrb.exe
    signatures: Protects its processes via BreakOnTermination flag
9 other processes (started from the sample)
  started: swtpd1aw.exe, 3 other processes
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-10-05 19:56:05 UTC
File Type: PE+ (.Net Exe)
Extracted files: 16
AV detection: 20 of 24 (83.33%)
Threat level: 2/5
Verdict: malicious
Label(s): sectoprat
Similar samples:

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SHA256 hash: d66ce2f63139ffdc5a9eeff9ca44b17f82a36a3f8713f959e59997e850ccdbbf
MD5 hash: 05b30a117a6915c4591c65449e83f0a4
SHA1 hash: ea4f64edd2c1779966b5d0eecba6d7d9ba8a01c9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_no_import_table
Description: Detect PE file that has no import table

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                  | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                   | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments