MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da5edd26691ace1af31cfc1e1ae61de36e1c82f02aba24835ca566fe0c9b71a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da5edd26691ace1af31cfc1e1ae61de36e1c82f02aba24835ca566fe0c9b71a0
SHA3-384 hash: 535f7d514fd146ca18f424b9b22ce8c3416d792499451f9fff82ade97dec0dca4a27d95e4263d6b020c125e096384d07
SHA1 hash: 608f9dc7d128febe518ff091117cb5882b0ffff2
MD5 hash: bf2ddd801ea0ba48c4e32ff47bece3de
humanhash: table-avocado-earth-coffee
File name:da5edd26691ace1af31cfc1e1ae61de36e1c82f02aba24835ca566fe0c9b71a0
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'967'208 bytes
First seen:2021-09-10 05:27:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dc12932426806b6b47a373d7ae42c21d (12 x CoinMiner, 1 x StealeriumStealer)
ssdeep 98304:0KsPXZtxb1jgM2ar1l8LS4R0eQvSRFAVkgUI5EBcZh5Y:01XZz9EuHcS4RuvSbEkgUI5bhm
Threatray 77 similar samples on MalwareBazaar
TLSH T116565BE320C3A6DDC416CA3B8753FDBF999FB1365616D4F3A054A2229C26CC436B5E09
Reporter JAMESWT_WT
Tags:CoinMiner exe FORTH PROPERTY LTD signed

Code Signing Certificate

Organisation:FORTH PROPERTY LTD
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-04-02T00:00:00Z
Valid to:2022-04-02T23:59:59Z
Serial number: 37a67cf754ee5ae284b4cf8b9d651604
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 4cf43525a4aba3b5fb3c6fae7323dea509aac73724b4a547414e56c8aa2eacf8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
da5edd26691ace1af31cfc1e1ae61de36e1c82f02aba24835ca566fe0c9b71a0
Verdict:
No threats detected
Analysis date:
2021-09-10 05:29:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/281d6796-f6d6-493b-8676-788a2181a8ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186771/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.17130.29726.31149.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7518c0c-72d2-451f-96bc-0a1ba0dfc122
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848570
Signature
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481001 Sample: pzR7UVgiqV Startdate: 10/09/2021 Architecture: WINDOWS Score: 100 35 Sigma detected: Xmrig 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected BitCoin Miner 2->39 41 5 other signatures 2->41 8 pzR7UVgiqV.exe 7 2->8         started        process3 file4 29 C:\Users\user\AppData\Roaming\lsass.exe, PE32+ 8->29 dropped 31 C:\Users\user\...\lsass.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\user\AppData\...\pzR7UVgiqV.exe.log, ASCII 8->33 dropped 43 Detected unpacking (changes PE section rights) 8->43 45 Tries to detect virtualization through RDTSC time measurements 8->45 47 Drops PE files with benign system names 8->47 12 lsass.exe 4 8->12         started        15 cmd.exe 1 8->15         started        signatures5 process6 signatures7 49 Multi AV Scanner detection for dropped file 12->49 51 Hijacks the control flow in another process 12->51 53 Tries to detect sandboxes and other dynamic analysis tools (window names) 12->53 57 5 other signatures 12->57 17 cmd.exe 1 12->17         started        19 nslookup.exe 12->19         started        55 Uses schtasks.exe or at.exe to add and modify task schedules 15->55 21 conhost.exe 15->21         started        23 schtasks.exe 1 15->23         started        process8 process9 25 conhost.exe 17->25         started        27 schtasks.exe 1 17->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da5edd26691ace1af31cfc1e1ae61de36e1c82f02aba24835ca566fe0c9b71a0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 15:58:32 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3jpn2jtjdlhbv4y47qpbvzq54nxbzaxqfk5cja24uvtp4de3ogqa._file
Verdict:
malicious
Similar samples:
20906f345b3c3cefe54adc059792cfa4c098f0547df80c8c7e70ff79c914ae38
CoinMiner
29b10facf712978e41161daf15235a8d74ef5cf16318a5887e39ee1e8cff297b
CoinMiner
3302a82e26c8bb1cee622704a852c98c099432d4bfa01403bae962ade7595a63
CoinMiner
831ba6efa4a49eb1c7ff749fe442b393c5a614f383bf1efb52512a183b4362fc
CoinMiner
9debd5d7a5f7cf87a37d1f1432878baa0ac7cf6ecca5b4bfdcfa1163f07a6953
CoinMiner
9f387190a5ac2872f67933759c544031a1485727d41329d9c4740c2358c54fe0
CoinMiner
a2f0a1d469d73a11c69afc9eb12000fa7f7652305d936a10d12dabce693f878b
CoinMiner
a9fe52010982ccd3628a5a882c019556b361c3fa7c29cb8052ff66f02bd28490
CoinMiner
df0bc1a4eb32d964f7405e8238e28d4c67e33e8552c708247a4cd654a30b836d
CoinMiner
f8915227c25c5ac552d66f3708f615cd517363953829d3715f38666d7dfa9770
CoinMiner
+ 67 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210910-f5f9zahde8/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
da5edd26691ace1af31cfc1e1ae61de36e1c82f02aba24835ca566fe0c9b71a0
MD5 hash:
bf2ddd801ea0ba48c4e32ff47bece3de
SHA1 hash:
608f9dc7d128febe518ff091117cb5882b0ffff2
Link:
https://www.unpac.me/results/6587e40b-1dc8-468b-919b-d8312a791829/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/da5edd26691ace1af31cfc1e1ae61de36e1c82f02aba24835ca566fe0c9b71a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186771/

Comments