MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db4597572c03a863fdfb6bb3291ee732d6a3547014867f7497d3c6dd378df75c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db4597572c03a863fdfb6bb3291ee732d6a3547014867f7497d3c6dd378df75c
SHA3-384 hash: 5788c93cb49aa9c06e074dabd1fe60272625a29d2f4229ff1d9d82658b64b30e0c95be794f47d45157a27b61fb9e2740
SHA1 hash: 0274f0646403847c3e98e836a791b278ee40d7ca
MD5 hash: 867c376db0a4baf3cfc2d49bb71a27f6
humanhash: robert-eighteen-six-foxtrot
File name:Cleaner.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'424'320 bytes
First seen:2022-04-16 18:38:27 UTC
Last seen:2022-04-20 10:23:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7dbd2319b33ed25eb7ad7d0162c2bb3a (18 x CoinMiner, 1 x CoinMiner.XMRig, 1 x XFilesStealer)
ssdeep 49152:wFP788CshGswucE2TdS3XYVr/MWrzcLvG3UGSHh5hT1:wFP78vsM+D2TkXobSGkl5h
Threatray 174 similar samples on MalwareBazaar
TLSH T134B5333C9286E68EFFEEFBF9829D82EB82F312744501E01F516C16B146F566B60C914D
TrID 59.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
7.2% (.EXE) DOS Executable Generic (2000/1)
Reporter AndreGironda
Tags:64 CoinMiner exe XMRIG


Avatar
AndreGironda
MITRE T1566.002
Date: Sat, 16 Apr 2022 00:30-01:00 +0000
Received: from vps.amsgroupe.com (193.70.0.119)
Content-Type: multipart/mixed; boundary="===============5359411225640362882=="
MIME-Version: 1.0
From: Microsoft <no-reply@microsoft.com>
Subject: Take action
X-Get-Message-Sender-Via: vps.amsgroupe.com: authenticated_id: asekkoum@amsgroupe.com
X-Authenticated-Sender: vps.amsgroupe.com: asekkoum@amsgroupe.com
Message-ID: <744245af-e1bb-4657-8bb4-4067efcc3649@DM6NAM11FT038.eop-nam11.prod.protection.outlook.com>
Return-Path: no-reply@microsoft.com
Message Body URL: hXXps://mega[.]nz/file/xAc3zZ7Q#nXjvwTQ8pV9BI6WSmDWLHf2cCbcPqkMUkiUgoISFVx0
Zipfile Name: Cleaner.zip
Zipfile SHA256: 08ab14b4880ff3d7926af95a2a150825e2673bcec69ae6a2e5071133634f46da
Unzipped Executable Name: Cleaner.exe
Executable SHA256: db4597572c03a863fdfb6bb3291ee732d6a3547014867f7497d3c6dd378df75c

Intelligence

File Origin
# of uploads :
2
# of downloads :
581
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264121/
Detection(s):
SecuriteInfo.com.Variant.Kryptik.177.21920.7450.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating a service
Launching a service
Loading a system driver
Query of malicious DNS domain
Enabling autorun for a service
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/14037/overview
Behaviour
MalwareBazaar
CallSleep
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/625b0d48ffe27d5119e9f26a/reports/83ab6e28-3928-48ec-b69c-af8d66a3dc5e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6130b33b-389d-4df7-b2ac-bdea5fe23929
Result
Threat name:
BitCoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977719
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Potential dropper URLs found in powershell memory
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 610206 Sample: Cleaner.exe Startdate: 16/04/2022 Architecture: WINDOWS Score: 100 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus / Scanner detection for submitted sample 2->88 90 Yara detected BitCoin Miner 2->90 92 4 other signatures 2->92 11 Cleaner.exe 2->11         started        14 svchost.exe 2->14         started        16 svchost.exe 1 2->16         started        18 8 other processes 2->18 process3 dnsIp4 106 Writes to foreign memory regions 11->106 108 Allocates memory in foreign processes 11->108 110 Creates a thread in another existing process (thread injection) 11->110 21 conhost.exe 7 11->21         started        112 Changes security center settings (notifications, updates, antivirus, firewall) 14->112 24 MpCmdRun.exe 1 14->24         started        114 System process connects to network (likely due to code injection or exploit) 16->114 72 127.0.0.1 unknown unknown 18->72 74 192.168.2.1 unknown unknown 18->74 signatures5 process6 file7 68 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 21->68 dropped 70 C:\Users\user\...\updater.exe:Zone.Identifier, ASCII 21->70 dropped 26 cmd.exe 1 21->26         started        28 cmd.exe 1 21->28         started        31 cmd.exe 1 21->31         started        33 conhost.exe 24->33         started        process8 signatures9 35 updater.exe 26->35         started        38 conhost.exe 26->38         started        116 Encrypted powershell cmdline option found 28->116 118 Uses schtasks.exe or at.exe to add and modify task schedules 28->118 40 powershell.exe 23 28->40         started        42 conhost.exe 28->42         started        44 conhost.exe 31->44         started        46 schtasks.exe 1 31->46         started        process10 signatures11 94 Antivirus detection for dropped file 35->94 96 Multi AV Scanner detection for dropped file 35->96 98 Writes to foreign memory regions 35->98 100 2 other signatures 35->100 48 conhost.exe 7 35->48         started        process12 file13 66 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 48->66 dropped 78 Writes to foreign memory regions 48->78 80 Modifies the context of a thread in another process (thread injection) 48->80 82 Sample is not signed and drops a device driver 48->82 84 Injects a PE file into a foreign processes 48->84 52 svchost.exe 48->52         started        56 cmd.exe 48->56         started        58 conhost.exe 48->58         started        signatures14 process15 dnsIp16 76 pool.minexmr.com 94.130.164.163, 443, 49783 HETZNER-ASDE Germany 52->76 102 Query firmware table information (likely to detect VMs) 52->102 104 Encrypted powershell cmdline option found 56->104 60 conhost.exe 56->60         started        62 powershell.exe 56->62         started        64 conhost.exe 2 58->64         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db4597572c03a863fdfb6bb3291ee732d6a3547014867f7497d3c6dd378df75c/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2022-04-16 18:39:12 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 42 (45.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3nczovzmaough7p3nozsshxhgllkgvdqcsdh65ex2pdn2n4n65oa._file
Verdict:
malicious
Similar samples:
06af78c89fc6b79696c14326d98a5d8ff14ae51b4303c308a77d980dbd731922
CoinMiner
0dee20eae747781c183499abc341feded87a5a6325f0a9b789067d1b6377ef89
CoinMiner
29c21dfbd286de4e1ef151053a40b5de880607c0edf38f5b77a5721b1342bb61
CoinMiner
2fa8fb2ee024e1a7c5a27fd07f4892b5e4c13c1d71624086ef3594a0644ceffb
CoinMiner
5abd0dd9cfbf6f323c0737b139b0daea3f568da4f95fe862b66b74ba3fc04ebe
CoinMiner
7387dda5e2f645e2bdb9c2b366b4917a52a0535800580deb50f28e6790418ec9
CoinMiner
a9eb984c9de2d2d061babaaec8c15a04895af2cc0653d044f7092ba73013da5b
CoinMiner
ac8bc27c6868bbb4b617b4280d8e400e6c9dda52c3ffda8a5603fe378374f69e
CoinMiner
c8b8445f2852e90f152f6f469e61af5562850ae1814d8b93f7d7f3df0cb0b114
CoinMiner
cd716a11679b98b42382e72283c0fa785d8a4b041bee8044a2c7dffae2142446
CoinMiner
+ 164 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/220416-xalpmsffen/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
db4597572c03a863fdfb6bb3291ee732d6a3547014867f7497d3c6dd378df75c
MD5 hash:
867c376db0a4baf3cfc2d49bb71a27f6
SHA1 hash:
0274f0646403847c3e98e836a791b278ee40d7ca
Link:
https://www.unpac.me/results/6bbd68d7-cf89-43db-a539-e39f6da049eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/db4597572c03a863fdfb6bb3291ee732d6a3547014867f7497d3c6dd378df75c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

08ab14b4880ff3d7926af95a2a150825e2673bcec69ae6a2e5071133634f46da

CoinMiner

Executable exe db4597572c03a863fdfb6bb3291ee732d6a3547014867f7497d3c6dd378df75c

(this sample)

  
Dropped by
SHA256 08ab14b4880ff3d7926af95a2a150825e2673bcec69ae6a2e5071133634f46da
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/264121/

Comments