MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc0baa5222e0650bad953be552414a9b12d58573e2f8d3e84142233f35456d1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc0baa5222e0650bad953be552414a9b12d58573e2f8d3e84142233f35456d1d
SHA3-384 hash: 5b6c4e3277633e43a19a8a2b49f81a1257097dcf955c535e84ebcfca7b819d3744241c512d18015b7b6bc71c40a1fe4c
SHA1 hash: decf63b2afa782bdf825b772f86c562c4e780e06
MD5 hash: bfce9bcbe4daf88e777f092b8a2fdf93
humanhash: march-ceiling-bacon-carbon
File name:bfce9bcbe4daf88e777f092b8a2fdf93
Download: download sample
Signature CoinMiner
Create hunting rule
File size:291'328 bytes
First seen:2021-10-11 10:49:19 UTC
Last seen:2021-10-11 13:57:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:TeGE92X6Blb05upvyLfrfiXTkUioCMTWB6bRZQnjt7U:T62X6BlPvaD+CBMf
Threatray 91 similar samples on MalwareBazaar
TLSH T18F543A1135E9669AF33B4FB5D7C5A06DC771A0635A0EF749385283E68A023C0CE92B77
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bfce9bcbe4daf88e777f092b8a2fdf93
Verdict:
No threats detected
Analysis date:
2021-10-11 10:55:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/22b0158a-ce66-4fde-b1b7-9a3bc4469169

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196582/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop18.43276.14651.31314.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending a custom TCP request
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Running batch commands
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated virus wacatac
Link:
https://www.filescan.io/uploads/616416dcfd35fe780c37cd64/reports/5a0a8916-5488-42a6-9890-e62d626720bc/overview
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867977
Signature
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
DNS related to crypt mining pools
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 500408 Sample: A9F6W7cHfI Startdate: 12/10/2021 Architecture: WINDOWS Score: 100 33 xmr-eu1.nanopool.org 2->33 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected Xmrig cryptocurrency miner 2->43 45 Machine Learning detection for sample 2->45 47 6 other signatures 2->47 8 A9F6W7cHfI.exe 14 11 2->8         started        13 AudioDriveSTRAPI.exe 1 2->13         started        signatures3 process4 dnsIp5 39 api.telegram.org 149.154.167.220, 443, 49745 TELEGRAMRU United Kingdom 8->39 31 C:\Users\user\...\AudioDriveSTRAPI.exe, PE32+ 8->31 dropped 49 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->49 51 Changes the view of files in windows explorer (hidden files and folders) 8->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 8->53 55 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 8->55 15 cmd.exe 1 8->15         started        17 schtasks.exe 1 8->17         started        file6 signatures7 process8 process9 19 AudioDriveSTRAPI.exe 14 5 15->19         started        23 conhost.exe 15->23         started        25 timeout.exe 1 15->25         started        27 conhost.exe 17->27         started        dnsIp10 35 github.com 140.82.121.3, 443, 49762 GITHUBUS United States 19->35 37 raw.githubusercontent.com 185.199.108.133, 443, 49763 FASTLYUS Netherlands 19->37 29 C:\Users\user\...\soundapiflow.exe.tmp, PE32+ 19->29 dropped file11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc0baa5222e0650bad953be552414a9b12d58573e2f8d3e84142233f35456d1d/
Threat name:
ByteCode-MSIL.Spyware.Bobik
Create hunting rule
Status:
Malicious
First seen:
2021-10-09 21:35:35 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  2/5
Verdict:
unknown
Similar samples:
0b2c3a6f79db7046057e5a4114008001a9d64298b389d76a2a60ec9cec2757ac
CoinMiner
1d136937763204fc0a997d98108af4c145a91f481cfc87bea6bd940341e47417
CoinMiner
309e1c2273438c39e256372e5fbaec1e790767d7c966fc323fac368d34acf7a8
CoinMiner
3729cc0e9183d4e4e6e7c9b82311538cc4357e35f817c32791131cc62a32ae1a
CoinMiner
7578b1f217fca3612bbabadca671494f35cbada8d58fc11c68092477c99ec084
CoinMiner
8486a418f9f04f24f3792559221ef2f13b613f9a6fab066a264211e52638fad7
CoinMiner
db2e0387321f6901c75228564c23c7d55a4d05e5b9bbe54a7f11a85b3d187dab
CoinMiner
e10e6de81f3af56db427e5c916171887171686ec46812dbebecee354f6c2a0cd
CoinMiner
e2a3d9b8067133ddbcaedfc53e6f730cdb1df00db8d3255e98e63b6d49b67e24
CoinMiner
f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1
CoinMiner
+ 81 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211011-mw9ngsghfq/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
dc0baa5222e0650bad953be552414a9b12d58573e2f8d3e84142233f35456d1d
MD5 hash:
bfce9bcbe4daf88e777f092b8a2fdf93
SHA1 hash:
decf63b2afa782bdf825b772f86c562c4e780e06
Link:
https://www.unpac.me/results/716986e4-3350-4290-80a9-6aa3d19007dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
Link:
https://yomi.yoroi.company/submissions/dc0baa5222e0650bad953be552414a9b12d58573e2f8d3e84142233f35456d1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe dc0baa5222e0650bad953be552414a9b12d58573e2f8d3e84142233f35456d1d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196582/
  
URLhaus
https://urlhaus.abuse.ch/url/1666520/

Comments


Avatar
zbet commented on 2021-10-11 10:49:20 UTC

url : hxxp://sherence.ru/testversionXMRIG.exe