MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc0ea72a8f4a4006bd93dd68cec4eaecf1ab781a068a26e5922ba0b6eed61e75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 8



SHA256 hash: dc0ea72a8f4a4006bd93dd68cec4eaecf1ab781a068a26e5922ba0b6eed61e75
SHA3-384 hash: 51992b011aae7852efec8c3f5440fc268cb6d18f49880277d966d06886db7799f32a359190f400b81f65fcf3319e175a
SHA1 hash: 411fa8c75170a9a326929ae4b680a7ddea060fe8
MD5 hash: 4aacf3008e67ba581bb82aff8f572442
humanhash: tennis-nebraska-lemon-yankee
File name: 4aacf3008e67ba581bb82aff8f572442.exe
Signature: CoinMiner
File size: 39'936 bytes
First seen: 2021-11-11 16:22:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 768:xKPo36q92dtcbxvEYY9gmTDWZO1IW4qG8u9rVV8zM4q4rF9GaZK:xKPe6OscbxsYa9Ss21qGDrcK4rF9GkK
Threatray: 125 similar samples on MalwareBazaar
TLSH: T10403F15207EC8927FAC5CFF58877F3D61A78FB901602995C24C4015D46A2BC4CA72DF5
Reporter: abuse_ch
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: BitCoin Miner
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph: rendered graph not reproduced; the details recoverable from it are listed below.
Sandbox run: sample executed as yDxpZa2fQU.exe, start date 11/11/2021, architecture WINDOWS, score 100, Behavior Graph ID 520058.
Process tree: yDxpZa2fQU.exe starts sihost32.exe, services32.exe and two cmd.exe instances; services32.exe (also started on its own) starts two further cmd.exe instances; the cmd.exe instances in turn start powershell.exe, conhost.exe and schtasks.exe, plus several other processes.
Dropped files: C:\Windows\System32\services32.exe (PE32+); C:\Windows\System32\...\sihost32.exe (PE32+); C:\Windows\...\services32.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\yDxpZa2fQU.exe.log (ASCII).
Network activity (from services32.exe): sanctam.net; github.com 140.82.121.3:443 (GITHUBUS, United States); 140.82.121.4:443 (GITHUBUS, United States); raw.githubusercontent.com 185.199.110.133:443 (FASTLYUS, Netherlands); 3 other IPs or domains.
Signatures attached to the tree: Drops executables to the windows directory (C:\Windows) and starts them (yDxpZa2fQU.exe); Adds a directory exclusion to Windows Defender (yDxpZa2fQU.exe, services32.exe, sihost32.exe via cmd.exe and powershell.exe); Uses schtasks.exe or at.exe to add and modify task schedules (cmd.exe and schtasks.exe); Antivirus, Multi AV Scanner and Machine Learning detection for the dropped files (services32.exe, sihost32.exe); Multi AV Scanner detection for domain / URL.
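The sandbox signatures above (Defender exclusion added from PowerShell, schtasks.exe persistence, a dropped binary started out of C:\Windows\System32, a script run from the Temp folder) are all visible in process-creation telemetry. The following is an added example, not MalwareBazaar or sandbox code, of the detection logic run over Sysmon Event ID 1-style records. The event records, the KNOWN_SYSTEM_BINARIES allowlist and the rule thresholds are constructed for illustration and modelled on the process tree reported for this sample.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


# Constructed Sysmon Event ID 1-style records modelled on the process tree in
# the sandbox report; illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\AppData\Local\Temp\yDxpZa2fQU.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\yDxpZa2fQU.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32" -ExclusionProcess services32.exe'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\System32\services32.exe"'},
    {"Image": r"C:\Windows\System32\services32.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\yDxpZa2fQU.exe",
     "CommandLine": r"C:\Windows\System32\services32.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\yDxpZa2fQU.exe",
     "CommandLine": r'cmd /c "C:\Users\user\AppData\Local\Temp\tmpA1B2.bat"'},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Illustrative subset of binaries expected under C:\Windows. A real hunt would
# compare against a golden-image file catalog rather than a hand-written list.
KNOWN_SYSTEM_BINARIES = {"cmd.exe", "powershell.exe", "conhost.exe", "schtasks.exe", "at.exe",
                         "svchost.exe", "services.exe", "sihost.exe", "explorer.exe", "reg.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev) -> bool:
    # Sigma "Powershell Defender Exclusion": Add-/Set-MpPreference with an -Exclusion* switch.
    cl = ev["CommandLine"]
    return (basename(ev["Image"]) in {"powershell.exe", "pwsh.exe"}
            and re.search(r"\b(Add|Set)-MpPreference\b", cl, re.I) is not None
            and re.search(r"-Exclusion(Path|Process|Extension)\b", cl, re.I) is not None)


def rule_schtasks_persistence(ev) -> bool:
    # schtasks.exe creating or changing a task, or any use of the legacy at.exe.
    name = basename(ev["Image"])
    if name == "schtasks.exe":
        return re.search(r"/(create|change)\b", ev["CommandLine"], re.I) is not None
    return name == "at.exe"


def rule_run_from_windows_dir(ev) -> bool:
    # Approximation of "drops executables to C:\Windows and starts them": a process
    # living in a user-writable path launches a binary under C:\Windows that is not
    # on the known-good list. Correlating with Sysmon Event ID 11 (FileCreate)
    # would confirm the drop itself.
    img = ev["Image"].lower()
    return (img.startswith("c:\\windows\\")
            and basename(img) not in KNOWN_SYSTEM_BINARIES
            and USER_WRITABLE.search(ev["ParentImage"]) is not None)


def rule_script_from_temp(ev) -> bool:
    # Sigma "Suspicious Script Execution From Temp Folder".
    return (basename(ev["Image"]) in SCRIPT_HOSTS
            and re.search(r'\\Temp\\[^"\s]+\.(bat|cmd|ps1|vbs|js)\b', ev["CommandLine"], re.I) is not None)


RULES = [rule_defender_exclusion, rule_schtasks_persistence, rule_run_from_windows_dir, rule_script_from_temp]


def detect(events) -> list:
    """Run every rule over every event; one Finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                findings.append(Finding(rule.__name__[len("rule_"):], ev["Image"], ev["CommandLine"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.image}")
```

The benign svchost.exe record is included so the rules can be checked for a false positive: a child under C:\Windows only fires when its parent runs from a user-writable path and its name is not in the catalog, which is exactly the services32.exe case the sandbox reported.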
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-21 01:47:00 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: dc0ea72a8f4a4006bd93dd68cec4eaecf1ab781a068a26e5922ba0b6eed61e75
MD5 hash: 4aacf3008e67ba581bb82aff8f572442
SHA1 hash: 411fa8c75170a9a326929ae4b680a7ddea060fe8
Please note that we are no longer able to provide a coverage score for VirusTotal.
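The hashes on this entry and the dropped-file names from the sandbox report (services32.exe and sihost32.exe in C:\Windows\System32) are the indicators a responder would sweep a host for. The following is an added example, not MalwareBazaar code, of that triage: it hashes candidate files, matches them against the listed hashes, and flags the dropped names, including the masquerade pattern of a legitimate Windows binary name (services.exe, sihost.exe) with "32" appended. The file entries are constructed in-memory (path, bytes) pairs so the example runs offline, and LEGIT_SYSTEM_NAMES is an illustrative subset; in practice the bytes would be read from disk.

```python
import hashlib
import re

# Hashes listed on this MalwareBazaar entry.
SAMPLE_IOCS = {
    "sha256": {"dc0ea72a8f4a4006bd93dd68cec4eaecf1ab781a068a26e5922ba0b6eed61e75"},
    "sha1": {"411fa8c75170a9a326929ae4b680a7ddea060fe8"},
    "md5": {"4aacf3008e67ba581bb82aff8f572442"},
}
# Names the sandbox saw dropped into C:\Windows\System32. Windows ships
# services.exe and sihost.exe; services32.exe and sihost32.exe are not OS files.
DROPPED_NAMES = {"services32.exe", "sihost32.exe"}
LEGIT_SYSTEM_NAMES = {"services.exe", "sihost.exe"}  # illustrative subset


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 hex digests of a file's contents."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def masquerade_of(filename: str):
    """Return the legitimate name this file imitates (digits inserted before .exe), or None."""
    name = filename.lower()
    stripped = re.sub(r"\d+(?=\.exe$)", "", name)
    return stripped if stripped != name and stripped in LEGIT_SYSTEM_NAMES else None


def triage(entries, iocs=SAMPLE_IOCS) -> list:
    """entries: iterable of (path, file_bytes). Returns one finding per suspicious file."""
    findings = []
    for path, data in entries:
        hashes = hash_bytes(data)
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        for algo, known in iocs.items():
            if hashes[algo] in known:
                reasons.append(f"{algo} matches the MalwareBazaar sample")
        if name in DROPPED_NAMES:
            reasons.append("filename matches a dropped artifact")
        legit = masquerade_of(name)
        if legit:
            reasons.append(f"name masquerades as {legit}")
        if reasons:
            findings.append({"path": path, "hashes": hashes, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Constructed in-memory entries; the byte strings are placeholders, not PE files.
    demo = [(r"C:\Windows\System32\services32.exe", b"MZ\x90\x00 placeholder"),
            (r"C:\Windows\System32\services.exe", b"MZ\x90\x00 placeholder")]
    for f in triage(demo):
        print(f["path"], f["reasons"])
```

A hash match identifies this exact build only; the name and masquerade checks are what catch a recompiled variant that keeps the same drop locations, and a hit on either still needs the file examined before it is treated as confirmed.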

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments