MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 def3f8797891579623385136838b1526096afc2bf01f9a08e27aa2073b6d7539. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 6


Intelligence 6 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: def3f8797891579623385136838b1526096afc2bf01f9a08e27aa2073b6d7539
SHA3-384 hash: 4266b684e9570f9a055b6d349a2207c098632f7d91a6244b5e88d0e3f496dd1e3bfb16d988068496937879cf3024bc47
SHA1 hash: 50e5d50b997bacc6284e79da6cd852b151a86138
MD5 hash: 22a0d63cf7eb1d4436b29f4949d9c79a
humanhash: mars-five-sixteen-coffee
File name:22a0d63cf7eb1d4436b29f4949d9c79a.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'915'658 bytes
First seen:2020-12-02 15:26:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 98304:IU3HrYrjGx5n1cYdpXaCTWNIfGo0Yb6GR2k5n9I9kLfvINjIOB8EHlP5vYQbGet5:bYaxd1cYddaOW6urmxr5akLHMjPvJGe/
Threatray 918 similar samples on MalwareBazaar
TLSH 0B5633C0D1C16D3BD0E02D3DE9EA9878E582B9B35A142BDBD433D033B275DB2790965A
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
597
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106427/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/553741
Signature
Allocates memory in foreign processes
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 325969 Sample: S765v7j4JR.exe Startdate: 02/12/2020 Architecture: WINDOWS Score: 88 56 Multi AV Scanner detection for dropped file 2->56 58 AutoIt script contains suspicious strings 2->58 60 May check the online IP address of the machine 2->60 62 Binary is likely a compiled AutoIt script file 2->62 7 S765v7j4JR.exe 2 3 2->7         started        11 svchost.exe 2->11         started        13 svchost.exe 2->13         started        15 10 other processes 2->15 process3 dnsIp4 42 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 7->42 dropped 44 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 7->44 dropped 68 Binary is likely a compiled AutoIt script file 7->68 70 Writes to foreign memory regions 7->70 72 Allocates memory in foreign processes 7->72 74 Drops PE files with benign system names 7->74 18 RegAsm.exe 15 4 7->18         started        76 Injects a PE file into a foreign processes 11->76 22 RegAsm.exe 2 11->22         started        24 RegAsm.exe 13->24         started        52 127.0.0.1 unknown unknown 15->52 54 192.168.2.1 unknown unknown 15->54 78 Changes security center settings (notifications, updates, antivirus, firewall) 15->78 26 RegAsm.exe 15->26         started        28 MpCmdRun.exe 15->28         started        30 WerFault.exe 15->30         started        32 2 other processes 15->32 file5 signatures6 process7 dnsIp8 46 checkip.dyndns.org 18->46 48 82.148.8.0.in-addr.arpa 18->48 50 4 other IPs or domains 18->50 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->64 66 Installs a global keyboard hook 18->66 34 WerFault.exe 22->34         started        36 WerFault.exe 24->36         started        38 WerFault.exe 26->38         started        40 conhost.exe 28->40         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/def3f8797891579623385136838b1526096afc2bf01f9a08e27aa2073b6d7539/
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2020-12-02 15:27:05 UTC
AV detection:
29 of 48 (60.42%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
28102f94dd691b7e8f350f294bb627cc5620188b9b8f3fb5fba6e822924105fe
CoinMiner
2ef4e1dddd31d73ccff96b2611380c25148db5aab6f23f7a631079c6ad4a0769
CoinMiner
62e9a9522a98f1a4ad322c5ef52fa3187a1204df9455d57766e4b221dc56fd35
CoinMiner
b1cd81ef90363936ef04a6d5cabb539bbc4a89a25b6baf6777e1a3e373455f40
CoinMiner
ca0ffb047bb011ae244daae2f9eb29e4e2db3d77817c5eea1636ce57b6c041cb
CoinMiner
d99b374a5972bbdeb57de9c8a41cc6b8c3f8928916151a40257967baa855917b
CoinMiner
ee21511b610cd2a154c85c04c0e3d88f82b0ee835afd51247a1a7e97900cd733
CoinMiner
eee4d211bbffe896f0de21854cb5adac6e10c85016986efd260b45c7022d7521
CoinMiner
f3076b129ca1990de7b828fdb29711a778ae3f0b724edf5ef47a8b229fba0c9a
CoinMiner
fd6545dad035b74dea3eb7a3d62a3270331db331479a8194e32333abbec20da6
CoinMiner
+ 908 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/201202-chllwvvzjj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Unpacked files
SH256 hash:
def3f8797891579623385136838b1526096afc2bf01f9a08e27aa2073b6d7539
MD5 hash:
22a0d63cf7eb1d4436b29f4949d9c79a
SHA1 hash:
50e5d50b997bacc6284e79da6cd852b151a86138
Link:
https://www.unpac.me/results/116b0f17-9f97-4b6f-b113-df67fff88aa2/
SH256 hash:
e1998c9403473d318a235fa170e859821376b095d9e4cf2642c07a093fa91fce
MD5 hash:
930784eb6b61cd270f48b5f97396613a
SHA1 hash:
8b77fe810f7426b5d6cc88de15acbda05c1eaf81
Link:
https://www.unpac.me/results/116b0f17-9f97-4b6f-b113-df67fff88aa2/
SH256 hash:
26826a245738c1d2de73ed8a17374f0baf08230877fe9857ec412a3160edc140
MD5 hash:
f7367298e53a8a43e325caac9854e826
SHA1 hash:
ddbe34c63d5ee576987f41dd7a1cc17fa6153929
Link:
https://www.unpac.me/results/116b0f17-9f97-4b6f-b113-df67fff88aa2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/def3f8797891579623385136838b1526096afc2bf01f9a08e27aa2073b6d7539

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:ccrewQAZ
Create hunting rule
Author:AlienVault Labs
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe def3f8797891579623385136838b1526096afc2bf01f9a08e27aa2073b6d7539

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/878315/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106427/

Comments