MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df2d4c6b0c6b9ac50f424b166e07fd984d559f773748ee89fe2f5dc7f6e57f70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df2d4c6b0c6b9ac50f424b166e07fd984d559f773748ee89fe2f5dc7f6e57f70
SHA3-384 hash: bcaf40fd80f70f15067c3cf7907d21a4df7e38fff35576ff460e4a476282cd735757dac3422796020ffe02afcf2f6443
SHA1 hash: fab8e9074f5d7590a3037c0bca8b0d8de15c4ef3
MD5 hash: 950e2358e73827f1479c442e71a308ac
humanhash: victor-burger-uranus-grey
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'395'200 bytes
First seen:2023-01-18 12:59:55 UTC
Last seen:2023-01-18 14:28:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 562e5647b1e855591c935ada41148514 (1 x CoinMiner)
ssdeep 24576:XNGgdOw2ej9/3FX7fqxFbpsYgBTLe3g1O5ffPvT7QiN9:XNGw28v5fqx0/51afY
TLSH T10B55024AA74918E2CC8A01B3335B75EEA7317DB93B950144379FB00C2B7335897769AE
File icon (PE):PE icon
dhash icon c000d4e8f0313000 (1 x CoinMiner)
Reporter jstrosch
Tags:CoinMiner exe X64

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-18 13:01:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/def2cf9d-a9b4-4838-96e8-d97720623919

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354159/
Detection(s):
SecuriteInfo.com.SpywareX-gen.11398.4077.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Launching a process
Creating a file
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
60%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63c7ed5986e9647bb4c9d258/reports/06f97ba6-62ad-411c-ac62-0d86d5867d96/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e680445f-5c8d-4490-8688-64e0bbef22c7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1153838
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sets debug register (to hijack the execution of another thread)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df2d4c6b0c6b9ac50f424b166e07fd984d559f773748ee89fe2f5dc7f6e57f70/
Threat name:
Win64.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2023-01-18 13:00:14 UTC
File Type:
PE+ (Exe)
Extracted files:
121
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=34wuy2ymnonmkd2cjmlg4b75tbgvlh3xg5eo5cp6f5o4p5xfp5ya._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230118-p8nmwshc66/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Unpacked files
SH256 hash:
df2d4c6b0c6b9ac50f424b166e07fd984d559f773748ee89fe2f5dc7f6e57f70
MD5 hash:
950e2358e73827f1479c442e71a308ac
SHA1 hash:
fab8e9074f5d7590a3037c0bca8b0d8de15c4ef3
Link:
https://www.unpac.me/results/10513199-52bc-40f3-ba8f-87d80f55fcf7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df2d4c6b0c6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/df2d4c6b0c6b9ac50f424b166e07fd984d559f773748ee89fe2f5dc7f6e57f70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:win_xfilesstealer_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xfilesstealer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe df2d4c6b0c6b9ac50f424b166e07fd984d559f773748ee89fe2f5dc7f6e57f70

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/354159/
  
URLhaus
https://urlhaus.abuse.ch/url/2511168/

Comments