MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7d6efa5783c7c9a417518ee96f0ddbb919ab711669cbf68ef6caa27dac966d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 8

SHA256 hash: e7d6efa5783c7c9a417518ee96f0ddbb919ab711669cbf68ef6caa27dac966d5
SHA3-384 hash: f50c1e73195198134093165116801fc983165db555f6c34a946d15135aaf2b9d003fb596752f76a4873e10eabe40b3fd
SHA1 hash: 24ad2e0e8382f338c4557715e3a943a9c991abe2
MD5 hash: 37e37ea3df51cfb8c55f52f30f09220f
humanhash: tango-seven-magnesium-pennsylvania
File name: godeth.exe
Signature: CoinMiner
File size: 1'741'824 bytes
First seen: 2021-05-06 04:38:56 UTC
Last seen: 2021-05-06 05:58:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 49152:QgD/hObpS70JYx1g9igGNaCm1OR3o4NCVrlyWDULkp:/hKKzbKC1o42BDULI
Threatray: 15 similar samples on MalwareBazaar
TLSH: 988523067B814292C19D4D70D0F71AA403F7E7C766B7E3497E9892921E463C6EC9B38E
Reporter: starsSk87264403
Tags: CoinMiner

Intelligence


File Origin
# of uploads: 2
# of downloads: 296
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Sending a UDP request
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 405455; sample godeth.exe; start date 06/05/2021; architecture WINDOWS; score 100): the graph image is not reproduced here. Nodes recoverable from the graph text: godeth.exe starts svchost.exe, sihost32.exe and cmd.exe; cmd.exe starts conhost.exe and schtasks.exe; dropped files C:\Users\user\AppData\Local\...\svchost.exe (PE32+), C:\Users\user\AppData\...\godeth.exe.log (ASCII) and C:\Users\user\AppData\...\sihost32.exe (PE32+); network node 192.168.2.1 (unknown). The signature annotations on the graph repeat the signature list above.
Threat name: ByteCode-MSIL.Trojan.Phonzy
Status: Malicious
First seen: 2021-05-04 15:02:10 UTC
AV detection: 20 of 47 (42.55%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: e7d6efa5783c7c9a417518ee96f0ddbb919ab711669cbf68ef6caa27dac966d5
MD5 hash: 37e37ea3df51cfb8c55f52f30f09220f
SHA1 hash: 24ad2e0e8382f338c4557715e3a943a9c991abe2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256 hash: e7d6efa5783c7c9a417518ee96f0ddbb919ab711669cbf68ef6caa27dac966d5 (this sample)

Delivery method
Distributed via web download

Comments