MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee987d5d4e5f25b0f245376444d7e89d5ab5da49f26a80809271348623ea3536. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee987d5d4e5f25b0f245376444d7e89d5ab5da49f26a80809271348623ea3536
SHA3-384 hash: 4c2440ce350ba78e357183a9d57ad73f96a1fd59bccdcf462504b22361372665f77caa9538183e934ccb733a1550e9ba
SHA1 hash: 8ca9c328184904cbc98453760f1743f77c2f4569
MD5 hash: 39969aee3bfbf3ceb5ed329e7c1e86a6
humanhash: spring-alanine-two-nine
File name:crypt1.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'044'584 bytes
First seen:2022-06-01 07:17:37 UTC
Last seen:2022-06-01 07:41:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d41eb0ad57233e368d4f7c1c7ff2cb28 (1 x CoinMiner)
ssdeep 49152:JZGGDVSxv6rfk+JY6sO7LrgHL/I7YGpZjosGIDGkr285B/G6:XGGDExv6reXCsrI7PpRP+B0/
Threatray 548 similar samples on MalwareBazaar
TLSH T11595334236C24C3AF39369323854C083C93EF5458A939DBFA759117E1F317959A2CFAA
TrID 38.0% (.EXE) Win64 Executable (generic) (10523/12/4)
23.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
16.3% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter nyyuzyou
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
345
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
crypt1.exe
Verdict:
No threats detected
Analysis date:
2022-06-01 07:41:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5066229e-0a3c-4b19-97ff-9e956d6085b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/275931/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.32063.4156.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/84c5233b-d9e5-4d41-be5a-10a044eb92da
Result
Threat name:
BitCoin Miner, SilentXMRMiner, Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1004786
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 637281 Sample: crypt1.exe Startdate: 01/06/2022 Architecture: WINDOWS Score: 100 47 Antivirus detection for dropped file 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 9 crypt1.exe 3 2->9         started        12 updater.exe 2->12         started        process3 file4 45 C:\Users\Public\Videos\hahgdsd.exe, PE32+ 9->45 dropped 15 hahgdsd.exe 9->15         started        18 conhost.exe 9->18         started        57 Writes to foreign memory regions 12->57 59 Allocates memory in foreign processes 12->59 61 Creates a thread in another existing process (thread injection) 12->61 20 conhost.exe 5 12->20         started        signatures5 process6 signatures7 65 Antivirus detection for dropped file 15->65 67 Multi AV Scanner detection for dropped file 15->67 69 Writes to foreign memory regions 15->69 79 2 other signatures 15->79 22 conhost.exe 5 15->22         started        71 Obfuscated command line found 18->71 73 Creates files in the system32 config directory 20->73 75 Modifies the context of a thread in another process (thread injection) 20->75 77 Injects a PE file into a foreign processes 20->77 26 conhost.exe 20->26         started        process8 file9 43 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 22->43 dropped 55 Obfuscated command line found 22->55 28 cmd.exe 1 22->28         started        31 cmd.exe 1 22->31         started        33 conhost.exe 2 26->33         started        signatures10 process11 signatures12 63 Uses schtasks.exe or at.exe to add and modify task schedules 28->63 35 conhost.exe 28->35         started        37 schtasks.exe 1 28->37         started        39 conhost.exe 31->39         started        41 schtasks.exe 1 31->41         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee987d5d4e5f25b0f245376444d7e89d5ab5da49f26a80809271348623ea3536/
Threat name:
Win32.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2022-05-29 23:04:46 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=52mh2xkol4s3b4sfg5sejv7itvnllwsj6jvibaesoe2imi7kgu3a._file
Verdict:
malicious
Similar samples:
003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33
CoinMiner
219f75d798f48a66a7643cacca827cd6d9fbf72af8dfaa05b88cb0538a7864f7
CoinMiner
28432c6b761d9a0d6d3a80cbeda9b6f745cf55b5a2c234737afe493d1ff11158
CoinMiner
45a04b7f0b2daf0793cd2eb4d8664a7a824a8c353ffb57bb6d0ada7ce39b8910
CoinMiner
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
CoinMiner
c526976d9d9231c422d620c402a306f458b832f16d8cd68c87a12964104a9d24
CoinMiner
db4597572c03a863fdfb6bb3291ee732d6a3547014867f7497d3c6dd378df75c
CoinMiner
ee987d5d4e5f25b0f245376444d7e89d5ab5da49f26a80809271348623ea3536
CoinMiner
+ 538 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220601-h4y5hafca3/
Unpacked files
SH256 hash:
ee987d5d4e5f25b0f245376444d7e89d5ab5da49f26a80809271348623ea3536
MD5 hash:
39969aee3bfbf3ceb5ed329e7c1e86a6
SHA1 hash:
8ca9c328184904cbc98453760f1743f77c2f4569
Link:
https://www.unpac.me/results/cb2da11f-fc6d-4ee2-98a2-4a08265b185d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee987d5d4e5f25b0f245376444d7e89d5ab5da49f26a80809271348623ea3536

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/275931/

Comments