MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef3e8b5d5f06f7303cd60e8e7cf970c70bb5939f59d56a2a39ca6a87f1ca507f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef3e8b5d5f06f7303cd60e8e7cf970c70bb5939f59d56a2a39ca6a87f1ca507f
SHA3-384 hash: 42fc992d86ad7e0124c45cc3f8aca64b0aefb1b06718baf58e9e69f4073af54c3f373ba851a9a8df15b5c6cd96ee30c4
SHA1 hash: b2386f0e5a2f319d1e1dd9e97b7ef13b367647c2
MD5 hash: 313f7fe785bd1fddd1fba66d5959a5d4
humanhash: network-hamper-low-artist
File name:SecuriteInfo.com.Trojan.InjectNET.14.28887.19992
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'043'392 bytes
First seen:2022-02-11 16:56:23 UTC
Last seen:2022-02-11 19:10:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:LvjGKN4///cnd8bVuSyWV2hrSamzBOj2UjVqUV/6:jnIgUVuTWVX/VOjFVqAi
Threatray 1'337 similar samples on MalwareBazaar
TLSH T1519533B356729347F29EB3F73DF4905CE1324C812221619B84DA46EC234B8585BEA79F
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
291
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cleaner.exe
Verdict:
No threats detected
Analysis date:
2022-01-07 12:23:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8a041b9a-4466-4a27-add7-31ab11a822f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/240947/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.28887.19992.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62069566289e2f3e4fc3ffb8/reports/81c6f660-7e1e-4fef-bd28-092323c243db/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35c8e74c-c2a1-4bc0-b223-715f9f40e15e
Result
Threat name:
BitCoin Miner SilentXMRMiner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/938484
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 570962 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 11/02/2022 Architecture: WINDOWS Score: 100 79 Antivirus / Scanner detection for submitted sample 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 Yara detected SilentXMRMiner 2->83 85 2 other signatures 2->85 11 SecuriteInfo.com.Trojan.InjectNET.14.28887.exe 2->11         started        14 networker.exe 2->14         started        process3 signatures4 119 Writes to foreign memory regions 11->119 121 Allocates memory in foreign processes 11->121 123 Creates a thread in another existing process (thread injection) 11->123 16 conhost.exe 5 11->16         started        125 Antivirus detection for dropped file 14->125 127 Multi AV Scanner detection for dropped file 14->127 20 conhost.exe 3 14->20         started        process5 file6 71 C:\Windows\System32\networker.exe, PE32+ 16->71 dropped 73 C:\Windows\...\networker.exe:Zone.Identifier, ASCII 16->73 dropped 77 Adds a directory exclusion to Windows Defender 16->77 22 cmd.exe 1 16->22         started        25 cmd.exe 1 16->25         started        27 cmd.exe 1 16->27         started        29 sihost32.exe 20->29         started        31 cmd.exe 20->31         started        33 cmd.exe 20->33         started        signatures7 process8 signatures9 93 Drops executables to the windows directory (C:\Windows) and starts them 22->93 35 networker.exe 22->35         started        38 conhost.exe 22->38         started        95 Uses schtasks.exe or at.exe to add and modify task schedules 25->95 97 Adds a directory exclusion to Windows Defender 25->97 40 powershell.exe 22 25->40         started        42 powershell.exe 22 25->42         started        44 conhost.exe 25->44         started        48 2 other processes 27->48 99 Writes to foreign memory regions 29->99 101 Allocates memory in foreign processes 29->101 103 Creates a thread in another existing process (thread injection) 29->103 46 conhost.exe 29->46         started        50 3 other processes 31->50 52 2 other processes 33->52 process10 signatures11 87 Writes to foreign memory regions 35->87 89 Allocates memory in foreign processes 35->89 91 Creates a thread in another existing process (thread injection) 35->91 54 conhost.exe 5 35->54         started        process12 file13 75 C:\Windows\System32\...\sihost32.exe, PE32+ 54->75 dropped 105 Drops executables to the windows directory (C:\Windows) and starts them 54->105 107 Adds a directory exclusion to Windows Defender 54->107 58 sihost32.exe 54->58         started        61 cmd.exe 54->61         started        signatures14 process15 signatures16 109 Antivirus detection for dropped file 58->109 111 Multi AV Scanner detection for dropped file 58->111 113 Writes to foreign memory regions 58->113 117 2 other signatures 58->117 63 conhost.exe 58->63         started        115 Adds a directory exclusion to Windows Defender 61->115 65 powershell.exe 18 61->65         started        67 conhost.exe 61->67         started        69 powershell.exe 61->69         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef3e8b5d5f06f7303cd60e8e7cf970c70bb5939f59d56a2a39ca6a87f1ca507f/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-11-17 14:35:53 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
30 of 43 (69.77%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
06af78c89fc6b79696c14326d98a5d8ff14ae51b4303c308a77d980dbd731922
CoinMiner
0dee20eae747781c183499abc341feded87a5a6325f0a9b789067d1b6377ef89
CoinMiner
18205615390b3e8e007e8c0d7016978c268697f39ad0f7f2f441fedaf1c01237
CoinMiner
1f3246dd99e2f38b68b94c56fc44ac8994eb924e8526d395dcdfb7a9fd34da91
CoinMiner
3a40d13ba6b30c31d8d5380b61806ec76355f4c10a3c242eff71ddc020907be7
CoinMiner
596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199
CoinMiner
7387dda5e2f645e2bdb9c2b366b4917a52a0535800580deb50f28e6790418ec9
CoinMiner
914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
CoinMiner
+ 1'327 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220211-vf983schg6/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
ef3e8b5d5f06f7303cd60e8e7cf970c70bb5939f59d56a2a39ca6a87f1ca507f
MD5 hash:
313f7fe785bd1fddd1fba66d5959a5d4
SHA1 hash:
b2386f0e5a2f319d1e1dd9e97b7ef13b367647c2
Link:
https://www.unpac.me/results/289c7980-4e30-4988-b6f0-6718687b32d5/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe ef3e8b5d5f06f7303cd60e8e7cf970c70bb5939f59d56a2a39ca6a87f1ca507f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2040580/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/240947/

Comments