MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3076b129ca1990de7b828fdb29711a778ae3f0b724edf5ef47a8b229fba0c9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 6


Intelligence 6 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3076b129ca1990de7b828fdb29711a778ae3f0b724edf5ef47a8b229fba0c9a
SHA3-384 hash: df1d95d8e269dc5b16f752ea52c8831dffe9e7b3ba2c60cca78ca2bf44713ec8a7702534a845791415a6f144bc6b5376
SHA1 hash: 9b5f3d7afed499b46ae3d900e2b22bc2e58c36f2
MD5 hash: ce9540183f7a8cbbe0da671a090488a1
humanhash: ceiling-bluebird-hotel-mountain
File name:ce9540183f7a8cbbe0da671a090488a1.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'486'666 bytes
First seen:2020-12-02 15:28:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 98304:IUCAdw+vWXqIuOFyknOtu5yzMyaOnpYI+r1XO:bw+vWruOFwSsaOpR
Threatray 918 similar samples on MalwareBazaar
TLSH 8B2633AB49D38CBAC4143830C57E9E86E856E4334A4F7FDED297E81D7D296C0A025C9D
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
615
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106428/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/553743
Signature
Allocates memory in foreign processes
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 325970 Sample: PF1ZSzutaM.exe Startdate: 02/12/2020 Architecture: WINDOWS Score: 96 51 54.229.13.0.in-addr.arpa 2->51 53 g.msn.com 2->53 61 Multi AV Scanner detection for dropped file 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 AutoIt script contains suspicious strings 2->65 67 2 other signatures 2->67 8 PF1ZSzutaM.exe 2 3 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 9 other processes 2->16 signatures3 process4 dnsIp5 43 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 8->43 dropped 45 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 8->45 dropped 73 Writes to foreign memory regions 8->73 75 Allocates memory in foreign processes 8->75 77 Drops PE files with benign system names 8->77 19 RegAsm.exe 15 4 8->19         started        79 Injects a PE file into a foreign processes 12->79 23 RegAsm.exe 2 12->23         started        25 RegAsm.exe 14->25         started        47 127.0.0.1 unknown unknown 16->47 49 192.168.2.1 unknown unknown 16->49 81 Changes security center settings (notifications, updates, antivirus, firewall) 16->81 27 RegAsm.exe 16->27         started        29 MpCmdRun.exe 16->29         started        31 WerFault.exe 16->31         started        33 2 other processes 16->33 file6 signatures7 process8 dnsIp9 55 checkip.dyndns.org 19->55 57 54.229.13.0.in-addr.arpa 19->57 59 4 other IPs or domains 19->59 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->69 71 Installs a global keyboard hook 19->71 35 WerFault.exe 23->35         started        37 WerFault.exe 25->37         started        39 WerFault.exe 27->39         started        41 conhost.exe 29->41         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3076b129ca1990de7b828fdb29711a778ae3f0b724edf5ef47a8b229fba0c9a/
Threat name:
Win32.Hacktool.AutoKMS
Create hunting rule
Status:
Malicious
First seen:
2020-12-02 12:17:47 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  1/5
Verdict:
unknown
Similar samples:
28102f94dd691b7e8f350f294bb627cc5620188b9b8f3fb5fba6e822924105fe
CoinMiner
2ef4e1dddd31d73ccff96b2611380c25148db5aab6f23f7a631079c6ad4a0769
CoinMiner
62e9a9522a98f1a4ad322c5ef52fa3187a1204df9455d57766e4b221dc56fd35
CoinMiner
b1cd81ef90363936ef04a6d5cabb539bbc4a89a25b6baf6777e1a3e373455f40
CoinMiner
ca0ffb047bb011ae244daae2f9eb29e4e2db3d77817c5eea1636ce57b6c041cb
CoinMiner
d99b374a5972bbdeb57de9c8a41cc6b8c3f8928916151a40257967baa855917b
CoinMiner
ee21511b610cd2a154c85c04c0e3d88f82b0ee835afd51247a1a7e97900cd733
CoinMiner
eee4d211bbffe896f0de21854cb5adac6e10c85016986efd260b45c7022d7521
CoinMiner
fd6545dad035b74dea3eb7a3d62a3270331db331479a8194e32333abbec20da6
CoinMiner
fe4ac58f37f9a49960cdd331a74ceabc5a504e6e87669d668b20d14ffae27ce9
CoinMiner
+ 908 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/201202-xxkj6nzxd6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Unpacked files
SH256 hash:
f3076b129ca1990de7b828fdb29711a778ae3f0b724edf5ef47a8b229fba0c9a
MD5 hash:
ce9540183f7a8cbbe0da671a090488a1
SHA1 hash:
9b5f3d7afed499b46ae3d900e2b22bc2e58c36f2
Link:
https://www.unpac.me/results/669ef98b-8227-4ac9-a85b-9bd353fc707d/
SH256 hash:
0d4e2683ed6959b56d9e443db4279ae6c01588be42a7bb8f400a186b8e96f91c
MD5 hash:
89e1bdb4ba0ad05e02332635ec59e58b
SHA1 hash:
1d518f6209ba9e993c59d3480052b0b6934718c9
Link:
https://www.unpac.me/results/669ef98b-8227-4ac9-a85b-9bd353fc707d/
SH256 hash:
31abbfcaea7cd9070e4bcbb0d3b303df32e4c31a3ff803666b128a9ba5e56b7e
MD5 hash:
8e86f562c6764881c781562bbcc6192b
SHA1 hash:
f8b39e637f94a1a114a768c5cc2a0914b767d013
Link:
https://www.unpac.me/results/669ef98b-8227-4ac9-a85b-9bd353fc707d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AutoKMS
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/f3076b129ca1990de7b828fdb29711a778ae3f0b724edf5ef47a8b229fba0c9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:ccrewQAZ
Create hunting rule
Author:AlienVault Labs
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe f3076b129ca1990de7b828fdb29711a778ae3f0b724edf5ef47a8b229fba0c9a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/877161/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/878363/
  
URLhaus
https://urlhaus.abuse.ch/url/878191/
Cape
Cape
https://www.capesandbox.com/analysis/106428/
  
URLhaus
https://urlhaus.abuse.ch/url/878155/

Comments