MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3622af9e9478d97008e6a7d3f97449148f2cc6fc03420d47020f7b33dbd47cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 11



SHA256 hash: f3622af9e9478d97008e6a7d3f97449148f2cc6fc03420d47020f7b33dbd47cb
SHA3-384 hash: 227fb89a41683131ef379ce531871b2f094e7eaec8defc5657772a2d9c5c99c373bf6e921d19b291b70ffab417947f3d
SHA1 hash: 6ff171a9f8cc9a192a14b8313814854fbdf2f5ff
MD5 hash: c44f4a2ee25a20ae573838ac013b6de2
humanhash: winner-two-bluebird-blue
File name: c44f4a2ee25a20ae573838ac013b6de2.exe
Download: download sample
Signature: CoinMiner
File size: 357'376 bytes
First seen: 2022-01-13 12:55:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 6144:j5aWbksiNTBc5CkQCICKw106JKPvQeSEl63nNnf7QYZXd3LSn81fvbAzK1:j5atNTuAjCm174eSEl6tkYZJGkT
Threatray: 85 similar samples on MalwareBazaar
TLSH: T1CA740145A2D642F7F6E1053101E6756FD739B2398330E8DBC35C2D429A42AD6A63E3EC
Reporter: abuse_ch
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 260
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: c44f4a2ee25a20ae573838ac013b6de2.exe
Verdict: Malicious activity
Analysis date: 2022-01-13 12:59:10 UTC
Tags: evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Moving a file to the %AppData% subdirectory
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Searching for analyzing tools
Creating a file in the %AppData% subdirectories
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching a process
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
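The behaviours listed above (a Run-key autorun entry, files created under %AppData% and %temp%, batch commands, and a process launched from a recently created file) are the kind of event sequence a host-based detection can key on. The Python below is an added example written for this page, not code from MalwareBazaar or from any of the sandbox vendors quoted here. It runs four checks over constructed Sysmon-style events whose paths mirror the shape reported for this sample; the directory names (tmp1, Drv), the SID, the timestamps and the benign "Vendor" installer are invented placeholders, and the checks are deliberately scoped to user-writable locations so that ordinary software registering itself from Program Files does not fire them.

```python
"""Host-side triage of constructed Sysmon-style events for the staging and
persistence behaviours listed above.  Added example for this page; the event
records are constructed, not taken from the sandbox run."""
import re

# Constructed events modelled on Sysmon event IDs 11 (FileCreate),
# 13 (RegistryValueSet) and 1 (ProcessCreate).  "ts" is an arbitrary
# integer timestamp in seconds; directory names such as tmp1 and Drv are
# placeholders for the path components the report elides with "...".
EVENTS = [
    {"id": 11, "ts": 10, "image": r"C:\Users\user\Downloads\4nmeEJrZJ9.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\tmp1\37E6.bat"},
    {"id": 11, "ts": 11, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\tmp1\123.vbs"},
    {"id": 1, "ts": 12, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\tmp1\123.vbs"'},
    {"id": 11, "ts": 13, "image": r"C:\Users\user\AppData\Local\Temp\tmp1\setup_s.exe",
     "target": r"C:\Users\user\AppData\Roaming\Drv\Driver.exe"},
    {"id": 13, "ts": 14, "image": r"C:\Users\user\AppData\Local\Temp\tmp1\setup_s.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Driver",
     "details": r"C:\Users\user\AppData\Roaming\Drv\Driver.exe"},
    {"id": 1, "ts": 15, "image": r"C:\Users\user\AppData\Roaming\Drv\Driver.exe",
     "cmdline": r"Driver.exe"},
    # Benign noise: an installer under Program Files registering its own Run value.
    {"id": 13, "ts": 16, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
]

# Locations an unprivileged user can write to; a Run value pointing here is
# far more suspicious than one pointing into Program Files or System32.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\Users\\Public\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|bat|cmd|ps1)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events, drop_window=60):
    """Return (rule, ts, detail) tuples for every event that trips a check.

    drop_window: how many seconds after a FileCreate a ProcessCreate of the
    same path still counts as "executes a recently dropped file".
    """
    alerts = []
    recent_drops = {}  # lower-cased path -> ts of the FileCreate
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 11:  # FileCreate
            recent_drops[ev["target"].lower()] = ev["ts"]
            # "Command shell drops VBS files": cmd.exe writing a script file
            if basename(ev["image"]) == "cmd.exe" and SCRIPT_EXT.search(ev["target"]):
                alerts.append(("shell_drops_script", ev["ts"], ev["target"]))
        elif ev["id"] == 13:  # RegistryValueSet
            # Run-key autorun whose target lives in a user-writable directory
            if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["details"]):
                alerts.append(("run_key_to_user_writable_path", ev["ts"], ev["details"]))
        elif ev["id"] == 1:  # ProcessCreate
            # Script host launched with a script that sits in %temp% or %AppData%
            if (basename(ev["image"]) in SCRIPT_HOSTS
                    and USER_WRITABLE.search(ev["cmdline"])
                    and SCRIPT_EXT.search(ev["cmdline"])):
                alerts.append(("script_exec_from_user_writable", ev["ts"], ev["cmdline"]))
            # The process image was itself created moments earlier
            dropped_at = recent_drops.get(ev["image"].lower())
            if dropped_at is not None and 0 <= ev["ts"] - dropped_at <= drop_window:
                alerts.append(("exec_of_recently_dropped_file", ev["ts"], ev["image"]))
    return alerts


if __name__ == "__main__":
    for rule, ts, detail in triage(EVENTS):
        print(f"t={ts:>3}  {rule:<32} {detail}")
```

Run against the constructed events it fires four times (the VBS dropped by cmd.exe, the wscript launch from %temp%, the Run value pointing into %AppData%\Roaming, and Driver.exe starting two seconds after it was written) and stays silent on the Program Files installer. Feeding it real Sysmon data means mapping the EventID 1/11/13 fields onto the same keys; the rules themselves are the same ones the Sigma titles in the reports below name.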
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed shell32.dll
Result
Threat name: Phoenix Stealer Xmrig
Detection: malicious
Classification: troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Command shell drops VBS files
Contains functionality to hide user accounts
Creates multiple autostart registry keys
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses BatToExe to download additional code
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BatToExe compiled binary
Yara detected Phoenix Stealer
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID 552546; sample 4nmeEJrZJ9.exe; start date 13/01/2022; architecture WINDOWS; score 100. Top-level signatures: Sigma detected: Xmrig; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 16 other signatures. Process tree and per-node findings as rendered in the graph (the "..." in paths are as shown in the report):

4nmeEJrZJ9.exe (root)
  dropped: C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32); C:\Users\user\AppData\Local\Temp\...\37E6.bat (ASCII)
  signatures: Potential malicious VBS script found (suspicious strings)
  started: cmd.exe, conhost.exe
  cmd.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\123.vbs (ASCII)
    signatures: Potential malicious VBS script found (suspicious strings); Command shell drops VBS files; Uses BatToExe to download additional code
    started: setup_s.exe, setup_m.exe, setup_c.exe, 6 other processes
    setup_s.exe
      dropped: C:\Users\user\AppData\...\setup_s.exe (copy, MS-DOS); C:\Users\user\AppData\Roaming\...\Driver.exe (MS-DOS); C:\Users\user\AppData\Roaming\...\Driver.url (MS)
      signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Creates multiple autostart registry keys; Hides threads from debuggers
      started: Driver.exe
      Driver.exe
        network: 149.202.83.171:3333 (local port 49774), OVHFR, France; DNS pool.supportxmr.com, pool-fr.supportxmr.com
        signatures: Multi AV Scanner detection for dropped file; Detected Stratum mining protocol (on the 149.202.83.171 connection)
        started: conhost.exe
    setup_m.exe
      network: yandex.ru 5.255.255.5:443 (local port 49768), YANDEXRU, Russian Federation; 192.168.2.1 (unknown)
      dropped: C:\Users\user\AppData\Roaming\...\dllhost.exe (MS-DOS)
      signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Tries to evade analysis by execution special instruction which cause usermode exception
    setup_c.exe
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
      started: SystemPropertiesPerformance.exe, replace.exe, iscsicli.exe
      SystemPropertiesPerformance.exe
        network: 95.142.46.35:6666 (local port 49769), VDSINA-ASRU, Russian Federation
        signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    6 other processes
      network: a0620960.xsph.ru 141.8.192.93 (ports 49765, 49766, 49767), SPRINTHOSTRU, Russian Federation; iplogger.org 148.251.234.83:443 (local port 49764), HETZNER-ASDE, Germany
      dropped: C:\Users\user\AppData\Local\...\setup_c.exe (PE32); C:\Users\user\AppData\Local\...\setup_s.exe (MS-DOS); C:\Users\user\AppData\Local\...\setup_m.exe (MS-DOS)
      signatures: System process connects to network (likely due to code injection or exploit); May check the online IP address of the machine
dllhost.exe (root)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file
setup_s.exe (root)
  signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade analysis by execution special instruction which cause usermode exception; Hides threads from debuggers
4 other processes (root)
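The network contacts in the behaviour graph above (the supportxmr.com pool names and 149.202.83.171 port 3333, where Stratum was detected; 95.142.46.35 port 6666, reached by the process that harvests browser and FTP credentials; a0620960.xsph.ru / 141.8.192.93 and iplogger.org / 148.251.234.83, contacted by the stage that dropped the setup_*.exe files) can be turned into a small network detector. The Python below is an added example, not code from MalwareBazaar or from the sandbox vendors: it matches DNS queries and connections against those indicators and, independently of the indicator list, recognises the Stratum JSON-RPC messages XMRig exchanges with a pool, so it also flags a constructed connection to an address that is not on this page. The log records, the process attribution, the 203.0.113.x addresses, the wallet placeholder and the XMRig user-agent value are constructed for illustration; the role labels on the indicators are inferred from the graph, and yandex.ru is intentionally not listed because a connection to it is not an indicator on its own.

```python
"""Network-side detection for the contacts in the behaviour graph above.
Added example for this page; the log records are constructed, the role labels
on the indicators are inferred from the graph, and the 203.0.113.x addresses
are documentation ranges standing in for hosts not on the page."""
import json

# Indicators taken from the behaviour graph, with the role each played there.
IOC_DOMAINS = {
    "pool.supportxmr.com": "XMRig mining pool",
    "pool-fr.supportxmr.com": "XMRig mining pool",
    "a0620960.xsph.ru": "contacted by the stage that dropped setup_*.exe",
    "iplogger.org": "external IP check / tracking service",
}
IOC_ADDRESSES = {
    "149.202.83.171": "XMRig mining pool, Stratum seen on port 3333",
    "141.8.192.93": "a0620960.xsph.ru",
    "95.142.46.35": "port 6666 endpoint reached by the credential-harvesting process",
    "148.251.234.83": "iplogger.org",
}

# Stratum is newline-delimited JSON-RPC.  XMRig speaks the login/submit/
# keepalived dialect; Bitcoin-style miners use the mining.* methods.
STRATUM_METHODS = {"login", "submit", "getjob", "keepalived", "job",
                   "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify"}
# Ports commonly used by pools; a weak signal on their own.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}


def looks_like_stratum(payload: bytes) -> bool:
    """True if the first line of a TCP payload is a Stratum JSON-RPC message."""
    first = payload.split(b"\n", 1)[0]
    try:
        msg = json.loads(first)
    except ValueError:  # includes JSONDecodeError and UnicodeDecodeError
        return False
    if not isinstance(msg, dict):
        return False
    if msg.get("method") in STRATUM_METHODS:
        return True
    # Pool replies carry the job (XMRig: result.job with a "blob")
    result = msg.get("result")
    return isinstance(result, dict) and ("job" in result or "blob" in result)


# Constructed records: DNS queries and TCP connections with the first bytes of
# the client payload, attributed to the process that made them.
LOG = [
    {"proto": "dns", "proc": "setup_m.exe", "query": "yandex.ru"},
    {"proto": "dns", "proc": "Driver.exe", "query": "pool-fr.supportxmr.com"},
    {"proto": "tcp", "proc": "Driver.exe", "dst": "149.202.83.171", "dport": 3333,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"<wallet>","pass":"x","agent":"XMRig/6.x"}}\n'},
    {"proto": "tcp", "proc": "SystemPropertiesPerformance.exe", "dst": "95.142.46.35", "dport": 6666,
     "payload": b"\x17\x03\x03\x00\x45"},
    {"proto": "tcp", "proc": "svchost.exe", "dst": "148.251.234.83", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00"},
    # Not on the page: a miner talking Stratum to an unknown pool on 3333
    {"proto": "tcp", "proc": "unknown.exe", "dst": "203.0.113.9", "dport": 3333,
     "payload": b'{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"1","job_id":"a","nonce":"00000000","result":"ff"}}\n'},
    # Benign noise: browser TLS to an unrelated host
    {"proto": "tcp", "proc": "chrome.exe", "dst": "203.0.113.10", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00"},
]


def analyse(records):
    """Return one alert per record that matches an indicator or looks like Stratum."""
    alerts = []
    for r in records:
        reasons = []
        if r["proto"] == "dns":
            role = IOC_DOMAINS.get(r["query"].lower())
            if role:
                reasons.append(f"IOC domain ({role})")
            where = r["query"]
        else:
            role = IOC_ADDRESSES.get(r["dst"])
            if role:
                reasons.append(f"IOC address ({role})")
            if looks_like_stratum(r.get("payload", b"")):
                reasons.append("Stratum JSON-RPC in payload")
            elif r["dport"] in STRATUM_PORTS:
                reasons.append(f"mining-pool port {r['dport']} (weak signal)")
            where = f"{r['dst']}:{r['dport']}"
        if reasons:
            alerts.append({"proc": r["proc"], "where": where, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyse(LOG):
        print(f"{a['proc']:<35} {a['where']:<28} " + "; ".join(a["reasons"]))
```

The indicator lookups are the cheap part and go stale as soon as the operator moves pools; the payload check is what keeps the detection useful, because Stratum is plaintext JSON on whatever port the pool chooses and the "login" message with an XMRig agent string is hard to disguise without changing the miner. Treat the port list as corroboration only.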
Threat name: Win32.Trojan.Fsysna
Status: Malicious
First seen: 2022-01-13 11:39:23 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 18 of 28 (64.29%)
Threat level: 5/5
Result
Malware family: mimikatz
Score: 10/10
Tags: family:loaderbot family:mimikatz evasion loader miner persistence upx
Behaviour
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Looks for VMWare Tools registry key
UPX packed file
LoaderBot executable
Looks for VirtualBox Guest Additions in registry
mimikatz is an open source tool to dump credentials on Windows
LoaderBot
Mimikatz
Unpacked files
SHA256 hash: 2f1d39ba573b84486227a1a96ee73c2016ef1ff08db4ef0101a14118d31f3f24
MD5 hash: ff1fe289bf932bd268f5b8de03a1ee52
SHA1 hash: 3ed3b21e7b9e1b9fa07754550bd014352fdba6cd

SHA256 hash: f3622af9e9478d97008e6a7d3f97449148f2cc6fc03420d47020f7b33dbd47cb
MD5 hash: c44f4a2ee25a20ae573838ac013b6de2
SHA1 hash: 6ff171a9f8cc9a192a14b8313814854fbdf2f5ff
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments