MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3aa18ec1d6075e859622e8af114df28939eb5414cc8b0f0094b43b0c55d1de8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3aa18ec1d6075e859622e8af114df28939eb5414cc8b0f0094b43b0c55d1de8
SHA3-384 hash: ed6db7541b6865e70841173ede32e99ef11683735e5b629f675def88a114dba37cdb9e69064f95b82a052ad5cbfe692e
SHA1 hash: 46e7a169436ae366758cb3c01a40552cd59c0aee
MD5 hash: 1a92a9c5ed159ed0914f2e4570661a15
humanhash: fourteen-mississippi-eleven-tennis
File name:1a92a9c5ed159ed0914f2e4570661a15
Download: download sample
Signature CoinMiner
Create hunting rule
File size:356'864 bytes
First seen:2022-01-14 15:35:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep 6144:P5aWbksiNTB6VcYEL6MQU9KKqmUhZiZs3lyiFiznt804G+YCN+0ORduk:P5atNTQVcYE9KKqfziZs3EznX4mCN+0Y
TLSH T1C4740240B2E246F7DAF2093102F5613FA73962385754DCDBC38C2E5256036E5AA7D3EA
Reporter zbetcheckin
Tags:32 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1a92a9c5ed159ed0914f2e4570661a15
Verdict:
Malicious activity
Analysis date:
2022-01-14 15:52:03 UTC
Tags:
evasion loader
Link:
https://app.any.run/tasks/684d59ef-bf02-498e-bfd6-ae344a6ae0d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219353/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.41903412.23037.4057.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Launching a process
Searching for synchronization primitives
Launching a service
Modifying a system file
Searching for analyzing tools
Searching for the window
Creating a file in the Windows subdirectories
Moving a file to the %AppData% subdirectory
Forced system process termination
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4200/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/61e1986ef2e8ec86fefd64e3/reports/c6b8bcf4-4501-4f52-b479-44d6d48d30aa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2aa8b9b3-2fe1-4bfb-a0cb-841a3fe0a556
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920832
Signature
Antivirus detection for URL or domain
Command shell drops VBS files
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Uses BatToExe to download additional code
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553310 Sample: VQ9zW80IGY Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 37 Antivirus detection for URL or domain 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Machine Learning detection for sample 2->41 43 3 other signatures 2->43 7 VQ9zW80IGY.exe 10 2->7         started        process3 file4 27 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\Temp\...\FD94.bat, ASCII 7->29 dropped 51 Potential malicious VBS script found (suspicious strings) 7->51 11 cmd.exe 3 5 7->11         started        15 conhost.exe 7->15         started        signatures5 process6 file7 31 C:\Users\user\AppData\Local\Temp\...\360t.vbs, ASCII 11->31 dropped 53 Potential malicious VBS script found (suspicious strings) 11->53 55 Command shell drops VBS files 11->55 57 Uses BatToExe to download additional code 11->57 17 wscript.exe 11->17         started        21 extd.exe 1 11->21         started        23 extd.exe 2 11->23         started        25 msiexec.exe 11->25         started        signatures8 process9 dnsIp10 33 iplogger.org 148.251.234.83, 443, 49757 HETZNER-ASDE Germany 17->33 45 System process connects to network (likely due to code injection or exploit) 17->45 47 May check the online IP address of the machine 17->47 49 Multi AV Scanner detection for dropped file 21->49 35 81.163.30.181, 49756, 80 IR-RASANAPISHTAZIR Russian Federation 23->35 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3aa18ec1d6075e859622e8af114df28939eb5414cc8b0f0094b43b0c55d1de8/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 15:36:20 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ovbr3a5mb26qwlcf2fpcfg7fcjz5nkbjtelb4ajjnb3brk5dxua._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Result
Malware family:
loaderbot
Create hunting rule
Score:
  10/10
Tags:
family:loaderbot loader miner persistence upx
Link:
https://tria.ge/reports/220114-s1zlzahab8/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
LoaderBot executable
LoaderBot
Unpacked files
SH256 hash:
c5d788de9cfb428f70b521fb3ab5639b8882e1c0b799cce9be033c5309897c0c
MD5 hash:
0f670a9f505f21cf2dfca63f0055e1f8
SHA1 hash:
7dc008cd399d020fce4302c553a1aa7ec3d04ec9
Link:
https://www.unpac.me/results/0aec2bf6-da99-4f94-8f63-3a81eb03602d/
SH256 hash:
f3aa18ec1d6075e859622e8af114df28939eb5414cc8b0f0094b43b0c55d1de8
MD5 hash:
1a92a9c5ed159ed0914f2e4570661a15
SHA1 hash:
46e7a169436ae366758cb3c01a40552cd59c0aee
Link:
https://www.unpac.me/results/0aec2bf6-da99-4f94-8f63-3a81eb03602d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3aa18ec1d6075e859622e8af114df28939eb5414cc8b0f0094b43b0c55d1de8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:MALWARE_Win_CoinMiner04
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe f3aa18ec1d6075e859622e8af114df28939eb5414cc8b0f0094b43b0c55d1de8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1976766/
Cape
Cape
https://www.capesandbox.com/analysis/219353/

Comments