MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6db67d86284b56e01a696535996455416a4e86ec12b923721771d010210c487. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6db67d86284b56e01a696535996455416a4e86ec12b923721771d010210c487
SHA3-384 hash: a78c76007bc6c60b2c728d7d32b92470f48b2e3c1fb4bfec84fef8df07e433d8421c4455212da001fcd35b1ec9acd572
SHA1 hash: fa3828e6d776fc6c72634750e7ecd001aa081498
MD5 hash: 1292235b7a31fb359e34d4267364dcc6
humanhash: pip-romeo-lithium-bulldog
File name:FragHack.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:8'046'256 bytes
First seen:2022-05-14 18:30:27 UTC
Last seen:2022-05-14 19:22:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5933e3a588501c54144ffecc471f85ef (1 x CoinMiner)
ssdeep 196608:F9k4CONhOU/wqsnzsL5yHFgPXufcBxe7Z1pArd3pslA:FP/aU/AzsL5ydfcB4QdZslA
Threatray 2'418 similar samples on MalwareBazaar
TLSH T1DD8633D82B5DFCDEDF295B36A84052C8D9943E51D1DF16B71220321E968EF886C7C23A
TrID 45.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.2% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
0.2% (.VXD) VXD Driver (29/21)
File icon (PE):PE icon
dhash icon 2be8cc0d8696b2e8 (1 x CoinMiner)
Reporter JaffaCakes118
Tags:CoinMiner exe signed

Code Signing Certificate

Organisation:epicgames.com
Issuer:Amazon
Algorithm:sha256WithRSAEncryption
Valid from:2021-10-25T00:00:00Z
Valid to:2022-11-22T23:59:59Z
Serial number: 07d97598602b9d8357a2b89601bfe25b
Thumbprint Algorithm:SHA256
Thumbprint: 86c10eefd1e8503428b36c6e60aecf81dc3b15220f992e9161bf81f5175a2393
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
375
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FragHack.zip
Verdict:
Suspicious activity
Analysis date:
2022-03-23 20:11:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/01b79734-d71e-461b-8d92-65d86fe314bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/270669/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17749/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
donut overlay packed
Link:
https://www.filescan.io/uploads/627ff54722b733139c17c0fb/reports/29d55cbc-7f3a-4fb2-8f68-481d91212eaa/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/24881894-7d24-46a9-bc8b-570bf1f3842a
Result
Threat name:
BitCoin Miner, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994171
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
DNS related to crypt mining pools
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Potential dropper URLs found in powershell memory
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 626667 Sample: FragHack.exe Startdate: 14/05/2022 Architecture: WINDOWS Score: 100 95 Malicious sample detected (through community Yara rule) 2->95 97 Antivirus / Scanner detection for submitted sample 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 6 other signatures 2->101 11 FragHack.exe 2->11         started        14 DriverUpdate.exe 2->14         started        16 svchost.exe 2->16         started        18 10 other processes 2->18 process3 dnsIp4 115 Query firmware table information (likely to detect VMs) 11->115 117 Writes to foreign memory regions 11->117 119 Allocates memory in foreign processes 11->119 129 3 other signatures 11->129 21 conhost.exe 6 11->21         started        121 Antivirus detection for dropped file 14->121 123 Multi AV Scanner detection for dropped file 14->123 125 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->125 25 conhost.exe 14->25         started        127 Changes security center settings (notifications, updates, antivirus, firewall) 16->127 27 MpCmdRun.exe 16->27         started        87 127.0.0.1 unknown unknown 18->87 signatures5 process6 file7 79 C:\Users\user\AppData\...\DriverUpdate.exe, PE32+ 21->79 dropped 81 C:\Users\...\DriverUpdate.exe:Zone.Identifier, ASCII 21->81 dropped 103 Very long command line found 21->103 105 Uses nslookup.exe to query domains 21->105 29 cmd.exe 21->29         started        31 cmd.exe 1 21->31         started        34 cmd.exe 1 21->34         started        36 cmd.exe 25->36         started        38 conhost.exe 27->38         started        signatures8 process9 signatures10 40 DriverUpdate.exe 29->40         started        43 conhost.exe 29->43         started        139 Encrypted powershell cmdline option found 31->139 141 Uses schtasks.exe or at.exe to add and modify task schedules 31->141 45 powershell.exe 22 31->45         started        47 powershell.exe 23 31->47         started        49 conhost.exe 31->49         started        51 conhost.exe 34->51         started        53 schtasks.exe 34->53         started        55 conhost.exe 36->55         started        57 2 other processes 36->57 process11 signatures12 107 Query firmware table information (likely to detect VMs) 40->107 109 Writes to foreign memory regions 40->109 111 Allocates memory in foreign processes 40->111 113 3 other signatures 40->113 59 conhost.exe 40->59         started        process13 file14 83 C:\Users\user\AppData\...\sihost64.exe, PE32+ 59->83 dropped 85 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 59->85 dropped 131 Very long command line found 59->131 133 Uses nslookup.exe to query domains 59->133 135 Writes to foreign memory regions 59->135 137 3 other signatures 59->137 63 sihost64.exe 59->63         started        66 nslookup.exe 59->66         started        69 cmd.exe 59->69         started        signatures15 process16 dnsIp17 143 Antivirus detection for dropped file 63->143 145 Multi AV Scanner detection for dropped file 63->145 147 Writes to foreign memory regions 63->147 155 2 other signatures 63->155 71 conhost.exe 63->71         started        89 213.32.74.157, 14433, 49827 OVHFR France 66->89 91 dalyokiy.xyz 66->91 93 2 other IPs or domains 66->93 149 Query firmware table information (likely to detect VMs) 66->149 151 Performs DNS queries to domains with low reputation 66->151 153 Encrypted powershell cmdline option found 69->153 73 conhost.exe 69->73         started        75 powershell.exe 69->75         started        77 powershell.exe 69->77         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6db67d86284b56e01a696535996455416a4e86ec12b923721771d010210c487/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2022-02-20 05:13:20 UTC
File Type:
PE+ (Exe)
Extracted files:
15
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3fd0837381babda7ef617b810457f0db32bd7c1f7e345480e6c525050ca818fa
CoinMiner
73872c3c2ba2f4e09a18b0e0b3e00419b302781a83206512da39c28ae2e35fcc
CoinMiner
7ee182a4e061b93eaa096b87b0914d115f5c49d2812a6c81c62a836892adc359
CoinMiner
a71ca3a4994f11007ef42e19b763773a49f7067daf28b3ca16e81a65a4fd4dd4
CoinMiner
aa45bdb023a15b2fbfcac1636620908400d63cf862ea9f07fc42a73387693cf1
CoinMiner
b840f10ae378fa15f8570f6eb208e2f280618bd49ade560eca00c93b6a4bd7d9
CoinMiner
c73a91a1fdfa8b8ad1c4092fd33e3e84c16b568ae622996891d573bb449eec04
CoinMiner
ee1524e4980cac431ae0f92888ee0cc8a1fa9e7981df0be6abd7efa98adf9a45
CoinMiner
+ 2'408 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner themida trojan
Link:
https://tria.ge/reports/220514-w5175sdefk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
f6db67d86284b56e01a696535996455416a4e86ec12b923721771d010210c487
MD5 hash:
1292235b7a31fb359e34d4267364dcc6
SHA1 hash:
fa3828e6d776fc6c72634750e7ecd001aa081498
Link:
https://www.unpac.me/results/599bbd1d-0d50-438a-9462-97239045c6e1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f6db67d86284/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f6db67d86284b56e01a696535996455416a4e86ec12b923721771d010210c487

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe f6db67d86284b56e01a696535996455416a4e86ec12b923721771d010210c487

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/270669/

Comments