MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f70e0c1d6dcec7a1da46f9b0a76f717d8b8d33bc8e15898d0dce194bec87eedc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f70e0c1d6dcec7a1da46f9b0a76f717d8b8d33bc8e15898d0dce194bec87eedc
SHA3-384 hash: 5c7db7203655282c4f70b26faf4cc2a193084aa613aad689063ecbc58c2ebcbf7188aa69b84836be9c1ec4fd432ecc87
SHA1 hash: 796198cc724ed90dbad61dfc215450b09c809989
MD5 hash: 469608ac8c6416d714329e77660c1d14
humanhash: crazy-bakerloo-black-six
File name:469608ac8c6416d714329e77660c1d14
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'043'392 bytes
First seen:2021-11-11 01:31:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (87 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:GDYmpFS7op1+YFMbK4ffBLEzUQmQOAgTSjgQkJvZvW/L:G8mpiK/F4K4fizZmQOPTSJp
Threatray 122 similar samples on MalwareBazaar
TLSH T17C9533987AD86D75E6A5B9BFFCB38647F92720C6616870C2C4F51EE51100F32B16B388
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/204891/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/618c7295dec3347825a1a3d2/reports/601a2eea-323d-4d4f-9cc9-ac268b2ba705/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/507ed422-83e6-4758-83d7-7b5c8949a62d
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/887213
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 519687 Sample: Bzt5q0bW52 Startdate: 11/11/2021 Architecture: WINDOWS Score: 84 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected BitCoin Miner 2->53 9 services32.exe 2->9         started        12 Bzt5q0bW52.exe 2->12         started        process3 signatures4 67 Multi AV Scanner detection for dropped file 9->67 69 Writes to foreign memory regions 9->69 71 Allocates memory in foreign processes 9->71 14 conhost.exe 5 9->14         started        73 Creates a thread in another existing process (thread injection) 12->73 19 conhost.exe 5 12->19         started        process5 dnsIp6 47 192.168.2.1 unknown unknown 14->47 41 C:\Windows\System32\...\sihost32.exe, PE32+ 14->41 dropped 49 Drops executables to the windows directory (C:\Windows) and starts them 14->49 21 sihost32.exe 14->21         started        43 C:\Windows\System32\services32.exe, PE32+ 19->43 dropped 45 C:\Windows\...\services32.exe:Zone.Identifier, ASCII 19->45 dropped 24 cmd.exe 1 19->24         started        26 cmd.exe 1 19->26         started        file7 signatures8 process9 signatures10 55 Multi AV Scanner detection for dropped file 21->55 57 Writes to foreign memory regions 21->57 59 Allocates memory in foreign processes 21->59 61 Creates a thread in another existing process (thread injection) 21->61 28 conhost.exe 2 21->28         started        63 Drops executables to the windows directory (C:\Windows) and starts them 24->63 30 services32.exe 24->30         started        33 conhost.exe 24->33         started        65 Uses schtasks.exe or at.exe to add and modify task schedules 26->65 35 conhost.exe 26->35         started        37 schtasks.exe 1 26->37         started        process11 signatures12 75 Writes to foreign memory regions 30->75 77 Allocates memory in foreign processes 30->77 79 Creates a thread in another existing process (thread injection) 30->79 39 conhost.exe 2 30->39         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f70e0c1d6dcec7a1da46f9b0a76f717d8b8d33bc8e15898d0dce194bec87eedc/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-11-07 00:47:33 UTC
AV detection:
24 of 45 (53.33%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
139c83b8cf3674d992e04f9e4a047c3a7ad5279b2f6b8bf18c39603f82bca16d
CoinMiner
191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33
CoinMiner
28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994
CoinMiner
4428c955f11bf14ee87a1c6540314b9f24f6adbe848724dab4029242fef22137
CoinMiner
58f64e4083fa288b091dc0d29a050da9cd09e4ee6607aff2e5fa5ffbe2c7a887
CoinMiner
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
CoinMiner
d3cfc436366c9d127c7a6233f6531cf6e5863153b41ba4ab6f8fe87f473c8c9d
CoinMiner
e7b94b42550145f6653edad5a47879f3bad1abe865f065d7036ca942c572e842
CoinMiner
f89908f8594a0dccfb5e52b295075ff63be86c0f5584f990d39dfe2b2c2f9c08
CoinMiner
+ 112 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211111-bxzn5affbk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
f70e0c1d6dcec7a1da46f9b0a76f717d8b8d33bc8e15898d0dce194bec87eedc
MD5 hash:
469608ac8c6416d714329e77660c1d14
SHA1 hash:
796198cc724ed90dbad61dfc215450b09c809989
Link:
https://www.unpac.me/results/aebb746a-9bae-4412-8b5f-830ef1d6d483/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f70e0c1d6dce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/f70e0c1d6dcec7a1da46f9b0a76f717d8b8d33bc8e15898d0dce194bec87eedc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe f70e0c1d6dcec7a1da46f9b0a76f717d8b8d33bc8e15898d0dce194bec87eedc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1775139/
Cape
Cape
https://www.capesandbox.com/analysis/204891/

Comments


Avatar
zbet commented on 2021-11-11 01:31:36 UTC

url : hxxp://antivirf.ru/main.exe