MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f882cbd19bca7935fb6d2214f305299399dec452b9db794cc4f97b1a1104c538. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 13



SHA256 hash: f882cbd19bca7935fb6d2214f305299399dec452b9db794cc4f97b1a1104c538
SHA3-384 hash: 0e576eaff30a2e647a87bac62ce4e6b1e69e2d24bebe766cca9c78e1b7c65cec849afd7440de37f5d09a77e9b7799535
SHA1 hash: ede0c4b82a9b4107fe4432643f886059944b4ee6
MD5 hash: bc690d37ae8395cb25a8657db1d370e8
humanhash: louisiana-vermont-massachusetts-purple
File name: Discord Grabber.exe
Signature: CoinMiner
File size: 3'924'480 bytes
First seen: 2024-01-17 04:04:14 UTC
Last seen: 2024-01-17 05:17:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a9c887a4f18a3fede2cc29ceea138ed3 (35 x CoinMiner, 17 x AsyncRAT, 17 x BlankGrabber)
ssdeep: 98304:UXDDWMyNVmf2ILDVGDgRdWiN0d1nbudqP4X+u0dOW+M8xFZwnzTu:UzDWMDV2gRdfN81nbDPQyOXMw/wz
Threatray: 34 similar samples on MalwareBazaar
TLSH: T1A60633D184F97829C1E919FE037C32D624C42A69B355EF05BFE9FB06B6A3451F240D29
TrID: 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter: byte5
Tags: CoinMiner exe

byte5: Possible crypto miner

Intelligence


File Origin
# of uploads: 2
# of downloads: 455
Origin country: US
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Blank Grabber
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Blank Grabber
Behaviour
Behavior Graph:
Behavior Graph ID: 1375856
Sample: Discord_Grabber.exe
Startdate: 17/01/2024
Architecture: WINDOWS
Score: 100
Network: de.zephyr.herominers.com
Signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 3 other signatures
Process tree:
  Discord_Grabber.exe
    dropped: C:\Users\user\AppData\Local\Temp\xax.exe (PE32+)
    signatures: Encrypted powershell cmdline option found
    started: unarchiver.exe
      started: 7za.exe
        dropped: C:\Users\user\AppData\Local\Temp\...\upx.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\rar.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\gui.py (Python); 8 other malicious files
        started: conhost.exe
    started: xax.exe
      dropped: C:\ProgramData\...\jjqyznjsierq.exe (PE32+)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Adds a directory exclusion to Windows Defender
      started: cmd.exe (started: conhost.exe, wusa.exe); powershell.exe (started: conhost.exe); sc.exe (started: conhost.exe); 3 other processes (started: conhost.exe x3)
    started: powershell.exe
      signatures: Potential dropper URLs found in powershell memory
      started: conhost.exe
  jjqyznjsierq.exe
    dropped: C:\Windows\Temp\iezwvcbtoilj.sys (PE32+)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Injects code into the Windows Explorer (explorer.exe); 3 other signatures
    started: explorer.exe
      network: de.zephyr.herominers.com 167.235.223.40, ports 1123, 49704, ALBERTSONSUS, United States
      signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
    started: cmd.exe (started: conhost.exe, wusa.exe)
    started: powershell.exe (started: conhost.exe)
    started: conhost.exe
Threat name:
Win32.Dropper.Dapato
Status:
Malicious
First seen:
2023-12-03 14:25:59 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
3/5
Result
Malware family:
Score:
10/10
Tags:
family:xmrig evasion miner persistence upx
Behaviour
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Creates new service(s)
Stops running service(s)
XMRig Miner payload
xmrig
Unpacked files
SHA256 hash:
f882cbd19bca7935fb6d2214f305299399dec452b9db794cc4f97b1a1104c538
MD5 hash:
bc690d37ae8395cb25a8657db1d370e8
SHA1 hash:
ede0c4b82a9b4107fe4432643f886059944b4ee6
Please note that we are no longer able to provide a coverage score for Virus Total.
