MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8e512cd8999ab9a3b83ca080647262389cdd72ee22b4afcecf5100fc3abded5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8e512cd8999ab9a3b83ca080647262389cdd72ee22b4afcecf5100fc3abded5
SHA3-384 hash: 575996d250cc8a84f14f4690ad8758240634a730c0bddbc21b1b054aec23f0c4548b206cb60cd98f17a8330c994852fb
SHA1 hash: 88cfaf2f8d1051092e467e12de987bf717164d60
MD5 hash: 5895e63a7bca8cc08b3a0b624342678d
humanhash: twenty-emma-seven-ink
File name:SecuriteInfo.com.Trojan.Inject4.21377.30820.127
Download: download sample
Signature CoinMiner
Create hunting rule
File size:7'017'984 bytes
First seen:2021-12-06 03:13:15 UTC
Last seen:2021-12-06 04:32:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ad03ae817c87fd74bd29f1c17e69dc64 (4 x CoinMiner)
ssdeep 196608:rBKyvuzV4lgEHF2cC+xHmptrUnwYmr3LnK:rnumlfgF+tG/YY3D
Threatray 346 similar samples on MalwareBazaar
TLSH T1326623FD6284336CC41EC974C433F984F276561E4ADAE4BAB2DB36D067A7424D842F4A
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Download+file+Арифметико+{Alawar}.exe+(7,57+Mb)+In+free+mode+_+Turbobit.net.zip
Verdict:
Malicious activity
Analysis date:
2021-11-28 22:01:38 UTC
Tags:
evasion trojan loader opendir rat redline stealer vidar backdoor dcrat
Link:
https://app.any.run/tasks/e4fd53a2-5813-48f1-a577-c504feff8990

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211572/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.21377.30820.127.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/989/overview
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61ad7ffe4d8e6f3a5e13674e/reports/33a6d278-1543-4e69-a91d-9615b07ace01/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/29df8c85-7e8f-4195-b8b4-0cc55ed3b7c4
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901924
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Drops PE files to the user root directory
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Conti Backup Database
Sigma detected: Disable or Delete Windows Eventlog
Sigma detected: PowerShell SAM Copy
Sigma detected: Suspicious PowerShell Invocations - Generic
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534398 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 06/12/2021 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected BitCoin Miner 2->54 56 Detected VMProtect packer 2->56 58 5 other signatures 2->58 11 SecuriteInfo.com.Trojan.Inject4.21377.30820.exe 2->11         started        14 services32.exe 2->14         started        process3 signatures4 70 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->70 72 Writes to foreign memory regions 11->72 74 Tries to evade analysis by execution special instruction which cause usermode exception 11->74 82 2 other signatures 11->82 16 conhost.exe 5 11->16         started        76 Multi AV Scanner detection for dropped file 14->76 78 Tries to detect debuggers (CloseHandle check) 14->78 80 Tries to detect virtualization through RDTSC time measurements 14->80 20 conhost.exe 3 14->20         started        process5 file6 44 C:\Users\user\services32.exe, PE32+ 16->44 dropped 46 C:\Users\...\services32.exe:Zone.Identifier, ASCII 16->46 dropped 50 Drops PE files to the user root directory 16->50 22 cmd.exe 1 16->22         started        24 cmd.exe 1 16->24         started        signatures7 process8 signatures9 27 services32.exe 22->27         started        30 conhost.exe 22->30         started        68 Uses schtasks.exe or at.exe to add and modify task schedules 24->68 32 conhost.exe 24->32         started        34 schtasks.exe 1 24->34         started        process10 signatures11 84 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 27->84 86 Writes to foreign memory regions 27->86 88 Tries to detect debuggers (CloseHandle check) 27->88 90 2 other signatures 27->90 36 conhost.exe 4 27->36         started        process12 file13 48 C:\Users\user\AppData\...\sihost32.exe, PE32+ 36->48 dropped 39 sihost32.exe 36->39         started        process14 signatures15 60 Multi AV Scanner detection for dropped file 39->60 62 Writes to foreign memory regions 39->62 64 Allocates memory in foreign processes 39->64 66 Creates a thread in another existing process (thread injection) 39->66 42 conhost.exe 2 39->42         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8e512cd8999ab9a3b83ca080647262389cdd72ee22b4afcecf5100fc3abded5/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-11-29 06:00:14 UTC
File Type:
PE+ (Exe)
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1505d3b595d18d1b255253b080bed85334916ff81174a5685a6f3f3433cbe746
CoinMiner
36318442bbfa58a7dfa39620245f9e0fa3c672c0c9e63c267150c03fed4bb550
CoinMiner
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
CoinMiner
7e6b525d20c679bb8241177f2e307bb9c5b9070e4846a033640eb45eafcf64ea
CoinMiner
96ad89ff084cb88f1bd0bf8f104b744d9bf26157aa9f117851fdbfc2b20585c5
CoinMiner
bf47b285157f4274914515e77af23fc9924e7e10ea95065a37aa1e2d0deb8836
CoinMiner
d3cfc436366c9d127c7a6233f6531cf6e5863153b41ba4ab6f8fe87f473c8c9d
CoinMiner
e67db91b7e8bcf1cf40735c556df7971af493cfd6b0fe4ffd25774ca7c31e070
CoinMiner
fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957
CoinMiner
+ 336 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/211206-drb2zsdcbk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Unpacked files
SH256 hash:
f8e512cd8999ab9a3b83ca080647262389cdd72ee22b4afcecf5100fc3abded5
MD5 hash:
5895e63a7bca8cc08b3a0b624342678d
SHA1 hash:
88cfaf2f8d1051092e467e12de987bf717164d60
Link:
https://www.unpac.me/results/f5892a2c-7ffd-478e-9558-44db90383493/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f8e512cd8999/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8e512cd8999ab9a3b83ca080647262389cdd72ee22b4afcecf5100fc3abded5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe f8e512cd8999ab9a3b83ca080647262389cdd72ee22b4afcecf5100fc3abded5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1856793/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211572/

Comments