MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f97732ec57a865e9740251bae169db88deb546f1eacae127658867a35f95b7c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 9



SHA256 hash: f97732ec57a865e9740251bae169db88deb546f1eacae127658867a35f95b7c7
SHA3-384 hash: d0e95c0ba69f07ac049644abc10024bde96a6a37d46a066867d16ae7be48c2e5777d4ab8c17475bbe46eb535dfc24f05
SHA1 hash: e221e33e99e952d40fe525961759c4f507315c6f
MD5 hash: 2814d4305c6694071a326efcbd55c3a2
humanhash: cat-fish-edward-moon
File name: 2814d4305c6694071a326efcbd55c3a2
Download: download sample
Signature: CoinMiner
File size: 280'576 bytes
First seen: 2021-09-20 07:29:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 6144:zvuWKb3LDaINbAPD2XGf1KHKUaHgIXIGDZVA0ckae++5T8:zAarTdK9LqnHckae+8I
Threatray: 217 similar samples on MalwareBazaar
TLSH: T10654CFF61A50CE25FDF5893252B6CA144A7ADD063920E93BE5C8708A5BBF3874F435C2
dhash icon: da3930ae989192d9 (1 x CoinMiner, 1 x RedLineStealer)
Reporter: zbetcheckin
Tags: CoinMiner, exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 195
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2814d4305c6694071a326efcbd55c3a2
Verdict: No threats detected
Analysis date: 2021-09-20 07:30:43 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Threat name: BitCoin Miner Xmrig
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 486231; sample name in the sandbox: YgTvaZ5Vkh; start date 20/09/2021; architecture: WINDOWS; score: 100)

Top-level signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures.

Process tree, flattened from the graph image (node numbers in brackets are the graph's own; the "..." in paths is the graph's own truncation):

YgTvaZ5Vkh.exe [10]
  drops: C:\Users\user\AppData\...\YgTvaZ5Vkh.exe (PE32+); C:\Users\...\YgTvaZ5Vkh.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\YgTvaZ5Vkh.exe.log (ASCII)
  signatures: Encrypted powershell cmdline option found; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection)
  -> YgTvaZ5Vkh.exe [21]
       drops: C:\Users\user\AppData\...\services64.exe (PE32+); C:\Users\...\services64.exe:Zone.Identifier (ASCII)
       signatures: Multi AV Scanner detection for dropped file
       -> services64.exe [33]
            signatures: Encrypted powershell cmdline option found; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
            -> services64.exe [48]
                 network: sanctam.net 185.65.135.234 (ports 49775, 58899; ESAB-AS SE, Sweden); bitbucket.org 104.192.141.1 (ports 443, 49776; AMAZON-02 US, United States); 192.168.2.1
                 signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
                 -> explorer.exe [62]
                      network: mine.bmpool.org 157.90.156.89 (ports 49777, 6004; REDIRIS RedIRIS Autonomous System ES, United States); Detected Stratum mining protocol on this connection
                      signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
                 -> cmd.exe [66] -> conhost.exe [72], schtasks.exe [74]
                 -> sihost64.exe [68]
            -> powershell.exe [52] -> conhost.exe [70]
       -> cmd.exe [36] (Uses schtasks.exe or at.exe to add and modify task schedules) -> conhost.exe [54], schtasks.exe [56]
  -> powershell.exe [25] -> conhost.exe [38]
services64.exe [14]
  signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
  -> services64.exe [27]
       drops: C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+); C:\Users\user\AppData\...\sihost64.exe (PE32+)
       -> cmd.exe [40] -> conhost.exe [58], schtasks.exe [60]
       -> sihost64.exe [42]
  -> powershell.exe [29] -> conhost.exe [44]
svchost.exe [16]
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  -> MpCmdRun.exe [31] -> conhost.exe [46]
9 other processes [18]
  network: 127.0.0.1
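The graph above reports "Detected Stratum mining protocol" on the connection explorer.exe makes to mine.bmpool.org:6004. The following is an added example (not MalwareBazaar's code and not any sandbox vendor's detection logic) showing one way to reach that verdict from a captured TCP payload. Both mining dialects are newline-delimited JSON-RPC: Bitcoin-style Stratum v1 uses "mining.*" methods, while the CryptoNote/Monero pool protocol spoken by XMRig sends "login" (carrying the wallet and a user agent), then "job" notifications and "submit" calls with "jsonrpc":"2.0". The three streams embedded below are constructed fixtures; the wallet, agent, blob and target values are placeholders, not data observed from this sample.

```python
"""Spot Stratum-style mining JSON-RPC in a captured TCP payload (added example)."""
import json
from typing import Any, Dict, Iterator

# Bitcoin-style Stratum v1 method names, client -> pool and pool -> client.
STRATUM_V1_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.set_extranonce",
}


def _looks_like_cryptonote(method: str, params: Any) -> bool:
    """Shape-check CryptoNote methods so a generic JSON-RPC "login" is not enough."""
    if not isinstance(params, dict):
        return False
    if method == "login":
        return "login" in params                      # wallet / worker login string
    if method == "job":
        return {"blob", "job_id", "target"}.issubset(params)
    if method == "submit":
        return {"job_id", "nonce", "result"}.issubset(params)
    return False


def iter_jsonrpc(payload: bytes) -> Iterator[Dict[str, Any]]:
    """Yield each parseable JSON object from a newline-delimited stream, skipping noise."""
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw:
            continue
        try:
            msg = json.loads(raw.decode("utf-8"))
        except ValueError:                            # binary or non-JSON bytes on the same port
            continue
        if isinstance(msg, dict):
            yield msg


def classify_stream(payload: bytes) -> Dict[str, Any]:
    """Return the dialect ("stratum-v1", "cryptonote" or None), methods seen, login and agent."""
    result: Dict[str, Any] = {"dialect": None, "methods": [], "login": None, "agent": None}
    for msg in iter_jsonrpc(payload):
        method = msg.get("method")
        params = msg.get("params")
        if not isinstance(method, str):
            continue                                  # responses carry "result", not "method"
        if method in STRATUM_V1_METHODS:
            dialect = "stratum-v1"
        elif msg.get("jsonrpc") == "2.0" and _looks_like_cryptonote(method, params):
            dialect = "cryptonote"
        else:
            continue
        result["dialect"] = result["dialect"] or dialect
        result["methods"].append(method)
        if method == "login":                         # CryptoNote: wallet and miner agent
            result["login"] = params.get("login")
            result["agent"] = params.get("agent")
        elif method == "mining.authorize" and isinstance(params, list) and params:
            result["login"] = params[0]               # Stratum v1: worker name
    return result


# Constructed fixtures, not captured traffic. Values are placeholders.
XMRIG_LOGIN_STREAM = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4EXAMPLEWALLETplaceholder",'
    b'"pass":"x","agent":"XMRig/6.15.0","algo":["rx/0","cn/r"]}}\n'
    b'{"id":1,"jsonrpc":"2.0","result":{"id":"c0ffee","job":{"blob":"0c0c","job_id":"1",'
    b'"target":"b88d0600","algo":"rx/0"},"status":"OK"},"error":null}\n'
    b'{"jsonrpc":"2.0","method":"job","params":{"blob":"0c0c","job_id":"2","target":"b88d0600","algo":"rx/0"}}\n'
)
STRATUM_V1_STREAM = (
    b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'
    b'{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n'
)
HTTP_STREAM = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, stream in (("xmrig", XMRIG_LOGIN_STREAM), ("stratum-v1", STRATUM_V1_STREAM), ("http", HTTP_STREAM)):
        print(name, classify_stream(stream))
```

The port alone (6004 here) is not a reliable signal, since pools run on arbitrary ports, and a miner using TLS (stratum+ssl) hides the JSON from this check entirely, so in practice the payload test is combined with the process-level evidence the graph shows (explorer.exe, a system process, opening the connection after code injection). The "login" parameter recovered from a CryptoNote stream is the wallet or pool account and is a useful pivot across samples.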
Threat name: ByteCode-MSIL.Downloader.Seraph
Status: Malicious
First seen: 2021-09-20 07:30:09 UTC
AV detection: 7 of 45 (15.56%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: f97732ec57a865e9740251bae169db88deb546f1eacae127658867a35f95b7c7
MD5 hash: 2814d4305c6694071a326efcbd55c3a2
SHA1 hash: e221e33e99e952d40fe525961759c4f507315c6f
(These hashes are identical to those of the submitted sample above, i.e. no distinct unpacked payload is listed here.)
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
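The rule description above names the check: compare the PE compile timestamp with the current time. The following is an added example (not MalwareBazaar's code and not ditekSHen's YARA rule) that performs the same comparison in Python by reading IMAGE_FILE_HEADER.TimeDateStamp directly from the header bytes. Offsets come from the PE/COFF specification; the header returned by build_minimal_pe_header is a constructed fixture, not the real sample, and the function names and the one-day skew allowance are choices made for this example.

```python
"""Flag PE files whose IMAGE_FILE_HEADER.TimeDateStamp lies in the future (added example)."""
import struct
import sys
import time
from datetime import datetime, timezone
from typing import Optional

DOS_MAGIC = b"MZ"
E_LFANEW_OFFSET = 0x3C           # DWORD in the DOS header: file offset of "PE\0\0"
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20            # sizeof(IMAGE_FILE_HEADER)
# IMAGE_FILE_HEADER follows the 4-byte signature:
#   Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
#   NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
TIMESTAMP_REL_OFFSET = len(PE_SIGNATURE) + 2 + 2


def pe_compile_timestamp(data: bytes) -> int:
    """Return TimeDateStamp (seconds since 1970-01-01 UTC); raise ValueError if not a PE."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + len(PE_SIGNATURE) + FILE_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew points outside the buffer")
    if data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + TIMESTAMP_REL_OFFSET)
    return stamp


def is_timestamp_in_future(data: bytes, now: Optional[int] = None, slack: int = 86400) -> bool:
    """True when the compile timestamp is later than `now` by more than `slack` seconds.

    `slack` (one day by default, a choice made here) absorbs clock skew between the
    build host and the scanner. A zeroed field, as written by reproducible-build
    toolchains, is treated as absent rather than as a future date.
    """
    stamp = pe_compile_timestamp(data)
    if stamp == 0:
        return False
    reference = int(time.time()) if now is None else now
    return stamp > reference + slack


def build_minimal_pe_header(timestamp: int) -> bytes:
    """Constructed fixture: 0x40-byte DOS stub, "PE\0\0", then one IMAGE_FILE_HEADER.

    Not a loadable binary; just enough header for the check above.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # Machine=0x8664 (x64), NumberOfSections=1, TimeDateStamp, PointerToSymbolTable=0,
    # NumberOfSymbols=0, SizeOfOptionalHeader=0xF0 (PE32+), Characteristics=0x0022
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, 0x0022)
    return bytes(dos) + PE_SIGNATURE + file_header


def describe(data: bytes, now: Optional[int] = None) -> str:
    """Human-readable one-liner for a buffer."""
    stamp = pe_compile_timestamp(data)
    when = datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()
    verdict = "STOMPED (in the future)" if is_timestamp_in_future(data, now) else "plausible"
    return f"TimeDateStamp={stamp} ({when}): {verdict}"


if __name__ == "__main__":
    # Usage: python pe_future_timestamp.py <file.exe>; without an argument, run on the fixture.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(describe(fh.read()))
    else:
        print(describe(build_minimal_pe_header(1632096000)))   # fixture dated 2021-09-20 00:00 UTC
```

The check inherits the rule's limitation: it compares against the scanner's clock, so a timestamp stomped to a plausible past date passes it, and a result that flips between two scanners usually means their clocks differ rather than the file having changed.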

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Distributed via web download
Signature: CoinMiner
File: Executable exe f97732ec57a865e9740251bae169db88deb546f1eacae127658867a35f95b7c7 (this sample)

Comments



zbet commented on 2021-09-20 07:29:29 UTC

url: hxxp://renewal.fun/install1.exe