MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 facab61038ac54dfdae40e4d9557b33a891439f8201be728004c354a0bfbd7ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 12

SHA256 hash: facab61038ac54dfdae40e4d9557b33a891439f8201be728004c354a0bfbd7ab
SHA3-384 hash: 49510dc486dabeb671612fcafaed5650dd8416ee4968094fddfd22dc963379411c4b6635f52c3054ef2cc317b953d3c4
SHA1 hash: 400012011ce04dee21b0c557d76dd1d8971b0e09
MD5 hash: a8831802f7ca482cb46423271bad444c
humanhash: michigan-early-oscar-salami
File name: OneDriveSetup.exe
Signature: CoinMiner
File size: 3'818'496 bytes
First seen: 2023-03-06 16:52:32 UTC
Last seen: 2023-03-06 18:41:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 02549ff92b49cce693542fc9afb10102 (86 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep: 98304:cZAaHcVJrIbXXLMijTSzuBP/OlsLzFmNfW6FJKxxfZA4G:ckgr1SzB
Threatray: 1'060 similar samples on MalwareBazaar
TLSH: T13706BEDB3E50B6B6D28CEC7A356773BC87576C7CAE534E4EA14BFF2A02361198506006
TrID:
  55.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  16.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.9% (.ICL) Windows Icons Library (generic) (2059/9)
  6.8% (.EXE) OS/2 Executable (generic) (2029/13)
  6.7% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 418e1729e0592300 (8 x njrat, 5 x AsyncRAT, 3 x CoinMiner)
Reporter: Chainskilabs
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 316
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: OneDriveSetup.exe
Verdict: Malicious activity
Analysis date: 2023-03-06 16:57:48 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Creating a service
Launching a service
Loading a system driver
Enabling autorun for a service
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Unknown
Threat level: 0/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BitCoin Miner, SilentXMRMiner, Xmrig
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 820843; sample: OneDriveSetup.exe; start date: 06/03/2023; architecture: WINDOWS; score: 100), rebuilt as a process tree from the rendered graph:

Sample-level signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 5 other signatures

OneDriveSetup.exe
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  conhost.exe
    dropped: C:\Users\user\AppData\...\servicesupdate.exe (PE32+); C:\...\servicesupdate.exe:Zone.Identifier (ASCII)
    cmd.exe
      servicesupdate.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
        conhost.exe
          dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+); C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
          signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
          sihost64.exe
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 2 other signatures
            conhost.exe
          explorer.exe
            network: xmr.2miners.com 162.19.139.184, ports 12222, 49698, CENTURYLINK-US-LEGACY-QWESTUS, United States
            signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
      conhost.exe
    cmd.exe
      signatures: Uses schtasks.exe or at.exe to add and modify task schedules
      conhost.exe
      schtasks.exe
servicesupdate.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
  conhost.exe
    sihost64.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      conhost.exe
    cmd.exe
      taskkill.exe
      conhost.exe
svchost.exe
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  MpCmdRun.exe
    conhost.exe
8 other processes
  network: 192.168.2.1 (unknown)
  signatures: Query firmware table information (likely to detect VMs)
Threat name: Win64.Trojan.Donut
Status: Malicious
First seen: 2023-03-06 17:03:09 UTC
File Type: PE+ (Exe)
Extracted files: 131
AV detection: 19 of 25 (76.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
XMRig Miner payload
xmrig
Unpacked files
SHA256 hash: facab61038ac54dfdae40e4d9557b33a891439f8201be728004c354a0bfbd7ab
MD5 hash: a8831802f7ca482cb46423271bad444c
SHA1 hash: 400012011ce04dee21b0c557d76dd1d8971b0e09
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: CoinMiner
File type: Executable exe
SHA256 hash: facab61038ac54dfdae40e4d9557b33a891439f8201be728004c354a0bfbd7ab (this sample)

Comments