MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 facfe6d03ae63e1cb28ac57bcbc366a17b1d7dea227dbb87de6d0cb98bb53feb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: CoinMiner
Vendor detections: 10

SHA256 hash: facfe6d03ae63e1cb28ac57bcbc366a17b1d7dea227dbb87de6d0cb98bb53feb
SHA3-384 hash: 936c5bc5d08041d7ae8f01b1a98d77842b189dde760ff0970d3e2f07f7587346e6a32a457c87188212daeb667ef985cd
SHA1 hash: 6ae50e721f3c23dbb8928620fc9d9370c7755df8
MD5 hash: 3a35f2315dc33b6cdba331ec662fad0a
humanhash: yellow-floor-montana-vermont
File name: 64RasftubyGen11.exe
Signature: CoinMiner
File size: 1'765'336 bytes
First seen: 2022-03-07 05:30:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 027ea80e8125c6dda271246922d4c3b0 (also carried by 10 x njrat, 7 x DCRat and 5 x DarkComet samples on MalwareBazaar; an import hash shared across unrelated families is a weak pivot on its own)
ssdeep: 24576:kmoO8ituuZgHt+PwYsK3kgytvU3pQLdrEHPWh/jVc4GBcBMasKZ29LcbnpmTUWoI:vvZgqJ3Et8gSHuhhc4ccRsK29WnpmroI
Threatray: 6'846 similar samples on MalwareBazaar
TLSH: T1DB852302EBD184B2D42255364D197751A27CBE301F18CA5FF78C3E6DA8751B27722EA3
dhash icon: 71f0e8e8e8e8f069 (1 x CoinMiner)
Reporter: adm1n_usa32
Tags: CoinMiner exe hacktool UFR UFRStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 394
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 64RasftubyGen11.exe
Verdict: Malicious activity
Analysis date: 2022-03-07 05:27:53 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox, so the behaviour recorded here reflects every action taken during the analysis session, not only what the uploaded sample did on its own.
Result
Verdict: Malware
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Running batch commands
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MeasuringTime
EvasionQueryPerformanceCounter
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a PE binary can be suspicious or malicious.
Result
Threat name: Crypto Miner Xmrig
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Windows Crypto Mining Indicators
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Crypto Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 584023
Sample: 64RasftubyGen11.exe
Start date: 07/03/2022
Architecture: WINDOWS
Score: 100
DNS names resolved: xmr.pool.minergate.com, pool.minergate.com
Sample-level signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures

Process tree recovered from the graph (arrows are parent -> child; dropped files, network contacts and signatures are listed under the process that produced them):

64RasftubyGen11.exe
    dropped: C:\UFR..exe (PE32)
    -> cmd.exe
        -> conhost.exe
        -> UFR..exe
            dropped: C:\Users\user\AppData\Local\Temp\...\UFR.exe (PE32)
            -> UFR.exe
                dropped: C:\Users\user\AppData\Local\...\svhoster.exe (PE32+)
                dropped: C:\Users\user\AppData\Local\Temp\UFR.exe (PE32)
                signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect virtualization through RDTSC time measurements
                -> UFR.exe
                -> svhoster.exe
                    network: pool.minergate.com 49.12.80.38 ports 45560, 49750, 49753 (HETZNER-ASDE, Germany); 49.12.80.39 port 45560 (HETZNER-ASDE, Germany); 2 other IPs or domains
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found API chain indicative of debugger detection
                    -> conhost.exe
svhoster.exe (a second instance, started from the root of the graph outside the sample's own tree)
    -> conhost.exe
Threat name: Win32.Trojan.Rasftuby
Status: Malicious
First seen: 2022-02-23 02:28:00 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 21 of 27 (77.78%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: miner persistence upx
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Cryptocurrency Miner
Loads dropped DLL
Executes dropped EXE
UPX packed file
Detected Stratum cryptominer command
Unpacked files

SHA256 hash: e8dbf4265d2059720c254a20b64954a571c8b3589fabb9d1904ccca875452ad7
MD5 hash: 7a36cc0247077b74cfac575d14de01c3
SHA1 hash: 22179793a3873cfb289763a765816672374526e7

SHA256 hash: f486b902a2face8f1823b985e900f2852f862438e6848bad61746d5309ba797b
MD5 hash: 2debb1650265f25b2896551b35ba019d
SHA1 hash: 537de104cd1a7ec647b0dd87ae5c02dd33a03aec

SHA256 hash: 8fdc0cf562b7d92f17a0830346341877a20fc4563b91960d5446a1baf58000cd
MD5 hash: cfa6664e8258848b1019f12b80bfd7aa
SHA1 hash: ba3635c74feb5cd06768c450fc0145f1d0c33c41
Detections: win_ufrstealer_auto

SHA256 hash: aafc17ce15cc9f1d01a50a3f419cf9fa2721e18831189dd226b78df41b113d2e
MD5 hash: f5f0791b948b95cab35448635ea6d2f6
SHA1 hash: 837261be22e3de48f354d2d094ffbc0d56e06e7e

SHA256 hash: facfe6d03ae63e1cb28ac57bcbc366a17b1d7dea227dbb87de6d0cb98bb53feb (the submitted sample itself)
MD5 hash: 3a35f2315dc33b6cdba331ec662fad0a
SHA1 hash: 6ae50e721f3c23dbb8928620fc9d9370c7755df8
Please note that we are no longer able to provide a coverage score for VirusTotal.
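Added example, not code from the MalwareBazaar page or from any of the vendors above: one way to turn the indicators this entry lists (the submitted and unpacked-file SHA256 values, the MinerGate pool names, IPs and ports from the behaviour graph, the PE dropped into and executed from %temp%, and the Run-key autorun) into checks over Sysmon-style events, with a small correlation step on top. The event format and every event are constructed for the example; the page elides parts of the dropped-file paths and does not say which unpacked hash belongs to which dropped file, so the full paths, the user SID and the UFR.exe hash pairing below are assumptions.

```python
# Added example (not code from MalwareBazaar or any vendor): the IOCs on this entry
# as checks over Sysmon-style events. Events, paths and the UFR.exe hash pairing are constructed/assumed.
import re
from collections import defaultdict

# SHA256 values copied from the page: the submitted sample plus the unpacked files.
SHA256_IOCS = {
    "facfe6d03ae63e1cb28ac57bcbc366a17b1d7dea227dbb87de6d0cb98bb53feb": "submitted sample",
    "e8dbf4265d2059720c254a20b64954a571c8b3589fabb9d1904ccca875452ad7": "unpacked file",
    "f486b902a2face8f1823b985e900f2852f862438e6848bad61746d5309ba797b": "unpacked file",
    "8fdc0cf562b7d92f17a0830346341877a20fc4563b91960d5446a1baf58000cd": "unpacked file (win_ufrstealer_auto)",
    "aafc17ce15cc9f1d01a50a3f419cf9fa2721e18831189dd226b78df41b113d2e": "unpacked file",
}
POOL_DOMAINS = {"pool.minergate.com", "xmr.pool.minergate.com"}  # resolved in the behaviour graph
POOL_IPS = {"49.12.80.38", "49.12.80.39"}                         # HETZNER-ASDE, per the graph
POOL_PORTS = {45560, 49750, 49753}                                # destination ports listed in the graph
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\Local\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_event(line):
    """'Key=value|Key=value' (constructed format) -> dict; only the first '=' splits a field."""
    event = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def sha256_from_hashes(hashes_field):
    """Pull the lower-cased SHA256 out of a Sysmon-style 'SHA256=...,MD5=...' field."""
    for part in hashes_field.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def check_event(event):
    """Names of every page indicator one event matches (can be several)."""
    hits = []
    etype = event.get("EventType", "")
    if "Hashes" in event:
        digest = sha256_from_hashes(event["Hashes"])
        if digest in SHA256_IOCS:
            hits.append("known_hash:" + SHA256_IOCS[digest])
    if etype == "FileCreate":   # "Creating a file in the %temp% subdirectories"
        target = event.get("TargetFilename", "")
        if TEMP_DIR.search(target) and target.lower().endswith(".exe"):
            hits.append("pe_dropped_in_temp")
    if etype == "ProcessCreate" and TEMP_DIR.search(event.get("Image", "")):
        hits.append("exec_from_temp")   # "Executes dropped EXE"
    if etype == "RegistryValueSet" and RUN_KEY.search(event.get("TargetObject", "")):
        if USER_WRITABLE.search(event.get("Details", "")):   # "Adds Run key to start application"
            hits.append("run_key_to_user_writable_path")
    if etype == "DnsQuery":
        name = event.get("QueryName", "").lower()
        if name in POOL_DOMAINS or name.endswith(".minergate.com"):
            hits.append("mining_pool_dns")
    if etype == "NetworkConnect":
        if event.get("DestinationIp") in POOL_IPS:
            hits.append("mining_pool_ip")
        port = event.get("DestinationPort", "")
        if port.isdigit() and int(port) in POOL_PORTS:
            hits.append("mining_pool_port")   # Stratum session to the pool
    return hits


def scan(lines):
    """Check every event line; return {indicator: [1-based line numbers]}."""
    findings = defaultdict(list)
    for lineno, line in enumerate(lines, start=1):
        for hit in (check_event(parse_event(line)) if line.strip() else []):
            findings[hit].append(lineno)
    return dict(findings)


def verdict(findings):
    """Pool contact plus a host-side indicator is far stronger than either alone."""
    network = any(k.startswith("mining_pool") for k in findings)
    host = any(k.startswith("known_hash") or k in ("exec_from_temp", "run_key_to_user_writable_path") for k in findings)
    return "likely_miner" if network and host else ("suspicious" if network or host else "clean")


# Constructed events following the page's process tree, not captured from a real host. Full paths,
# the SID and the UFR.exe hash pairing are assumed (the page elides paths and does not pair hashes to files).
SAMPLE_EVENTS = [
    "EventType=ProcessCreate|Image=C:\\Users\\user\\Desktop\\64RasftubyGen11.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|Hashes=SHA256=FACFE6D03AE63E1CB28AC57BCBC366A17B1D7DEA227DBB87DE6D0CB98BB53FEB,MD5=3A35F2315DC33B6CDBA331EC662FAD0A",
    "EventType=FileCreate|Image=C:\\Windows\\System32\\cmd.exe|TargetFilename=C:\\Users\\user\\AppData\\Local\\Temp\\UFR.exe",
    "EventType=ProcessCreate|Image=C:\\Users\\user\\AppData\\Local\\Temp\\UFR.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|Hashes=SHA256=8fdc0cf562b7d92f17a0830346341877a20fc4563b91960d5446a1baf58000cd",
    "EventType=RegistryValueSet|Image=C:\\Users\\user\\AppData\\Local\\Temp\\UFR.exe|TargetObject=HKU\\S-1-5-21-1-2-3-1001"
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svhoster|Details=C:\\Users\\user\\AppData\\Local\\svhoster.exe",
    "EventType=ProcessCreate|Image=C:\\Users\\user\\AppData\\Local\\svhoster.exe|ParentImage=C:\\Users\\user\\AppData\\Local\\Temp\\UFR.exe",
    "EventType=DnsQuery|Image=C:\\Users\\user\\AppData\\Local\\svhoster.exe|QueryName=pool.minergate.com",
    "EventType=NetworkConnect|Image=C:\\Users\\user\\AppData\\Local\\svhoster.exe|DestinationIp=49.12.80.38|DestinationPort=45560",
    "EventType=DnsQuery|Image=C:\\Windows\\System32\\svchost.exe|QueryName=example.com",   # benign control
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    print(result, "\nverdict:", verdict(result))
```

Running the file prints each indicator with the event lines that triggered it and the verdict. The correlation in verdict() is the point: a Run key or a process launched from %temp% on its own is routine for benign installers, while a Stratum connection to a known pool plus either host-side indicator is the combination the sandboxes above score as a miner. The hash rule is the most brittle check; svhoster.exe, the process the behaviour graph shows contacting pool.minergate.com, has no hash listed on this page at all, so the network and persistence rules are what would catch a rebuilt dropper.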

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments