MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957
SHA3-384 hash: a45252848aedf070ad9cb1fc6d19b0509d798f016cf29e554fd651fc0426f40e0fb4581f3827516fbb03e0b924e6d910
SHA1 hash: 6779946a2959078f21509f7b11e19b33435de555
MD5 hash: ea4b4ec80f45958158d072e1831f8ac7
humanhash: four-mango-moon-harry
File name:ea4b4ec80f45958158d072e1831f8ac7
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'236'928 bytes
First seen:2021-10-15 14:44:43 UTC
Last seen:2021-10-15 16:11:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:642jPfGa80VhQ+QaCjkn0CKygHvP4Qyf9e9iI0Oc:tkXlLVh5wkpKy4v+FQibOc
Threatray 190 similar samples on MalwareBazaar
TLSH T11CA533B1D2F994BCE2DE04376BA195F21B2AD18F510BE5C356BFAC4CC1868A14533B4B
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
389
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ea4b4ec80f45958158d072e1831f8ac7
Verdict:
No threats detected
Analysis date:
2021-10-15 14:48:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/297f039c-cc37-4751-936a-d8a77a9c6f37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197783/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.78844.4637.17028.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Connecting to a cryptocurrency mining pool
Connection attempt
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Enabling autorun for a service
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/616993f2db358dd15eb9cbbd/reports/f31a0f53-39bc-48f7-a350-2165a10503a1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a3a6300-0805-4dcb-9acb-9d4e9df1b4fd
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871205
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
DNS related to crypt mining pools
Drops PE files to the user root directory
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Svchost Process
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 503633 Sample: p5x6Tk5245 Startdate: 15/10/2021 Architecture: WINDOWS Score: 100 107 Sigma detected: Xmrig 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 6 other signatures 2->113 11 p5x6Tk5245.exe 2->11         started        14 services32.exe 2->14         started        16 svchost.exe 2->16         started        18 7 other processes 2->18 process3 dnsIp4 131 Writes to foreign memory regions 11->131 133 Allocates memory in foreign processes 11->133 135 Creates a thread in another existing process (thread injection) 11->135 21 conhost.exe 5 11->21         started        137 Multi AV Scanner detection for dropped file 14->137 25 conhost.exe 4 14->25         started        139 Changes security center settings (notifications, updates, antivirus, firewall) 16->139 27 MpCmdRun.exe 16->27         started        91 192.168.2.1 unknown unknown 18->91 141 System process connects to network (likely due to code injection or exploit) 18->141 signatures5 process6 file7 83 C:\Users\user\services32.exe, PE32+ 21->83 dropped 85 C:\Users\...\services32.exe:Zone.Identifier, ASCII 21->85 dropped 127 Drops PE files to the user root directory 21->127 129 Adds a directory exclusion to Windows Defender 21->129 29 cmd.exe 1 21->29         started        31 cmd.exe 1 21->31         started        34 cmd.exe 1 21->34         started        36 sihost64.exe 25->36         started        38 cmd.exe 25->38         started        40 cmd.exe 25->40         started        42 conhost.exe 27->42         started        signatures8 process9 signatures10 44 services32.exe 29->44         started        47 conhost.exe 29->47         started        149 Uses schtasks.exe or at.exe to add and modify task schedules 31->149 151 Adds a directory exclusion to Windows Defender 31->151 49 powershell.exe 19 31->49         started        51 powershell.exe 23 31->51         started        53 conhost.exe 31->53         started        57 2 other processes 34->57 153 Writes to foreign memory regions 36->153 155 Allocates memory in foreign processes 36->155 157 Creates a thread in another existing process (thread injection) 36->157 55 conhost.exe 36->55         started        59 3 other processes 38->59 61 2 other processes 40->61 process11 signatures12 143 Writes to foreign memory regions 44->143 145 Allocates memory in foreign processes 44->145 147 Creates a thread in another existing process (thread injection) 44->147 63 conhost.exe 5 44->63         started        process13 file14 87 C:\Users\user\AppData\...\sihost64.exe, PE32+ 63->87 dropped 89 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 63->89 dropped 99 Writes to foreign memory regions 63->99 101 Modifies the context of a thread in another process (thread injection) 63->101 103 Adds a directory exclusion to Windows Defender 63->103 105 2 other signatures 63->105 67 sihost64.exe 63->67         started        70 cmd.exe 63->70         started        72 svchost.exe 63->72         started        signatures15 process16 dnsIp17 115 Multi AV Scanner detection for dropped file 67->115 117 Writes to foreign memory regions 67->117 119 Allocates memory in foreign processes 67->119 121 Creates a thread in another existing process (thread injection) 67->121 75 conhost.exe 67->75         started        123 Adds a directory exclusion to Windows Defender 70->123 77 conhost.exe 70->77         started        79 powershell.exe 70->79         started        81 powershell.exe 70->81         started        93 139.99.101.197, 14433, 49761 OVHFR Canada 72->93 95 139.99.102.74, 14433, 49759 OVHFR Canada 72->95 97 2 other IPs or domains 72->97 125 Query firmware table information (likely to detect VMs) 72->125 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 01:38:08 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395
CoinMiner
12439fc7c876b8bf881db4e97ed57827c1c4f2fd0ebccc29a4e197b19c80488b
CoinMiner
2636b0f988e2d2129d014b870101be731b72d39e4f8ff12156b1b523a5c36c6a
CoinMiner
40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
CoinMiner
979489468d527202ce55a465799013a16fccfcc838d523707a016e064a0e85a1
CoinMiner
b41455dfe45bf98bd2f1acec07d7a0df02a3c83e1fdecfb403df3984ab794761
CoinMiner
e558134f888d403ba60d7db59978502a9071951528cd4873bd4702921012d69e
CoinMiner
ef25bb229ec8ca7d7b2e3d4e23036b74bdc8b9154bb4c5b532e7ea2a0a7c8ee6
CoinMiner
f84c1b53daf8279593ae9a9f6d8590ceb488318ce70a09bf25bfbf494398a83c
CoinMiner
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
CoinMiner
+ 180 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211015-r4qykabag8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957
MD5 hash:
ea4b4ec80f45958158d072e1831f8ac7
SHA1 hash:
6779946a2959078f21509f7b11e19b33435de555
Link:
https://www.unpac.me/results/ee571d0f-9c93-4dbb-bc42-51cf2b06ab95/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fbf130705ed4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197783/

Comments


Avatar
zbet commented on 2021-10-15 14:44:45 UTC

url : hxxp://uplooder.net/f/tl/91/4fa417b6e6303a2c5222c6e3332344ce/mclient.exe