MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdaae3b3560efecbdf76d5a6751c1d7c5964bb0186b81575fedce4b394a8fe0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdaae3b3560efecbdf76d5a6751c1d7c5964bb0186b81575fedce4b394a8fe0a
SHA3-384 hash: 35bb389894a4251ad2eb81f2129308fb0c770ec23310e5fafec90d7633eaba6f9bf46ffb5f1d4102d6a310d3665cd051
SHA1 hash: bd008e49df07f14bb7122b4551247502478613bf
MD5 hash: 4a1e23e8a070b3482184b8adff7f7071
humanhash: jig-spring-tango-rugby
File name:4a1e23e8a070b3482184b8adff7f7071
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'000'896 bytes
First seen:2021-10-01 09:48:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:Fz2LBiWfPI1w+uctH7C9MohTF6Y11LfRPlrryqTVNE8/Q5E:V2LBY1puctHMHTbrrTVNEp
Threatray 69 similar samples on MalwareBazaar
TLSH T12195330EB3A2441FF41D0B7FB19A8CA8B77C71AF907115E635562430152AD4AFEF06AE
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Neverlose Loader.exe
Verdict:
Malicious activity
Analysis date:
2021-10-01 11:07:09 UTC
Tags:
trojan rat redline stealer loader
Link:
https://app.any.run/tasks/7c4ac932-b8a2-4ab6-a4d6-4bac0fda57ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193953/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.46.14481.29958.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file in the system32 directory
Deleting a recently created file
Replacing files
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/686f8ee2-5c18-4a99-b2ab-bd2afa774051
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/862627
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495055 Sample: 0DcHBDYjBF Startdate: 01/10/2021 Architecture: WINDOWS Score: 92 82 Multi AV Scanner detection for submitted file 2->82 84 Yara detected BitCoin Miner 2->84 86 Machine Learning detection for sample 2->86 88 2 other signatures 2->88 10 0DcHBDYjBF.exe 5 2->10         started        14 gscript.exe 3 2->14         started        process3 file4 76 C:\Users\user\AppData\...\0DcHBDYjBF.exe.log, ASCII 10->76 dropped 100 Adds a directory exclusion to Windows Defender 10->100 16 cmd.exe 1 10->16         started        18 cmd.exe 1 10->18         started        78 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 14->78 dropped 102 Multi AV Scanner detection for dropped file 14->102 104 Machine Learning detection for dropped file 14->104 21 cmd.exe 14->21         started        23 cmd.exe 14->23         started        signatures5 process6 signatures7 25 svchost32.exe 6 16->25         started        29 conhost.exe 16->29         started        90 Uses schtasks.exe or at.exe to add and modify task schedules 18->90 92 Adds a directory exclusion to Windows Defender 18->92 31 powershell.exe 23 18->31         started        33 powershell.exe 18->33         started        35 conhost.exe 18->35         started        42 2 other processes 18->42 37 powershell.exe 21->37         started        44 4 other processes 21->44 40 conhost.exe 23->40         started        process8 dnsIp9 72 C:\Windows\System32\gscript.exe, PE32+ 25->72 dropped 74 C:\Windows\...\gscript.exe:Zone.Identifier, ASCII 25->74 dropped 96 Machine Learning detection for dropped file 25->96 98 Drops executables to the windows directory (C:\Windows) and starts them 25->98 46 gscript.exe 3 25->46         started        49 cmd.exe 1 25->49         started        51 cmd.exe 25->51         started        80 192.168.2.1 unknown unknown 37->80 file10 signatures11 process12 signatures13 106 Adds a directory exclusion to Windows Defender 46->106 53 cmd.exe 46->53         started        56 conhost.exe 49->56         started        58 schtasks.exe 1 49->58         started        60 conhost.exe 51->60         started        62 choice.exe 51->62         started        process14 signatures15 94 Adds a directory exclusion to Windows Defender 53->94 64 conhost.exe 53->64         started        66 powershell.exe 53->66         started        68 powershell.exe 53->68         started        70 2 other processes 53->70 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fdaae3b3560efecbdf76d5a6751c1d7c5964bb0186b81575fedce4b394a8fe0a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 09:45:31 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
329903818d07ba0d9e6e77b1a334e7adc0be9ca594d122ee592257b34d4e8208
CoinMiner
65bbafc229aa726d189d7607d03b1c6835ddcdf8ad6ac90017749b051f6b0770
CoinMiner
73c1188d93bd4318a830cb6d891aae7580a61c396ce37ba3676a321bbd3a137e
CoinMiner
75359481a80ae7253f5a8859cc9d899020a24af197b95f8ef2716a9f011dc3b1
CoinMiner
833ab773ed2c4e4cd2581d1e42bc5471f0621786007a8846aaf6cdfeccb198c2
CoinMiner
92d222fc274d0c981a595327cf103960535339a655ae240f9267a84aedba7f41
CoinMiner
a0c86be7bbd36ce47ea9f012fe868411819bf695472cc2b3f860bd604e082445
CoinMiner
bdbf24537950b4bb8ca32e92dc5934fd651792db3452c748d7893da61aca1710
CoinMiner
d9d30a33e55e18b21223661fd4d18a59ec2ccaca3b65325ff49d687435f17ad7
CoinMiner
dc9787f1ca396af3c6a84f52c1f4a1969b7d33999507f2093480071fc22e9d63
CoinMiner
+ 59 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/211001-ltb4rsbdfn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
xmrig
Unpacked files
SH256 hash:
fdaae3b3560efecbdf76d5a6751c1d7c5964bb0186b81575fedce4b394a8fe0a
MD5 hash:
4a1e23e8a070b3482184b8adff7f7071
SHA1 hash:
bd008e49df07f14bb7122b4551247502478613bf
Link:
https://www.unpac.me/results/111af0d4-b187-4d62-93d8-aba0a3f900fa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fdaae3b3560efecbdf76d5a6751c1d7c5964bb0186b81575fedce4b394a8fe0a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe fdaae3b3560efecbdf76d5a6751c1d7c5964bb0186b81575fedce4b394a8fe0a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1650256/
Cape
Cape
https://www.capesandbox.com/analysis/193953/

Comments


Avatar
zbet commented on 2021-10-01 09:48:34 UTC

url : hxxp://f0571088.xsph.ru/gscript.exe