MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdb9272c85d1af641c164085e524b70517beb4fdf5cf764ba56df3bebf14e2c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 8



SHA256 hash: fdb9272c85d1af641c164085e524b70517beb4fdf5cf764ba56df3bebf14e2c7
SHA3-384 hash: 86559a3b8fd9c4c76778a27017f3db8909740a084562bea49d9bdfcd08dfa629c15ba6f5196d9502b00a94dd067719aa
SHA1 hash: 76dee47d3ceda8f807d7504c314f64c47e3710b4
MD5 hash: 3692ac2947ad8dffb0747548e0225913
humanhash: spaghetti-romeo-uniform-asparagus
File name: fd.exe
Signature: CoinMiner
File size: 7'611'392 bytes
First seen: 2022-02-11 15:22:28 UTC
Last seen: 2022-02-11 16:56:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 22590512994df9e6d22bf24a16aae00d (3 x CoinMiner)
ssdeep: 196608:bC2iFhyamzCfeJjrAeV4A+9A58TaYySsMjFjZsSi5:bC/AK6HVj+aM75tGSi5
Threatray: 95 similar samples on MalwareBazaar
TLSH: T18A7623FE6254370CC41EC8799033FD04B6F5152E13F9DAAA75DBBAD07B6B8249912B02
Reporter: 0x746f6d6669
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 299
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://cdn.discordapp.com/attachments/922916416934535192/937781254231822396/global.exe
Verdict: Malicious activity
Analysis date: 2022-01-31 23:01:02 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating synchronization primitives
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Phoenix Miner
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Phoenix Miner
Behaviour
Behavior Graph (ID 570903; sample: fd.exe; start date: 11/02/2022; architecture: WINDOWS; score: 100)
Top-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected Phoenix Miner; 2 other signatures
Process tree with per-process findings (reconstructed from the graph edges):
  fd.exe (started)
    dropped: C:\Users\user\AppData\Roaming\...\RegHost.exe (PE32+)
    signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    explorer.exe (started)
      RegHost.exe (started)
        signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
        bfsvc.exe (started)
          dropped: \Device\ConDrv (ASCII)
          signatures: Hides threads from debuggers
        conhost.exe (started)
      curl.exe (started)
        network: 185.137.234.33, ports 49766, 49767, 49768 (SELECTELRU, Russian Federation)
        conhost.exe (started)
      curl.exe (started)
        conhost.exe (started)
      10 other processes
        conhost.exe (started); conhost.exe (started); conhost.exe (started); 6 other processes
    bfsvc.exe (started)
      signatures: Hides threads from debuggers
      conhost.exe (started)
    curl.exe (started)
      network: api.telegram.org (149.154.167.220), ports 443, 49765 (TELEGRAMRU, United Kingdom)
      conhost.exe (started)
    conhost.exe (started)
  RegHost.exe (started)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Modifies the context of a thread in another process (thread injection)
    bfsvc.exe (started)
      conhost.exe (started)
    explorer.exe (started)
      curl.exe (started)
        conhost.exe (started)
      2 other processes
    conhost.exe (started)
Threat name: Win64.Backdoor.Androm
Status: Malicious
First seen: 2022-02-01 15:16:16 UTC
File Type: PE+ (Exe)
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: fdb9272c85d1af641c164085e524b70517beb4fdf5cf764ba56df3bebf14e2c7
MD5 hash: 3692ac2947ad8dffb0747548e0225913
SHA1 hash: 76dee47d3ceda8f807d7504c314f64c47e3710b4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: exec_macros
Author: ddvvmmzz
Description: exec macros

Rule name: obfuscate_macros
Author: ddvvmmzz
Description: obfuscate macros
