MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffc3d4c2d7568d3d632ba01f05fcb54bb8bc2b73afabc4741999957498011568. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments 1

SHA256 hash:	ffc3d4c2d7568d3d632ba01f05fcb54bb8bc2b73afabc4741999957498011568
SHA3-384 hash:	9a82676ccb6119c41a1d41d32f7d29143d86be2f0e6bcf124c3cf112b0b0aa65a3f9dd8c10b89470fd9f2ff6b84f4ae5
SHA1 hash:	7cff60e19482e15af32ad00bd31726d290eb37de
MD5 hash:	9bb8c2398b05475e367347edc42f44ae
humanhash:	bulldog-virginia-uranus-maryland
File name:	9bb8c2398b05475e367347edc42f44ae
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	7'336'392 bytes
First seen:	2022-01-14 17:55:39 UTC
Last seen:	2022-01-14 20:02:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c5640c7a22008f949f9bc94a27623f95 (3 x RaccoonStealer, 3 x IrisStealer, 2 x CoinMiner)
ssdeep	196608:qW+hvICteEroXxqENE+sKsXXgvkeNAhOhMCG+N2bL:UInEroXjsKkXgsq3hVN0
TLSH	T193763300B3E808EEF87B8938C5658621A0B2B5679759C4DF17BC835E9F935D36E73A04
Reporter	zbetcheckin
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

342

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9bb8c2398b05475e367347edc42f44ae

Verdict:

No threats detected

Analysis date:

2022-01-14 18:14:30 UTC

Tags:

installer

Link:

https://app.any.run/tasks/666350dd-cdf6-4d0e-899b-379d82624ab1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PyInstaller

Link:

https://www.capesandbox.com/analysis/219379/

Detection(s):

SecuriteInfo.com.PyInstaller.21084.8990.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Running batch commands

Сreating synchronization primitives

Launching a process

Creating a window

Searching for synchronization primitives

Creating a process from a recently created file

Searching for analyzing tools

Searching for the window

Launching a service

Modifying a system file

Creating a file in the %AppData% subdirectories

Creating a file in the Windows subdirectories

Creating a process with a hidden window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4209/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe expand.exe greyware overlay packed

Link:

https://www.filescan.io/uploads/61e1b93b1883c5ba4ecc863e/reports/511ba30c-4535-4c2d-9998-f270f0f1d806/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ee0e1c49-309a-4aee-a039-cdc86df38682

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/920884

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ffc3d4c2d7568d3d632ba01f05fcb54bb8bc2b73afabc4741999957498011568/

Threat name:

Win64.Trojan.Scar

Status:

Malicious

First seen:

2022-01-14 17:56:36 UTC

File Type:

PE+ (Exe)

Extracted files:

516

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=77b5jqwxk2gt2yzluapql7fvjo4lyk3tv6v4i5aztgkxjgabcvua._file

Verdict:

malicious

Result

Malware family:

loaderbot

Score:

10/10

Tags:

family:loaderbot loader miner persistence pyinstaller suricata

Link:

https://tria.ge/reports/220114-wh26xshhdn/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Drops startup file

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

LoaderBot executable

LoaderBot

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

Unpacked files

SH256 hash:

ffc3d4c2d7568d3d632ba01f05fcb54bb8bc2b73afabc4741999957498011568

MD5 hash:

9bb8c2398b05475e367347edc42f44ae

SHA1 hash:

7cff60e19482e15af32ad00bd31726d290eb37de

Link:

https://www.unpac.me/results/cd9da909-6f8d-472b-983d-cacd005637bc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ffc3d4c2d7568d3d632ba01f05fcb54bb8bc2b73afabc4741999957498011568

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	MALWARE_Win_CoinMiner04 Create hunting rule
Author:	ditekSHen
Description:	Detects coinmining malware

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

exe ffc3d4c2d7568d3d632ba01f05fcb54bb8bc2b73afabc4741999957498011568

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1976980/

Cape

https://www.capesandbox.com/analysis/219379/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-01-14 17:55:41 UTC

url : hxxp://81.163.30.181/l1.exe