MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03fcf785b17d2ef8014c2bc90129da267f899218312c789ce94ee24e9a97c105. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CoinMiner
Vendor detections: 12


SHA256 hash: 03fcf785b17d2ef8014c2bc90129da267f899218312c789ce94ee24e9a97c105
SHA3-384 hash: 18248458af8e5afa7bd4117f8f0ba2ce015d97f4bac249433d19b63079f71a09adc4b22f2120343b74a8630c9f581d43
SHA1 hash: 5ba6af2698c3a3a86d1132239c0033284762f755
MD5 hash: 6efa2cd0f1f512cddfad2faa457eddcb
humanhash: nebraska-lithium-maryland-seven
File name: Qaxxckf.exe
Signature: CoinMiner
File size: 679,424 bytes
First seen: 2023-05-19 00:09:56 UTC
Last seen: 2023-05-20 15:20:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 12288:VkQDvtTSFQ/Lumd4Sx0ROtr3L+IbX8Y+D92ulpCqb5kQXn9L79f7D8C:VDlTSFQ/CvSR9b+E8Y+R2uLCqb55tL7O
Threatray: 139 similar samples on MalwareBazaar
TLSH: T1D8E423A0B2879F36D5CC6DB784450D7B28AAC77CB30CFD9E089A3750AD66A014E457F8
TrID:
  56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  11.0% (.ICL) Windows Icons Library (generic) (2059/9)
  10.9% (.EXE) OS/2 Executable (generic) (2029/13)
  10.7% (.EXE) Generic Win/DOS Executable (2002/3)
  10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter: Chainskilabs
Tags: CoinMiner, exe
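The first thing to do with a sample pulled from this entry is to confirm that what you extracted is the file the entry describes. The following Python is an added example, not code from MalwareBazaar or its tooling: it streams a file once, computes the same four digests the entry lists, and compares them and the file size against the listed values. The digest values and size are the ones from the entry above; the file path and the stand-in bytes used when run directly are constructed assumptions.

```python
import hashlib
import os

# Digests and size as listed on this MalwareBazaar entry.
LISTED_HASHES = {
    "sha256": "03fcf785b17d2ef8014c2bc90129da267f899218312c789ce94ee24e9a97c105",
    "sha3_384": "18248458af8e5afa7bd4117f8f0ba2ce015d97f4bac249433d19b63079f71a09"
                "adc4b22f2120343b74a8630c9f581d43",
    "sha1": "5ba6af2698c3a3a86d1132239c0033284762f755",
    "md5": "6efa2cd0f1f512cddfad2faa457eddcb",
}
LISTED_SIZE = 679424


def digest_bytes(data):
    """Return all four digests of an in-memory blob as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in LISTED_HASHES}


def digest_file(path, chunk_size=1 << 20):
    """Stream a file once, feeding every chunk to all four hashers."""
    hashers = {name: hashlib.new(name) for name in LISTED_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    return digests, os.path.getsize(path)


def verify(digests, size, expected=LISTED_HASHES, expected_size=LISTED_SIZE):
    """Compare per algorithm; the sample is confirmed only if everything agrees.

    The per-algorithm map is returned alongside the overall verdict so that a
    partial match (for example one mistyped value) is visible instead of being
    folded into a single False.
    """
    matches = {name: digests.get(name) == value.lower()
               for name, value in expected.items()}
    matches["size"] = size == expected_size
    return matches, all(matches.values())


if __name__ == "__main__":
    # Constructed stand-in for a sample; a real run would call
    # digest_file(path) on the executable extracted from the download archive.
    blob = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not the real sample"
    print(verify(digest_bytes(blob), len(blob)))
```

MalwareBazaar serves samples inside a password-protected archive; hash the extracted executable, not the archive, or none of the values will match. The hashes of the unpacked files further down this entry are identical to the top-level ones, so a match here also covers that section.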

Intelligence

File Origin
Uploads: 2
Downloads: 326
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Qaxxckf.exe
Verdict: Malicious activity
Analysis date: 2023-05-19 00:11:16 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:

Behaviour
  Searching for the window
  Creating synchronization primitives
  Using the Windows Management Instrumentation requests
  Creating a window
  Sending a custom TCP request
  Sending an HTTP GET request
  DNS request
  Launching a process
  Searching for synchronization primitives
  Creating a service
  Launching a service
  Loading a system driver
  Query of malicious DNS domain
  Sending a TCP request to an infection source
  Enabling autorun for a service
  Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: evad.mine
Score: 100 / 100

Signature
  .NET source code contains potential unpacker
  Antivirus / Scanner detection for submitted sample
  Detected Stratum mining protocol
  Found strings related to Crypto-Mining
  Injects a PE file into a foreign process
  Malicious sample detected (through community Yara rule)
  Modifies the context of a thread in another process (thread injection)
  Multi AV Scanner detection for submitted file
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Query firmware table information (likely to detect VMs)
  Sigma detected: Xmrig
  Writes to foreign memory regions
  Yara detected Xmrig cryptocurrency miner
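Of the signatures above, "Detected Stratum mining protocol" is the one that can be reproduced from a network capture without re-running the sandbox, because Stratum is newline-delimited JSON-RPC over a plain TCP connection. The following Python is an added example, not code from MalwareBazaar or any of the vendors quoted on this page. It classifies each line of a TCP stream as Stratum v1 (mining.subscribe, mining.authorize, mining.submit, as used against Bitcoin-style pools) or as the JSON-RPC dialect XMRig speaks to Monero pools (a login carrying login, pass and agent, answered by a result whose job has a blob and a target), and pulls the wallet and user agent out as IOCs. The method names and field names are the real protocol ones; the pool exchange in SAMPLE_STREAM, the wallet string and the job values are constructed.

```python
import json

# Client-side method names: Stratum v1 (Bitcoin-style pools) and the JSON-RPC
# dialect XMRig speaks to Monero pools (login/submit/keepalived).
STRATUM_V1_CLIENT = {"mining.subscribe", "mining.authorize", "mining.submit",
                     "mining.extranonce.subscribe"}
XMRIG_CLIENT = {"login", "submit", "keepalived"}
SERVER_PUSH = {"mining.notify", "mining.set_difficulty", "job"}


def classify_line(raw):
    """Classify one line of a TCP stream; return a finding dict or None."""
    raw = raw.strip()
    if not raw.startswith("{"):
        return None                     # Stratum is one JSON object per line
    try:
        msg = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    params = msg.get("params")
    if method in STRATUM_V1_CLIENT:
        return {"dialect": "stratum-v1", "method": method,
                "detail": params if isinstance(params, list) else None}
    if method in XMRIG_CLIENT:
        p = params if isinstance(params, dict) else {}
        # The login message carries the wallet and the miner's user agent,
        # both of which are worth keeping as IOCs.
        return {"dialect": "xmrig-jsonrpc", "method": method,
                "detail": {"agent": p.get("agent"), "login": p.get("login")}}
    if method in SERVER_PUSH:
        return {"dialect": "server", "method": method, "detail": None}
    # A pool's reply to a successful XMRig login: result.job has blob+target.
    result = msg.get("result")
    if (isinstance(result, dict) and isinstance(result.get("job"), dict)
            and {"blob", "target"} <= set(result["job"])):
        return {"dialect": "xmrig-jsonrpc", "method": "login-reply",
                "detail": {"job_id": result["job"].get("job_id")}}
    return None


def scan_stream(lines):
    """Return every Stratum/XMRig finding in order, ignoring everything else."""
    return [f for f in (classify_line(line) for line in lines) if f]


def mining_iocs(findings):
    """Collect wallets and user agents seen in login messages."""
    wallets = {f["detail"]["login"] for f in findings
               if f["method"] == "login" and f["detail"]["login"]}
    agents = {f["detail"]["agent"] for f in findings
              if f["method"] == "login" and f["detail"]["agent"]}
    return wallets, agents


# Constructed stream: one XMRig login exchange, one Stratum v1 subscribe, and
# two lines that must not fire (an HTTP request and an unrelated JSON-RPC call).
FAKE_WALLET = "4" + "A" * 94          # shape of a Monero address, not a real one
SAMPLE_STREAM = [
    json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                "params": {"login": FAKE_WALLET, "pass": "x",
                           "agent": "XMRig/6.0.0", "algo": ["rx/0"]}}),
    json.dumps({"id": 1, "jsonrpc": "2.0", "error": None,
                "result": {"id": "s1", "status": "OK",
                           "job": {"blob": "0e0e" + "00" * 74,
                                   "job_id": "j1", "target": "b88d0600"}}}),
    json.dumps({"id": 1, "method": "mining.subscribe",
                "params": ["cpuminer/2.5.1"]}),
    "GET / HTTP/1.1\r\nHost: example.invalid",
    json.dumps({"id": 7, "method": "getStatus", "params": []}),
]

if __name__ == "__main__":
    for f in scan_stream(SAMPLE_STREAM):
        print(f)
```

Run it over the reassembled payload of the TCP sessions the sandbox flagged as "Sending a custom TCP request"; miners that talk TLS to the pool will not be visible this way, so treat a clean result as "no plaintext Stratum", not as "no mining".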

Threat name: Win64.Trojan.Smokeloader
Status: Malicious
First seen: 2023-05-18 23:36:20 UTC
File Type: PE+ (.Net Exe)
Extracted files: 4
AV detection: 20 of 37 (54.05%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig, miner

Behaviour
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: LoadsDriver
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
  XMRig Miner payload
  xmrig
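WriteProcessMemory and SetThreadContext in this list, together with "Modifies the context of a thread in another process", "Writes to foreign memory regions" and "Injects a PE file into a foreign process" in the earlier report, describe the classic process-hollowing sequence: create a target suspended, write the payload into it, repoint its thread, resume it. The following Python is an added example, not code from MalwareBazaar or any vendor quoted here: it correlates that sequence in a per-process API trace and reports only chains that complete. The API names and the CREATE_SUSPENDED flag value are real; the trace format (pid, api, args, with a target_pid that a sandbox would have resolved from the handle), the pids and the target image path are constructed assumptions.

```python
from collections import OrderedDict

CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit of CreateProcess*
CREATE_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}


def detect_hollowing(trace):
    """Correlate per child process:
    created suspended -> memory written by creator -> thread context changed
    -> resumed.  Returns one finding per child that completes the chain.
    """
    children = OrderedDict()               # child_pid -> chain state
    findings = []
    for ev in trace:
        api, pid, args = ev["api"], ev["pid"], ev["args"]
        if api in CREATE_APIS:
            if args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                children[args["child_pid"]] = {
                    "creator": pid, "image": args.get("lpApplicationName"),
                    "bytes_written": 0, "context_set": False}
            continue
        state = children.get(args.get("target_pid"))
        if state is None or state["creator"] != pid:
            continue                       # only the creator's own actions count
        if api in WRITE_APIS:
            state["bytes_written"] += args.get("nSize", 0)
        elif api in CONTEXT_APIS:
            state["context_set"] = True
        elif api in RESUME_APIS:
            if state["bytes_written"] and state["context_set"]:
                findings.append({
                    "technique": "process hollowing",
                    "source_pid": pid, "target_pid": args["target_pid"],
                    "target_image": state["image"],
                    "bytes_written": state["bytes_written"]})
    return findings


# Constructed trace. pid 4100 hollows a suspended child; pid 4200 spawns a
# child normally; pid 4300 writes into a process it did not create.
SAMPLE_TRACE = [
    {"pid": 4100, "api": "CreateProcessW",
     "args": {"lpApplicationName": r"C:\Windows\System32\svchost.exe",
              "dwCreationFlags": CREATE_SUSPENDED, "child_pid": 4120}},
    {"pid": 4100, "api": "WriteProcessMemory",
     "args": {"target_pid": 4120, "nSize": 0x200}},        # PE headers
    {"pid": 4100, "api": "WriteProcessMemory",
     "args": {"target_pid": 4120, "nSize": 0x9f000}},      # sections
    {"pid": 4100, "api": "SetThreadContext", "args": {"target_pid": 4120}},
    {"pid": 4100, "api": "ResumeThread", "args": {"target_pid": 4120}},
    {"pid": 4200, "api": "CreateProcessW",
     "args": {"lpApplicationName": r"C:\Windows\System32\cmd.exe",
              "dwCreationFlags": 0, "child_pid": 4210}},
    {"pid": 4300, "api": "WriteProcessMemory",
     "args": {"target_pid": 4120, "nSize": 8}},
    {"pid": 4300, "api": "ResumeThread", "args": {"target_pid": 4120}},
]

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f)
```

Requiring the full chain is deliberate: a debugger or a crash reporter also writes foreign memory, and a legitimate launcher also creates children suspended, but very few benign programs do both and then rewrite the thread context before resuming. The target image in the finding is what tells you which process on the host is now running the miner.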
Unpacked files
SHA256 hash: 03fcf785b17d2ef8014c2bc90129da267f899218312c789ce94ee24e9a97c105
MD5 hash: 6efa2cd0f1f512cddfad2faa457eddcb
SHA1 hash: 5ba6af2698c3a3a86d1132239c0033284762f755

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature   File type        SHA256
Web download      CoinMiner   Executable exe   03fcf785b17d2ef8014c2bc90129da267f899218312c789ce94ee24e9a97c105 (this sample)

Delivery method: Distributed via web download

Comments