MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856
SHA3-384 hash: acb55ff86a0637792ac540635a892fe0e71b5f4e10335c84ac25a4ea04f927abe3e05ceae906efe853a547d872c08eae
SHA1 hash: 86f3d4d605561c516e08b36051cd5e1dd0adeead
MD5 hash: 56f4c85e8ff2a4e5861c5dcb5c3f85d2
humanhash: charlie-princess-ten-west
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:407'264 bytes
First seen:2024-03-14 10:27:41 UTC
Last seen:2024-03-14 12:41:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:b0SHMfqxweNNr/YuWvAsFbmilOgCCw7qmyLik8DTsa:NsfqxweNNbYLaMDaSKsa
TLSH T1EF8402F3C72C7BABC90C26FE076061E43521F3561A5453982C70459FBAA63DC41EABE9
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Bitsight
Tags:CoinMiner exe signed

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-03-14T08:10:34Z
Valid to:2025-03-14T08:10:34Z
Serial number: 616dc28eeee9f179ecbc5a6795de4073
Thumbprint Algorithm:SHA256
Thumbprint: e4a9184a3e5845067fb19b0bce047c9dbe37d6f1a52baa88573c7743146d55a2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Bitsight
url: http://15.204.38.240/files/Akh.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
389
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe
Verdict:
Malicious activity
Analysis date:
2024-03-14 10:30:07 UTC
Tags:
opendir evasion loader qrcode
Link:
https://app.any.run/tasks/0e0faaa5-b1a1-4db4-8580-e4aec9ce7042

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/479013/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.29255.20791.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Moving a file to the Program Files subdirectory
Replacing files
Blocking the User Account Control
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
89%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65f2d1385cd908a33db20f76/reports/db72dcab-19c5-409b-b385-36f1d349369c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3b39c36-bcdb-41a2-b4e2-c15f7e126e69
Result
Threat name:
Amadey, Mars Stealer, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1408860
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Disable power options
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Mars stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1408860 Sample: file.exe Startdate: 14/03/2024 Architecture: WINDOWS Score: 100 149 pastebin.com 2->149 151 564675367.xyz 2->151 153 25 other IPs or domains 2->153 171 Snort IDS alert for network traffic 2->171 173 Found malware configuration 2->173 175 Malicious sample detected (through community Yara rule) 2->175 181 25 other signatures 2->181 11 file.exe 1 3 2->11         started        14 Dctooux.exe 2->14         started        18 svchost.exe 1 1 2->18         started        20 3 other processes 2->20 signatures3 177 Connects to a pastebin service (likely for C&C) 149->177 179 Performs DNS queries to domains with low reputation 151->179 process4 dnsIp5 199 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->199 201 Writes to foreign memory regions 11->201 203 Allocates memory in foreign processes 11->203 207 4 other signatures 11->207 22 MSBuild.exe 15 138 11->22         started        27 powershell.exe 23 11->27         started        29 MSBuild.exe 11->29         started        31 WerFault.exe 11->31         started        167 5.42.64.44, 49759, 49760, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 14->167 141 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 14->141 dropped 143 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 14->143 dropped 145 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 14->145 dropped 147 2 other malicious files 14->147 dropped 205 Multi AV Scanner detection for dropped file 14->205 33 rundll32.exe 14->33         started        35 rundll32.exe 14->35         started        169 127.0.0.1 unknown unknown 18->169 37 WerFault.exe 20->37         started        39 conhost.exe 20->39         started        file6 signatures7 process8 dnsIp9 155 564675367.xyz 45.95.11.69 ULTRA-PACKETUS Italy 22->155 157 pastebin.com 104.20.68.143, 443, 49709, 49719 CLOUDFLARENETUS United States 22->157 159 18 other IPs or domains 22->159 105 C:\Users\...\xYtZMEJi0eTi4j0J6MHCLyJ7.exe, PE32 22->105 dropped 107 C:\Users\...\wq821m70U31tJs3iH22JwD9Q.exe, PE32 22->107 dropped 109 C:\Users\...\uuwMVHI5yKtjOHVNjNT1gOGU.exe, PE32 22->109 dropped 111 76 other malicious files 22->111 dropped 183 Drops script or batch files to the startup folder 22->183 185 Creates HTML files with .exe extension (expired dropper behavior) 22->185 41 k8aiddrACgF0bbJ70IqHXxT3.exe 22->41         started        45 Vhkv9hlnHnbsVNDqf5UKfNxA.exe 22->45         started        47 SdVoUb9JcCX1iQFGKGg6NNR9.exe 22->47         started        54 4 other processes 22->54 50 conhost.exe 27->50         started        52 rundll32.exe 33->52         started        187 System process connects to network (likely due to code injection or exploit) 35->187 file10 signatures11 process12 dnsIp13 163 185.172.128.90, 49748, 80 NADYMSS-ASRU Russian Federation 41->163 165 185.172.128.187, 49753, 80 NADYMSS-ASRU Russian Federation 41->165 127 C:\Users\user\AppData\Local\...\syncUpd.exe, PE32 41->127 dropped 129 C:\Users\user\AppData\Local\...\INetC.dll, PE32 41->129 dropped 131 C:\Users\user\AppData\...\BroomSetup.exe, PE32 41->131 dropped 56 syncUpd.exe 41->56         started        61 BroomSetup.exe 41->61         started        133 C:\Users\...\Vhkv9hlnHnbsVNDqf5UKfNxA.tmp, PE32 45->133 dropped 63 Vhkv9hlnHnbsVNDqf5UKfNxA.tmp 45->63         started        135 C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+ 47->135 dropped 137 C:\Windows\System32\drivers\etc\hosts, ASCII 47->137 dropped 211 Multi AV Scanner detection for dropped file 47->211 213 Uses powercfg.exe to modify the power settings 47->213 215 Modifies the hosts file 47->215 225 2 other signatures 47->225 65 cmd.exe 47->65         started        67 sc.exe 47->67         started        69 powershell.exe 47->69         started        75 10 other processes 47->75 217 Tries to steal Instant Messenger accounts or passwords 52->217 219 Uses netsh to modify the Windows network and firewall settings 52->219 221 Tries to harvest and steal ftp login credentials 52->221 227 2 other signatures 52->227 71 powershell.exe 52->71         started        73 netsh.exe 52->73         started        139 C:\Users\user\AppData\Local\...\Dctooux.exe, PE32 54->139 dropped 223 Contains functionality to inject code into remote processes 54->223 file14 signatures15 process16 dnsIp17 161 185.172.128.145 NADYMSS-ASRU Russian Federation 56->161 113 C:\Users\user\AppData\...\freebl3[1].dll, PE32 56->113 dropped 115 C:\ProgramData\freebl3.dll, PE32 56->115 dropped 189 Detected unpacking (changes PE section rights) 56->189 191 Detected unpacking (overwrites its own PE header) 56->191 193 Tries to steal Mail credentials (via file / registry access) 56->193 197 4 other signatures 56->197 195 Multi AV Scanner detection for dropped file 61->195 77 cmd.exe 61->77         started        117 C:\Users\user\AppData\...\unins000.exe (copy), PE32 63->117 dropped 119 C:\Users\user\AppData\...\textultraedit.exe, PE32 63->119 dropped 121 C:\Users\user\...\libwinpthread-1.dll (copy), PE32 63->121 dropped 125 15 other files (14 malicious) 63->125 dropped 80 textultraedit.exe 63->80         started        83 conhost.exe 65->83         started        85 wusa.exe 65->85         started        93 2 other processes 67->93 87 conhost.exe 69->87         started        123 C:\Users\user\...\246122658369_Desktop.zip, Zip 71->123 dropped 89 conhost.exe 71->89         started        91 conhost.exe 73->91         started        95 10 other processes 75->95 file18 signatures19 process20 file21 209 Uses schtasks.exe or at.exe to add and modify task schedules 77->209 97 conhost.exe 77->97         started        99 chcp.com 77->99         started        101 schtasks.exe 77->101         started        103 C:\...\DirectSoundDriver 2.36.198.67.exe, PE32 80->103 dropped signatures22 process23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856/
Threat name:
Win64.Trojan.Operaloader
Create hunting rule
Status:
Malicious
First seen:
2024-03-14 10:28:05 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bc4ggnihxov5ij2dt4p3ttqtgnob5mecvkpz2avtgmicb2cuvbla._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:glupteba family:socks5systemz family:stealc family:xmrig botnet discovery dropper evasion loader miner persistence rootkit stealer trojan upx
Link:
https://tria.ge/reports/240314-mhnh4abh68/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
NSIS installer
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
Modifies boot configuration data using bcdedit
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Windows security modification
Stops running service(s)
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
XMRig Miner payload
Amadey
Detect Socks5Systemz Payload
Glupteba
Glupteba payload
Socks5Systemz
Stealc
UAC bypass
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://5.42.64.44
http://185.172.128.145
Unpacked files
SH256 hash:
08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856
MD5 hash:
56f4c85e8ff2a4e5861c5dcb5c3f85d2
SHA1 hash:
86f3d4d605561c516e08b36051cd5e1dd0adeead
Link:
https://www.unpac.me/results/25c30ce3-6e03-41a4-bf01-3c761d52e376/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/08b8633507bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2781338/
Cape
Cape
https://www.capesandbox.com/analysis/479013/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments