MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f26e57fdaae826c1af166660c08d2bde4a6b03864f30c7c6e1ce3cb036bcafa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f26e57fdaae826c1af166660c08d2bde4a6b03864f30c7c6e1ce3cb036bcafa
SHA3-384 hash: 19de106b34464e12c07623b0300f871fe01595fed21df9e3f7b6296a0991b0b8b6c1d6270b36e972745a7c0b8ac2c9bb
SHA1 hash: 3205b6e75684a05e1afa1e0e15eedfe5548bb1b0
MD5 hash: 84862aeda4f10279f6c1181bbc842ca1
humanhash: cold-magnesium-crazy-alanine
File name:install.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:72'704 bytes
First seen:2023-02-08 00:45:43 UTC
Last seen:2023-02-08 02:35:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:GgccWWhZ6V5rkNUQ36xOA82qLNm+N+Bek8j0X3/zEn2cUxsvpNg9F:GgcfWho5rkNp0OA8Fg8erEn2c/m9F
Threatray 34 similar samples on MalwareBazaar
TLSH T118638E15238B46A2D16D467688B3BB742322DD2274E2E38F768C352D6B733C605537AF
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e4e4c4a01210b0e6 (1 x CoinMiner)
Reporter r3dbU7z
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
install.exe
Verdict:
Malicious activity
Analysis date:
2023-02-08 00:46:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/04cc2df1-d5af-4edd-a1f5-9782012c89e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361697/
Detection(s):
SecuriteInfo.com.Win64.DropperX-gen.14386.21914.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Running batch commands
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/63e2f0cd96add6d1cf49ff83/reports/d220e618-0e89-4fe9-9a45-fc1cf28c234e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/0f26e57fdaae826c1af166660c08d2bde4a6b03864f30c7c6e1ce3cb036bcafa
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/41de0202-5e2e-4c62-9c13-f0d438a7259e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1168325
Signature
.NET source code contains potential unpacker
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Snort IDS alert for network traffic
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 801101 Sample: install.exe Startdate: 08/02/2023 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 .NET source code contains potential unpacker 2->56 58 3 other signatures 2->58 7 install.exe 14 4 2->7         started        12 updater.exe 14 2 2->12         started        14 cmd.exe 1 2->14         started        16 2 other processes 2->16 process3 dnsIp4 48 cdn.discordapp.com 162.159.130.233, 443, 49709 CLOUDFLARENETUS United States 7->48 46 C:\Users\user\AppData\...\install.exe.log, CSV 7->46 dropped 68 Encrypted powershell cmdline option found 7->68 70 Modifies the context of a thread in another process (thread injection) 7->70 72 Injects a PE file into a foreign processes 7->72 18 cmd.exe 1 7->18         started        21 powershell.exe 16 7->21         started        23 install.exe 3 7->23         started        50 162.159.133.233, 443, 49718 CLOUDFLARENETUS United States 12->50 74 Multi AV Scanner detection for dropped file 12->74 76 Machine Learning detection for dropped file 12->76 78 Modifies power options to not sleep / hibernate 14->78 26 conhost.exe 14->26         started        28 powercfg.exe 1 14->28         started        36 3 other processes 14->36 30 conhost.exe 16->30         started        32 conhost.exe 16->32         started        34 schtasks.exe 1 16->34         started        file5 signatures6 process7 file8 60 Encrypted powershell cmdline option found 18->60 62 Uses powercfg.exe to modify the power settings 18->62 64 Modifies power options to not sleep / hibernate 18->64 38 powershell.exe 15 18->38         started        40 conhost.exe 18->40         started        66 Uses schtasks.exe or at.exe to add and modify task schedules 21->66 42 conhost.exe 21->42         started        44 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 23->44 dropped signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f26e57fdaae826c1af166660c08d2bde4a6b03864f30c7c6e1ce3cb036bcafa/
Threat name:
ByteCode-MSIL.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2023-02-08 00:46:23 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
24
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b4tok762v2bgygxrmztaycgsxxsknmbymtzqy7dodtr4wa3lzl5a._file
Verdict:
unknown
Similar samples:
009b4de6d61871ef45ca8a91d5918d6940a9ad8470bc9b746d398033c3b9557a
CoinMiner
0e02e6a114b1d11170578a5742eb65a51940b2adbb8c1dac260e942068728060
CoinMiner
376510f81da04b06b0ea217c5cf45b7798459f50a7162dc09737faaefd8a4232
CoinMiner
7c2afe7ddb9bace6a0b1c8876c27790612b3d21b542c980357910d5b6644c37b
CoinMiner
9a4dba9c3d3c74e021c2a07cb5d44aee1f36f697394d729f9735cb38792a86eb
CoinMiner
d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36
CoinMiner
d8bfac190a02982a1df4b78937e75be37887d6d158d021391db60f9af2ca45c0
CoinMiner
dfa4b25bb9a1534192d30dc3f10acd6a72c21a36bfaecae14c5d7a22dff88fd5
CoinMiner
e876ad440761c60b772b110b7e6f08c4e156ebdb17d78c55aa4594edc65ff78a
CoinMiner
+ 24 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/230208-a4msgafh2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
UPX packed file
XMRig Miner payload
xmrig
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
0f26e57fdaae826c1af166660c08d2bde4a6b03864f30c7c6e1ce3cb036bcafa
MD5 hash:
84862aeda4f10279f6c1181bbc842ca1
SHA1 hash:
3205b6e75684a05e1afa1e0e15eedfe5548bb1b0
Link:
https://www.unpac.me/results/de15bc38-66ac-4667-bdd9-3c1b95be0c0e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/0f26e57fdaae826c1af166660c08d2bde4a6b03864f30c7c6e1ce3cb036bcafa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 0f26e57fdaae826c1af166660c08d2bde4a6b03864f30c7c6e1ce3cb036bcafa

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/361697/
  
URLhaus
https://urlhaus.abuse.ch/url/2533826/

Comments