MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10
SHA3-384 hash: 3e94846160aaa74cc21d85bb434f0920f26c9e89b386d1a12aa84d4350d32025b95c0914cc156e08004102d932a0802e
SHA1 hash: 5d918f8945b66044b3833fbfd7c6e540421866a4
MD5 hash: 6b7465de74c38692e7072c1f48c13782
humanhash: pennsylvania-potato-sixteen-one
File name:SecuriteInfo.com.Win64.Evo-gen.25073.24639
Download: download sample
Signature CoinMiner
Create hunting rule
File size:18'746'368 bytes
First seen:2024-01-23 22:28:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6776d1a14285e6e41d63673627273c93 (3 x CoinMiner)
ssdeep 393216:1zkQk7KRrH/mW+0hvqXplKlu+ny9VQkpukHb+:15k+9mlXplKUekph
Threatray 126 similar samples on MalwareBazaar
TLSH T1F51723D089C557F4C3EA870C928B174FB7D16662D69BAE0D25D0DC032BC1E1B660BF6A
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
435
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10.exe
Verdict:
Malicious activity
Analysis date:
2024-01-23 22:33:38 UTC
Tags:
miner
Link:
https://app.any.run/tasks/417ba374-e919-4d0c-b581-8b4b316dfd26

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.25073.24639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Setting browser functions hooks
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Changing the hosts file
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/65b03db5f3cf17c17b771a99/reports/bb802cc2-136b-45fe-82a9-b78fc285e27e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/65ff2f6a-6eb4-4b7d-b7f9-cf3e0a93b7bb
Result
Threat name:
n/a
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1379909
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found hidden mapped module (file has been removed from disk)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Stop multiple services
Stops critical windows services
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1379909 Sample: SecuriteInfo.com.Win64.Evo-... Startdate: 23/01/2024 Architecture: WINDOWS Score: 100 54 Antivirus detection for dropped file 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 7 other signatures 2->60 8 SecuriteInfo.com.Win64.Evo-gen.25073.24639.exe 4 2->8         started        12 WindowsAutHost 2->12         started        14 cmd.exe 1 2->14         started        16 4 other processes 2->16 process3 file4 48 C:\Users\user\AppData\...\bybyvhosusgk.tmp, PE32+ 8->48 dropped 50 C:\Program Files\...\WindowsAutHost, PE32+ 8->50 dropped 52 C:\Windows\System32\drivers\etc\hosts, ASCII 8->52 dropped 62 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->62 64 Query firmware table information (likely to detect VMs) 8->64 66 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->66 78 7 other signatures 8->78 18 dialer.exe 8->18         started        68 Tries to detect debuggers (CloseHandle check) 12->68 70 Hides threads from debuggers 12->70 72 Uses powercfg.exe to modify the power settings 14->72 74 Stops critical windows services 14->74 76 Modifies power options to not sleep / hibernate 14->76 20 sc.exe 1 14->20         started        22 conhost.exe 14->22         started        24 sc.exe 1 14->24         started        32 3 other processes 14->32 26 conhost.exe 16->26         started        28 conhost.exe 16->28         started        30 powercfg.exe 1 16->30         started        34 5 other processes 16->34 signatures5 process6 process7 36 lsass.exe 18->36 injected 38 winlogon.exe 18->38 injected 40 dwm.exe 18->40 injected 44 11 other processes 18->44 42 conhost.exe 20->42         started        process8 46 svchost.exe 36->46 injected
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-23 22:29:09 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6lv32lcbiz5ttrd2b2u4jepd75g6hckk4v4fng4rnvwonwxbyia._file
Verdict:
malicious
Similar samples:
0bbfe17f684a3946b76fc48fd788b632cac3ad8b4a60ab6207a35d0d80584758
CoinMiner
5690f5208387bba02ca4f4954d9d479c57ca556d553795d813603a2b1f83121b
CoinMiner
8462485220bfcba052d89e06bb3eaf38343b92bc246e391050f6019e70dba6a6
CoinMiner
9c2d872fbf03c564452ffd898153a5a869a1210ab27212b8d4952ec11e158356
CoinMiner
d6e7ccaafc7a6641ce67c75483994806c20cd2a8d5235c0e74dbad4ef10ddc53
CoinMiner
e380482fc3d8c4fe11073f9734238d60ab66385e3261231358f7d02082b235cd
CoinMiner
e5e1c5b0d30a39877025ff980e81c9737ff12d5e9b742f9fd1f308082abf1606
CoinMiner
ed58046044e126ab8b740bd4d37aa52dd8eebbfd539b607bda4425e6cd3e8c66
CoinMiner
+ 116 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/240123-2d8qssbfe2/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Sets service image path in registry
Stops running service(s)
Modifies security service
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10
MD5 hash:
6b7465de74c38692e7072c1f48c13782
SHA1 hash:
5d918f8945b66044b3833fbfd7c6e540421866a4
Link:
https://www.unpac.me/results/26c72705-c477-4975-9428-67c4b6c01c65/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f975de9620a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2750863/
  
Delivery method
Distributed via web download

Comments