MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fe833966ffd7dc6723991d4b4561f039f488ce774de7c5c6b6f9ad7a006b595. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 10



SHA256 hash: 0fe833966ffd7dc6723991d4b4561f039f488ce774de7c5c6b6f9ad7a006b595
SHA3-384 hash: 3ad0eef0d43667728b186e332762687720623866c798852ec54f06c2032fbd7ddd0e5e0de7aef6475927d0b902993dac
SHA1 hash: d4d05ffa11bc90f009edb8f028439989c68322bb
MD5 hash: b6afd95db7ddc6dc0cd39a22e8512cad
humanhash: johnny-virginia-early-south
File name: file
Signature CoinMiner
File size: 488'448 bytes
First seen: 2022-11-20 01:46:56 UTC
Last seen: 2022-11-20 03:32:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep 12288:1lf77aSAG42UMcKkbRSw/D26shoz/M+1gQPM4B:vj7AGtUMcKs/D26sez/M+tMg
Threatray 2'440 similar samples on MalwareBazaar
TLSH T152A4231249C44234CF6CED3BA7EEEBDAABF455CFB40C430DA217B21299911728BD94D5
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
dhash icon a4c8382646d2464e (1 x CoinMiner)
Reporter jstrosch
Tags:.NET CoinMiner exe MSIL X64

Intelligence


File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-20 01:50:39 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Xmrig
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 750128
Sample: file.exe
Start date: 20/11/2022
Architecture: WINDOWS
Score: 100

Sample-level signatures:
- Snort IDS alert for network traffic
- Sigma detected: Xmrig
- Malicious sample detected (through community Yara rule)
- 6 other signatures

Processes started from the sample: file.exe (three instances)

file.exe (first instance):
- Network: 176.124.215.147, 33245, 49696, 49697 (GULFSTREAMUA, Russian Federation)
- Network: github.com 140.82.121.3, 443, 49699, 49703 (GITHUBUS, United States)
- 4 other IPs or domains
- Dropped: C:\Users\user\AppData\Roaming\file.exe (PE32+)
- Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
- Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
- Writes to foreign memory regions
- 2 other signatures
- Started: AddInProcess.exe
- Started: powershell.exe

file.exe (second instance):
- Dropped: C:\Users\user\AppData\Local\...\file.exe.log (CSV)
- Antivirus detection for dropped file
- Machine Learning detection for dropped file

AddInProcess.exe:
- Network: pool.hashvault.pro 45.76.89.70, 49843, 80 (AS-CHOOPAUS, United States)
- Query firmware table information (likely to detect VMs)

powershell.exe:
- Started: conhost.exe
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Status:
Malicious
First seen:
2022-11-20 01:47:17 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
6
AV detection:
18 of 26 (69.23%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
7/10
Tags:
persistence
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Unpacked files
SHA256 hash:
0fe833966ffd7dc6723991d4b4561f039f488ce774de7c5c6b6f9ad7a006b595
MD5 hash:
b6afd95db7ddc6dc0cd39a22e8512cad
SHA1 hash:
d4d05ffa11bc90f009edb8f028439989c68322bb
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 0fe833966ffd7dc6723991d4b4561f039f488ce774de7c5c6b6f9ad7a006b595

(this sample)

  
Delivery method
Distributed via web download

Comments