MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12bac7c5ff97dec030964d932091a946ce36cbfdae47030f387838da9d6e08db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12bac7c5ff97dec030964d932091a946ce36cbfdae47030f387838da9d6e08db
SHA3-384 hash: ff5333b627ada31bd12e44385f51644cf0ad248d4c054ff08aa9a5d7aa6870f2da321d0e08b516767a538fc9baf8b2aa
SHA1 hash: 1c3ec1975793a20fcc260edc206d90af9f9bc97e
MD5 hash: 355e758c66e73f61dbaaeb7174f74de0
humanhash: tennis-chicken-comet-mango
File name:355e758c66e73f61dbaaeb7174f74de0
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'614'488 bytes
First seen:2023-10-19 13:06:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 98304:o1s/4jpy2gmxkKe53H1UczNjj/Gm6XQahEb3OsPTyPw7O6c/7cB15XXX0UXE:EpyYw1U29jWLYOsPTAw7Of/7cpXtE
Threatray 13 similar samples on MalwareBazaar
TLSH T103F5338BCD064497EC830DF4262BD1A0E1D952BE48DCE251EA34E16B9BFCE25125DED3
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:64 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
390
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
355e758c66e73f61dbaaeb7174f74de0
Verdict:
Malicious activity
Analysis date:
2023-10-19 13:10:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/048be35f-3562-424d-aed6-50ae5b13cd33

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.25284.10882.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Adding an exclusion to Microsoft Defender
Changing the hosts file
Enabling autorun by creating a file
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug coinminer overlay packed packed packed upx
Link:
https://www.filescan.io/uploads/653129fa10dbe5fb92cefd39/reports/ed5aa4ed-585d-4205-87ef-57caf0185f64/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/12bac7c5ff97dec030964d932091a946ce36cbfdae47030f387838da9d6e08db
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/342740a0-31b9-40bd-b378-7f525faf99dc
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1328702
Signature
Adds a directory exclusion to Windows Defender
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Sigma detected: Stop multiple services
System process connects to network (likely due to code injection or exploit)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1328702 Sample: eQhfv0yv7V.exe Startdate: 19/10/2023 Architecture: WINDOWS Score: 100 47 minexmr2.com 2->47 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 6 other signatures 2->59 7 updater.exe 4 2->7         started        11 eQhfv0yv7V.exe 4 2->11         started        13 cmd.exe 1 2->13         started        15 6 other processes 2->15 signatures3 process4 file5 37 C:\Users\user\AppData\...\yiqbhrcvzqgl.sys, PE32+ 7->37 dropped 39 C:\Users\user\AppData\...\lpsdpjvuplib.tmp, PE32+ 7->39 dropped 61 Multi AV Scanner detection for dropped file 7->61 63 Protects its processes via BreakOnTermination flag 7->63 65 Machine Learning detection for dropped file 7->65 77 6 other signatures 7->77 17 explorer.exe 7->17         started        21 conhost.exe 7->21         started        41 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 11->41 dropped 43 C:\Windows\System32\drivers\etc\hosts, ASCII 11->43 dropped 67 Self deletion via cmd or bat file 11->67 69 Modifies the hosts file 11->69 71 Adds a directory exclusion to Windows Defender 11->71 73 Uses powercfg.exe to modify the power settings 13->73 75 Modifies power options to not sleep / hibernate 13->75 23 conhost.exe 13->23         started        25 sc.exe 1 13->25         started        33 4 other processes 13->33 27 conhost.exe 15->27         started        29 conhost.exe 15->29         started        31 conhost.exe 15->31         started        35 17 other processes 15->35 signatures6 process7 dnsIp8 45 minexmr2.com 199.85.209.60, 49745, 8443 VIMRO-AS15189US United States 17->45 49 System process connects to network (likely due to code injection or exploit) 17->49 51 Query firmware table information (likely to detect VMs) 17->51 signatures9
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/12bac7c5ff97dec030964d932091a946ce36cbfdae47030f387838da9d6e08db
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12bac7c5ff97dec030964d932091a946ce36cbfdae47030f387838da9d6e08db/
Threat name:
Win64.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-10-19 13:07:07 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ck5mprp7s7pmamewjwjsbenji3hdns75vzdqgdzypa4nvhlobdnq._file
Verdict:
malicious
Similar samples:
0949ed19896c7add471a5caa7fd5018113d602921a185d911f0cbbadb0ce35c8
CoinMiner
2d972eea915c809d3c76c56a960c82a58881c9c98db4c8e53d894227f958a4c9
CoinMiner
36409da21c9c35416d4bf8c12e76042a7bcb09b8ab659545a33bd1d078e0dd86
CoinMiner
3a5854283ec8b747cb9bec546ba88ac630e65f00ecf77e25bb89d791c1c0005b
CoinMiner
3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9
CoinMiner
597b4d64fc95e5c2178a08140e349190a0eab7eeca2d311e60df8e9a5937f5ae
CoinMiner
e0e37df0cc94853d1740756e47de53a24a185e71ec4aab36061950a8e648650f
CoinMiner
fdbb6e0a160bc94da37c53e26298f29cce2b834f1e24a8ad3dd3f8f176823fc2
CoinMiner
+ 3 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner upx
Link:
https://tria.ge/reports/231019-qcnhpahe89/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Executes dropped EXE
UPX packed file
Drops file in Drivers directory
Stops running service(s)
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
8209ef9a2f16b4c8c19fee2474cf529e7b7aa8deacdc4cdc7dfca440e5ea9526
MD5 hash:
3116accdf600733cc968f731d5560220
SHA1 hash:
f3d6b48d046c0376db730c00a156b0641d4a86a9
Link:
https://www.unpac.me/results/d3812ade-0b53-49c8-9a2f-a1b151a9690b/
SH256 hash:
12bac7c5ff97dec030964d932091a946ce36cbfdae47030f387838da9d6e08db
MD5 hash:
355e758c66e73f61dbaaeb7174f74de0
SHA1 hash:
1c3ec1975793a20fcc260edc206d90af9f9bc97e
Link:
https://www.unpac.me/results/d3812ade-0b53-49c8-9a2f-a1b151a9690b/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/12bac7c5ff97/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 12bac7c5ff97dec030964d932091a946ce36cbfdae47030f387838da9d6e08db

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2722211/

Comments


Avatar
zbet commented on 2023-10-19 13:06:56 UTC

url : hxxp://165.227.154.84:7480/yes.exe