MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 161c8b407d317897a6f55a2812eecbb1fe4e999156ae666933c9999f602ab81c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 161c8b407d317897a6f55a2812eecbb1fe4e999156ae666933c9999f602ab81c
SHA3-384 hash: 15d2ce3ae250a84d9e8d4a0e754807653f82214c4b11ae6d17b708efc7fa4216b5f0b3b4594c0aa504a212486b92520e
SHA1 hash: fd60ace5feea5d813deebc007c0e1933931982c5
MD5 hash: 60f4d01e21f14e48af9f2024d5a7ad59
humanhash: illinois-oregon-freddie-batman
File name:ExloaderSetup.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:19'869'696 bytes
First seen:2023-04-01 01:19:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 393216:VYvVgx3oBkGQsA33cmlCcUEGxkeq/OzxMpBt7sZxYL3of4m46:VwVgp6kGQfHcmlh6Keq/gMtQZxMo
Threatray 1 similar samples on MalwareBazaar
TLSH T13817332499BCF44DDB44A8315C15C30DA438BB61AE74EA1B9F722CAF410EF2E4B4E65D
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon cc227131697192cc (2 x CoinMiner)
Reporter Chainskilabs
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
342
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ExloaderSetup.exe
Verdict:
Malicious activity
Analysis date:
2023-04-01 01:20:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c523a187-bd85-45d5-b4b3-1a6872a41466

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Lazy.182248.20443.24946.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
DNS request
Creating a file in the Program Files subdirectories
Unauthorized injection to a system process
Using obfuscated Powershell scripts
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/75922/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer dcrat nitol packed shell32.dll tiny
Link:
https://www.filescan.io/uploads/642786c42574f671607cdba7/reports/a8ae99c6-0643-41a2-bdaf-3a5e770d3844/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/161c8b407d317897a6f55a2812eecbb1fe4e999156ae666933c9999f602ab81c
Result
Verdict:
MALICIOUS
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/472a5d65-c18a-46d9-b385-777672aeaa92
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1206175
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 839091 Sample: ExloaderSetup.exe Startdate: 01/04/2023 Architecture: WINDOWS Score: 100 84 Antivirus detection for dropped file 2->84 86 Antivirus / Scanner detection for submitted sample 2->86 88 Multi AV Scanner detection for dropped file 2->88 90 7 other signatures 2->90 8 ExloaderSetup.exe 3 2->8         started        12 updater.exe 2->12         started        14 cmd.exe 1 2->14         started        16 11 other processes 2->16 process3 file4 70 C:\Users\user\AppData\Local\...xloader.exe, PE32+ 8->70 dropped 72 C:\Users\user\...xLoader_Installer.exe, PE32+ 8->72 dropped 100 Encrypted powershell cmdline option found 8->100 18 Exloader.exe 2 8->18         started        22 ExLoader_Installer.exe 1 289 8->22         started        24 powershell.exe 7 8->24         started        74 C:\Windows\Temp\xtseyldy.tmp, PE32+ 12->74 dropped 76 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 12->76 dropped 102 Protects its processes via BreakOnTermination flag 12->102 104 Writes to foreign memory regions 12->104 106 Modifies the context of a thread in another process (thread injection) 12->106 118 3 other signatures 12->118 108 Uses cmd line tools excessively to alter registry or file data 14->108 110 Uses powercfg.exe to modify the power settings 14->110 112 Modifies power options to not sleep / hibernate 14->112 26 sc.exe 14->26         started        28 conhost.exe 14->28         started        34 9 other processes 14->34 114 Creates files in the system32 config directory 16->114 116 Uses schtasks.exe or at.exe to add and modify task schedules 16->116 30 conhost.exe 16->30         started        32 conhost.exe 16->32         started        36 29 other processes 16->36 signatures5 process6 file7 58 C:\Users\user\AppData\Local\...\xtseyldy.tmp, PE32+ 18->58 dropped 60 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 18->60 dropped 92 Multi AV Scanner detection for dropped file 18->92 94 Writes to foreign memory regions 18->94 96 Modifies the context of a thread in another process (thread injection) 18->96 98 3 other signatures 18->98 38 dialer.exe 18->38         started        62 C:\Users\user\AppData\Local\...\msvcp140.dll, PE32+ 22->62 dropped 64 C:\Users\user\AppData\...\flutter_windows.dll, PE32+ 22->64 dropped 66 C:\Users\user\...xLoader_Installer.exe, PE32+ 22->66 dropped 68 3 other files (none is malicious) 22->68 dropped 40 ExLoader_Installer.exe 22->40         started        43 conhost.exe 24->43         started        45 cmd.exe 26->45         started        48 cmd.exe 26->48         started        signatures8 process9 dnsIp10 78 meteum.ai 213.180.193.146, 443, 49700 YANDEXRU Russian Federation 40->78 80 ds-global3.l7.search.ystg1.b.yahoo.com 212.82.100.137, 443, 49701 YAHOO-IRDGB United Kingdom 40->80 82 2 other IPs or domains 40->82 120 Uses cmd line tools excessively to alter registry or file data 45->120 50 conhost.exe 45->50         started        52 reg.exe 45->52         started        54 conhost.exe 48->54         started        56 reg.exe 48->56         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/161c8b407d317897a6f55a2812eecbb1fe4e999156ae666933c9999f602ab81c/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-03-31 23:40:17 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cyoiwqd5gf4jpjxvliubf3wlwh7e5gmrk2xgm2jtzgmz6ybkxaoa._file
Verdict:
malicious
Similar samples:
1c14ef28ffa377c7e45d048614826ecfb30cd292e7462214be3de7e4505b56c2
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner persistence upx
Link:
https://tria.ge/reports/230401-bp4ccagc8y/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Sets service image path in registry
Stops running service(s)
XMRig Miner payload
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
161c8b407d317897a6f55a2812eecbb1fe4e999156ae666933c9999f602ab81c
MD5 hash:
60f4d01e21f14e48af9f2024d5a7ad59
SHA1 hash:
fd60ace5feea5d813deebc007c0e1933931982c5
Link:
https://www.unpac.me/results/0a223896-bd00-4917-8b90-2c94e66ae569/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/161c8b407d31/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/161c8b407d317897a6f55a2812eecbb1fe4e999156ae666933c9999f602ab81c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 161c8b407d317897a6f55a2812eecbb1fe4e999156ae666933c9999f602ab81c

(this sample)

  
Delivery method
Distributed via web download

Comments