MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16a11d885f34f4bb1efd610f77264287ae7b0d2504ff486cd5287fb9be5ecc0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16a11d885f34f4bb1efd610f77264287ae7b0d2504ff486cd5287fb9be5ecc0b
SHA3-384 hash: 0e95af5086eb3580b9719c4c65c3edc061698f537efb2496fc349d62a38ab4dcef9649193df9a936bc161dcab0fd601b
SHA1 hash: e436b532fbaed896a5942b4dd6d3cc30eb11a9eb
MD5 hash: 801962c1e74a04cbfbd691581104a5a1
humanhash: apart-bluebird-carpet-burger
File name:winrar-x64.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'817'008 bytes
First seen:2023-12-10 11:20:26 UTC
Last seen:2023-12-10 13:15:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 608505ff1e7e27ff4a42ea9c4e9f4192 (5 x LummaStealer, 3 x NetSupport, 2 x ConnectWise)
ssdeep 98304:l9iZasQra4ios7RjnRU4UApr2Y52kFjmiO32k:qZa5+osNbxrpRw
TLSH T156268D31724AC52FE96201B1192C9A9F512CBF360BB254CBB3DC2E7E1BB55C21636E17
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter Xev
Tags:CoinMiner CoinMiner.XMRig Downloader exe GuLoader signed

Code Signing Certificate

Organisation:Siam Computer (MD Kamrul Hassan)
Issuer:Sectigo Public Code Signing CA EV R36
Algorithm:sha256WithRSAEncryption
Valid from:2022-03-03T00:00:00Z
Valid to:2025-03-02T23:59:59Z
Serial number: e9e59f1418040e5a1e8ae92f0aec83d8
Intelligence: 21 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 80b7c22c5659dd209dc6750bc8141ccc53130dd903eeff9b382be9a8c8164347
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
NIXLovesCooper
Distributed via: https://freesoftplace.com/

https://ewr1.vultrobjects.com/7347c867/FreeFire-GarenaLauncher.exe
https://ewr1.vultrobjects.com/7347c867/Minecraft-Launcher.exe
https://ewr1.vultrobjects.com/7347c867/AmongUs-Installer.exe
https://ewr1.vultrobjects.com/7347c867/Roblox-Launcher.exe
https://ewr1.vultrobjects.com/7347c867/winrar-x64-br.exe
https://ewr1.vultrobjects.com/7347c867/winrar-x64.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
390
Origin country :
GR GR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/464218/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.11564.5453.18695.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Searching for the browser window
DNS request
Sending a custom TCP request
Possible injection to a system process
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
control fingerprint lolbin msiexec overlay packed powershell setupapi shell32
Link:
https://www.filescan.io/uploads/65759f1ebb9490c89ccc71e4/reports/f6e62d41-a792-47b0-badb-9ca543e5606f/overview
Verdict:
Malicious
Labled as:
Trojan.Stealerc
Link:
https://www.hybrid-analysis.com/sample/16a11d885f34f4bb1efd610f77264287ae7b0d2504ff486cd5287fb9be5ecc0b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5cee7562-df5f-41b3-9387-d52b6ee56518
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
90 / 100
Link:
https://www.joesandbox.com/analysis/1357270
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Uses whoami command line tool to query computer and username
Very long command line found
Yara detected MalDoc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1357270 Sample: winrar-x64.exe Startdate: 10/12/2023 Architecture: WINDOWS Score: 90 100 files.goriem.com 2->100 102 ewr1.vultrobjects.com 2->102 118 Multi AV Scanner detection for domain / URL 2->118 120 Antivirus detection for URL or domain 2->120 122 Multi AV Scanner detection for dropped file 2->122 124 4 other signatures 2->124 10 msiexec.exe 3 31 2->10         started        14 winrar-x64.exe 26 2->14         started        16 svchost.exe 1 2 2->16         started        signatures3 process4 dnsIp5 76 C:\Windows\Installer\MSIF829.tmp, PE32 10->76 dropped 78 C:\Windows\Installer\MSICE46.tmp, PE32 10->78 dropped 80 C:\Windows\Installer\MSI917F.tmp, PE32 10->80 dropped 88 9 other malicious files 10->88 dropped 134 Drops executables to the windows directory (C:\Windows) and starts them 10->134 19 msiexec.exe 32 10->19         started        23 msiexec.exe 10->23         started        25 MSI916E.tmp 2 16 10->25         started        82 C:\Users\user\AppData\Local\...\MSI8D44.tmp, PE32 14->82 dropped 84 C:\Users\user\AppData\Local\...\MSI8D05.tmp, PE32 14->84 dropped 86 C:\Users\user\AppData\Local\...\MSI8CC5.tmp, PE32 14->86 dropped 90 3 other files (2 malicious) 14->90 dropped 27 msiexec.exe 14->27         started        98 127.0.0.1 unknown unknown 16->98 file6 signatures7 process8 file9 72 C:\Users\user\AppData\Local\...\scr9214.ps1, Unicode 19->72 dropped 74 C:\Users\user\AppData\Local\...\pss9225.ps1, Unicode 19->74 dropped 126 Query firmware table information (likely to detect VMs) 19->126 29 powershell.exe 16 19->29         started        32 powershell.exe 19->32         started        34 powershell.exe 19->34         started        36 powershell.exe 19->36         started        128 Bypasses PowerShell execution policy 23->128 38 chrome.exe 1 25->38         started        signatures10 process11 dnsIp12 136 Very long command line found 29->136 138 Encrypted powershell cmdline option found 29->138 140 Uses whoami command line tool to query computer and username 29->140 142 Powershell drops PE file 29->142 41 powershell.exe 2 31 29->41         started        44 conhost.exe 29->44         started        46 powershell.exe 32->46         started        50 conhost.exe 32->50         started        52 powershell.exe 34->52         started        54 conhost.exe 34->54         started        56 powershell.exe 36->56         started        58 conhost.exe 36->58         started        104 192.168.2.4 unknown unknown 38->104 106 239.255.255.250 unknown Reserved 38->106 60 chrome.exe 38->60         started        signatures13 process14 dnsIp15 130 Potential dropper URLs found in powershell memory 41->130 132 Uses whoami command line tool to query computer and username 41->132 62 chcp.com 41->62         started        64 whoami.exe 41->64         started        108 ewr1.vultrobjects.com 108.61.0.122 AS-CHOOPAUS United States 46->108 110 files.goriem.com 149.28.239.184 AS-CHOOPAUS United States 46->110 92 C:\ProgramData\BraveCrashHandler.exe, PE32 46->92 dropped 66 chcp.com 46->66         started        94 C:\Users\user\...behaviorgraphoogleCrashHandler.exe, PE32 52->94 dropped 68 chcp.com 52->68         started        96 C:\Users\user\...behaviorgraphoogleCrashHandler64.exe, PE32 56->96 dropped 70 chcp.com 56->70         started        112 www.google.com 142.250.189.132 GOOGLEUS United States 60->112 114 accounts.google.com 142.250.217.173 GOOGLEUS United States 60->114 116 7 other IPs or domains 60->116 file16 signatures17 process18
Score:
24%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/16a11d885f34f4bb1efd610f77264287ae7b0d2504ff486cd5287fb9be5ecc0b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16a11d885f34f4bb1efd610f77264287ae7b0d2504ff486cd5287fb9be5ecc0b/
Threat name:
Win32.Trojan.Malagent
Create hunting rule
Status:
Malicious
First seen:
2023-12-10 11:21:06 UTC
File Type:
PE (Exe)
Extracted files:
73
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c2qr3cc7gt2lwhx5mehxojscq6xhwdjfat7uq3gvfb73tps6zqfq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence ransomware trojan
Link:
https://tria.ge/reports/231210-nfzn1sege3/
Behaviour
Delays execution with timeout.exe
Enumerates system info in registry
Interacts with shadow copies
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Drops startup file
Blocklisted process makes network request
Downloads MZ/PE file
Deletes shadow copies
Unpacked files
SH256 hash:
16a11d885f34f4bb1efd610f77264287ae7b0d2504ff486cd5287fb9be5ecc0b
MD5 hash:
801962c1e74a04cbfbd691581104a5a1
SHA1 hash:
e436b532fbaed896a5942b4dd6d3cc30eb11a9eb
Link:
https://www.unpac.me/results/05e64a60-faae-4af7-ae73-1901a53ccb05/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/16a11d885f34/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16a11d885f34f4bb1efd610f77264287ae7b0d2504ff486cd5287fb9be5ecc0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 16a11d885f34f4bb1efd610f77264287ae7b0d2504ff486cd5287fb9be5ecc0b

(this sample)

Executable exe b8dd4a784dda6eba1e23db2b1a8efe64c213136ea8d92680324af4bb2035416e

  
Dropping
SHA256 b8dd4a784dda6eba1e23db2b1a8efe64c213136ea8d92680324af4bb2035416e
  
Dropping
SHA256 282e89ab3858800c8fbce89effebd7b9f7b1c280a5ff7639767a6c520f85b350
  
Dropping
SHA256 973351c6e94ef6a171e914bff05861091ccf76ac1f4d38a81faa25b8e0cd8038
  
Dropping
SHA256 8533255994dc6fa22f021e4ffec0a878257da481c97a75b37ad8841e493e9596
  
Dropping
SHA256 4de6e6c9c7bc0be888edd0b0cca866cbee745d6df2c0f34d762055cef879a0cc
  
Dropping
SHA256 83a61ace576b458db3215a3215e25b1ea0bc98f3177f49c28951e4f36e547f2b
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/464218/
  
URLhaus
https://urlhaus.abuse.ch/url/2739270/
  
URLhaus
https://urlhaus.abuse.ch/url/2739271/
  
URLhaus
https://urlhaus.abuse.ch/url/2739272/
  
URLhaus
https://urlhaus.abuse.ch/url/2739273/
  
URLhaus
https://urlhaus.abuse.ch/url/2739274/
  
URLhaus
https://urlhaus.abuse.ch/url/2739275/
  
Dropping
MD5 9651ede72bae625a1acf243c43e46c15
  
Dropping
MD5 a82cbfdc35b514daf6c4ce754eb24ffb
  
Dropping
MD5 c39cff08202cc032a0bf46f63e57aeb8
  
Dropping
MD5 9ac2eaf81fe372b44d2663f00f8a3c8c
  
Dropping
MD5 817c61d5014f8c26ef6a0c4d4e5d8d82
  
Dropping
MD5 688e3439d196b920936a08d5d70fbfa2

Comments