MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 172998995b63bc4a4efc8f6d1d879e00822f6fe338f5bb04360b81e2b4c48473. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	172998995b63bc4a4efc8f6d1d879e00822f6fe338f5bb04360b81e2b4c48473
SHA3-384 hash:	e109351403ce23d1cbbe77ba478b26b87219e95837aa586eac87c93cf461859fbeadf456c59ba0700c449169fa9fbfe7
SHA1 hash:	c1541db0eca07cfc55bd836625679eea9152f924
MD5 hash:	b4ebe61a7e0eff941669d74aedf44448
humanhash:	washington-glucose-georgia-tango
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	2'608'640 bytes
First seen:	2023-08-09 17:42:09 UTC
Last seen:	2023-08-09 18:56:21 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:nhf0px22bHPywbdqzqeiTt6AbqLorDi6abtLjGmGYb6Y7vRs/+pOG4:qDvyq4qvFWL0ocG
Threatray	3'078 similar samples on MalwareBazaar
TLSH	T1B3C5A70E75486C6FDC1D04B28D1FA614875587BE56C3A647394B10E84B3F283AECDBBA
TrID	40.9% (.EXE) Win64 Executable (generic) (10523/12/4) 19.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.0% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.0% (.ICL) Windows Icons Library (generic) (2059/9) 7.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	CoinMiner exe

andretavare5

Sample downloaded from http://red.mk/netTime.exe

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-08-09 18:03:15 UTC

Tags:

miner phonk loader

Link:

https://app.any.run/tasks/65cb0d22-3065-4c8a-8f7b-859f2da33ab5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/441760/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2228.25292.12780.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/172998995b63bc4a4efc8f6d1d879e00822f6fe338f5bb04360b81e2b4c48473

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/fe187b06-7c82-4050-9321-580cc191c83b

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1288851

Signature

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/172998995b63bc4a4efc8f6d1d879e00822f6fe338f5bb04360b81e2b4c48473/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-08-09 10:30:45 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

13 of 38 (34.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4uzrgk3mo6eutx4r5wr3b46acbc637dhd23wbbwboa6fngeqrzq._file

Verdict:

malicious

CoinMiner

23156e92c3d2349bbc1a03ed2c29b2d8c52bd1c6228528eba4d5e04c39e5533a

CoinMiner

3bccf05eee144854cca885ab816b75f6ce8135dd35792c6fd4470d4f7dbf9d1e

CoinMiner

4caaca2890a24087d048b3bee2a5ebd606583d12783af9544d2027bfbfb6e220

CoinMiner

67ed4226089a037258ae9c039e93f9ba85dc75409ff0c3402c69597de654cb5d

CoinMiner

88fac3e4be2eac3fec29fc706990d7afedc7960a1d659040e915e9d313f58944

CoinMiner

8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

CoinMiner

c6380b44bb9310fcfb2c80e3b0e16e3c75970d35fb5dd412a23b31ee3772d8c6

CoinMiner

ce7a9a4a88a1a9f154bb4e0650864933d87fd75bef94ec000faf24f75d0a308f

CoinMiner

d0fbf3474aaa13885c128e535f5a02585a4a7b75140d0679d1fc0d0f66bb07e8

CoinMiner

+ 3'068 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/230809-walh7sea76/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Executes dropped EXE

Loads dropped DLL

XMRig Miner payload

xmrig

Unpacked files

SH256 hash:

172998995b63bc4a4efc8f6d1d879e00822f6fe338f5bb04360b81e2b4c48473

MD5 hash:

b4ebe61a7e0eff941669d74aedf44448

SHA1 hash:

c1541db0eca07cfc55bd836625679eea9152f924

Link:

https://www.unpac.me/results/1b355510-7c39-4ca7-8c54-7233a18d4755/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/172998995b63/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/172998995b63bc4a4efc8f6d1d879e00822f6fe338f5bb04360b81e2b4c48473

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2662087/

Cape

https://www.capesandbox.com/analysis/441760/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample