MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19aedf2b14d90e4cf5df0a8d533b1b9024ffa46ed56434ddc5d0ebcaec2487e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PripyatMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19aedf2b14d90e4cf5df0a8d533b1b9024ffa46ed56434ddc5d0ebcaec2487e9
SHA3-384 hash: 703e2e11014c934c1764a7a2ff3382047b5be0193ef131cbdd115d7ae3f86436124493710651c30f62eb121a93f134b4
SHA1 hash: f08103e661d2b6647471e8d43097674e3fbefd1f
MD5 hash: cda9cad10259f666b2274e711e2ed9fb
humanhash: social-foxtrot-floor-montana
File name:file
Download: download sample
Signature PripyatMiner
Create hunting rule
File size:10'384'384 bytes
First seen:2023-06-09 11:28:10 UTC
Last seen:2023-06-09 12:54:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f7505c167603909b7180406402fef19e (36 x CoinMiner, 3 x PripyatMiner)
ssdeep 196608:EoIRq1Ed0LseErZ4ZHafDIl7lf6YC1zmAuIV:EoEq1Ey5Erqkfkl7ezuu
Threatray 2'323 similar samples on MalwareBazaar
TLSH T1C3A6D1719C962E8BF712CD3C58B0023A8C95718374992CD52A6572F3446DFDA2FF9A32
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter jstrosch
Tags:exe PripyatMiner X64

Intelligence

File Origin
# of uploads :
2
# of downloads :
281
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-09 11:30:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/97d03ef0-4e5b-4bf7-afc1-c2fb5144cd4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/397369/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67393881.1383.21434.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Forced system process termination
Сreating synchronization primitives
Creating a file in the system32 subdirectories
Deleting a recently created file
Replacing files
DNS request
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Setting browser functions hooks
Unauthorized injection to a recently created process
Enabling autorun for a service
Unauthorized injection to a system process
Unauthorized injection to a browser process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90125/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/64830cff60dff9842c54f47c/reports/b4ae6fad-7a0b-4123-a147-c9575bce2704/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/19aedf2b14d90e4cf5df0a8d533b1b9024ffa46ed56434ddc5d0ebcaec2487e9
Result
Verdict:
MALICIOUS
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8eb093c6-76c4-4189-b36f-70e9f1187a49
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1251905
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 884925 Sample: file.exe Startdate: 09/06/2023 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for dropped file 2->82 84 9 other signatures 2->84 11 file.exe 4 2->11         started        15 powershell.exe 33 2->15         started        process3 file4 52 C:\Users\user\AppData\...\myizvwovhmrf.tmp, PE32+ 11->52 dropped 54 C:\Program Filesdge\Microsoft\service.exe, PE32+ 11->54 dropped 98 Writes to foreign memory regions 11->98 100 Modifies the context of a thread in another process (thread injection) 11->100 102 Found hidden mapped module (file has been removed from disk) 11->102 104 Maps a DLL or memory area into another process 11->104 17 dialer.exe 1 11->17         started        20 conhost.exe 15->20         started        signatures5 process6 signatures7 70 Contains functionality to inject code into remote processes 17->70 72 Writes to foreign memory regions 17->72 74 Allocates memory in foreign processes 17->74 76 3 other signatures 17->76 22 svchost.exe 17->22 injected 24 lsass.exe 17->24 injected 27 winlogon.exe 17->27 injected 29 22 other processes 17->29 process8 signatures9 31 service.exe 5 22->31         started        94 Writes to foreign memory regions 24->94 35 svchost.exe 24->35 injected process10 file11 56 C:\Windows\Temp\myizvwovhmrf.tmp, PE32+ 31->56 dropped 58 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 31->58 dropped 62 Writes to foreign memory regions 31->62 64 Modifies the context of a thread in another process (thread injection) 31->64 66 Maps a DLL or memory area into another process 31->66 68 Sample is not signed and drops a device driver 31->68 37 dialer.exe 31->37         started        signatures12 process13 dnsIp14 60 192.168.2.1 unknown unknown 37->60 86 Injects code into the Windows Explorer (explorer.exe) 37->86 88 Writes to foreign memory regions 37->88 90 Allocates memory in foreign processes 37->90 92 2 other signatures 37->92 41 powershell.exe 32 37->41         started        44 svchost.exe 37->44 injected 46 svchost.exe 37->46 injected 48 6 other processes 37->48 signatures15 process16 signatures17 96 Creates files in the system32 config directory 41->96 50 conhost.exe 41->50         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19aedf2b14d90e4cf5df0a8d533b1b9024ffa46ed56434ddc5d0ebcaec2487e9/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-04 19:59:22 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dgxn6kyu3ehez5o7bkgvgoy3sasp7jdo2vsdjxof2dv4v3beq7uq._file
Verdict:
malicious
Similar samples:
00939e25e104ed776c705ef7bbafe2aaf3f684a77a55385597f319b364241196
PripyatMiner
06e2a779b34fbd168fb85d4ee1331967a87187fa810bd3739f96bb9222869ad4
PripyatMiner
35ceaeaffaa5c91725d87076da0209f8a81feed770c8efda22bd80e8e44184bb
PripyatMiner
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
PripyatMiner
95a69137e57a900e7f2721395b6aaf1695d74f16f5e44410557514dca8849ef3
PripyatMiner
a7efca5d1cbdc8b4d5d113865af0b2eb04396cca2653c269831d207a239e83d8
PripyatMiner
adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03
PripyatMiner
b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c
PripyatMiner
ecd60313ba990f1300b37db4064977e83f109fdf93a728cf434106c1b5b5a2d5
PripyatMiner
efaaa8ecbfb81f33bbfb791209f0e386756b6a5242428d178efda0ad93ac64bf
PripyatMiner
+ 2'313 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/230609-nlkgaaca43/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Sets service image path in registry
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
19aedf2b14d90e4cf5df0a8d533b1b9024ffa46ed56434ddc5d0ebcaec2487e9
MD5 hash:
cda9cad10259f666b2274e711e2ed9fb
SHA1 hash:
f08103e661d2b6647471e8d43097674e3fbefd1f
Link:
https://www.unpac.me/results/90ee872c-0d38-4d93-9ec8-92149fb05b05/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/19aedf2b14d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/19aedf2b14d90e4cf5df0a8d533b1b9024ffa46ed56434ddc5d0ebcaec2487e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PripyatMiner

Executable exe 19aedf2b14d90e4cf5df0a8d533b1b9024ffa46ed56434ddc5d0ebcaec2487e9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/397369/

Comments