MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 350b4cf73ee727528bb558b35390d3b38d1a8e9c7ac55e05ec19c0ff91272c96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	350b4cf73ee727528bb558b35390d3b38d1a8e9c7ac55e05ec19c0ff91272c96
SHA3-384 hash:	1dc74dd354953c1ffc4b6a13e6506fb11a899a7d3e0b3894f4dced476e91f2c7a4735e2028312d65933461605dbe35f4
SHA1 hash:	e8baa9529016ef1aa457df336a03f9bc1f1c1d66
MD5 hash:	727c482723317a4b9c43562f5a7a6815
humanhash:	cold-lamp-idaho-single
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	857'600 bytes
First seen:	2023-01-09 11:53:53 UTC
Last seen:	2023-01-09 13:29:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2a414deee0a3888787cdc53e7539a092 (1 x CoinMiner)
ssdeep	24576:dx0cvng/ho6FxkgkOJ56wnJB3aLDJtnjgmrbmAO:jZvng/hNxkgk9jh
Threatray	2'510 similar samples on MalwareBazaar
TLSH	T1EB05BF0AED750B08E9AE8D330A7D53640FA66D0B373184587D327659D8EDB522EEC738
File icon (PE):
dhash icon	b2f0f08acab2b296 (3 x CoinMiner, 1 x RedLineStealer)
Reporter	andretavare5
Tags:	CoinMiner exe

andretavare5

Sample downloaded from http://orderedami.com/svcrun.exe

Intelligence

File Origin

# of uploads :

# of downloads :

188

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-01-09 11:56:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/65e3b930-a40b-4a0b-a346-6aee3c5aa493

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/351082/

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.5793.1632.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Using the Windows Management Instrumentation requests

Running batch commands

Creating a process with a hidden window

Creating a window

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63bc005e40e878e304240b97/reports/53f806ce-ca02-4be4-b158-e099af121189/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f4285eaa-3bda-4251-96ec-0c028758face

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1147931

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

DNS related to crypt mining pools

Found strings related to Crypto-Mining

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Snort IDS alert for network traffic

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/350b4cf73ee727528bb558b35390d3b38d1a8e9c7ac55e05ec19c0ff91272c96/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-01-09 11:54:09 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gufuz5z644tvfc5vlczvhegtwogrvdu4plcv4bpmdhap7ejhfsla._file

Verdict:

unknown

CoinMiner

373d65f3354cfcee2776e9769348bc731ece35716ed9fa9d7b7b05f46b72ef0a

CoinMiner

3f271463809e635db89f37ae4a252605054d97e62c13f5cc696af8ca5f6d9e42

CoinMiner

46f8f11c73025c6b52c57ce3e5f98a560d30e6ddfec8f176b917255fbdf89010

CoinMiner

4b832681660bd5727a36443544b83d5a69ccc47143220f7b3ea924b81bfe2fc4

CoinMiner

7bd34b7923a17098175c99070569b5a49e8dea6921edcbce273ec7f59e8ab9d1

CoinMiner

8be2caee636b007be2f3f6a6154457877113e2538ffcbad2984e1372a089759f

CoinMiner

b2f4f507571ff0b863c431e03fc40893e651f2a887ed1db62f16ff84ad61aa07

CoinMiner

d0fbf3474aaa13885c128e535f5a02585a4a7b75140d0679d1fc0d0f66bb07e8

CoinMiner

d2b55acbf3aa2b30df7033794577c5cf5ebd57a4372e4f64c32bfb5b5445ca6d

CoinMiner

+ 2'500 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/230109-n2v8qaea76/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

XMRig Miner payload

xmrig

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bd2ab7f0-45c2-408b-ab10-c0e9b9d00b71

Unpacked files

SH256 hash:

350b4cf73ee727528bb558b35390d3b38d1a8e9c7ac55e05ec19c0ff91272c96

MD5 hash:

727c482723317a4b9c43562f5a7a6815

SHA1 hash:

e8baa9529016ef1aa457df336a03f9bc1f1c1d66

Link:

https://www.unpac.me/results/ee7f1025-1128-4961-b3ad-80b1380e542d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/350b4cf73ee7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.19

Link:

https://yomi.yoroi.company/submissions/350b4cf73ee727528bb558b35390d3b38d1a8e9c7ac55e05ec19c0ff91272c96

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2497706/

Cape

https://www.capesandbox.com/analysis/351082/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample