MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f271463809e635db89f37ae4a252605054d97e62c13f5cc696af8ca5f6d9e42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f271463809e635db89f37ae4a252605054d97e62c13f5cc696af8ca5f6d9e42
SHA3-384 hash: 8c7baf737e5ab83a9ff821be0f7f624795369a0ef6b198460dde568ab711b0dd8e1af03ff7814860130726cd3a0783f1
SHA1 hash: 94f6ff29fdd3643b222fd2268eb856eed666349c
MD5 hash: 6593086d6339125748f10b47b18d0796
humanhash: freddie-west-enemy-three
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'492'112 bytes
First seen:2022-11-22 06:14:41 UTC
Last seen:2022-11-22 09:38:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e7294129e47758c077ccbe7cdb2d27b (3 x CoinMiner)
ssdeep 24576:7XyX6Zwpe0HjF/eTSY5hbJhx71gNKbFtvYVuONcXLz7rW/n:7Wjpe0FQ3Dh1gN+FKuONcXL/rc
Threatray 2'310 similar samples on MalwareBazaar
TLSH T19E658C0127A4FA00C19F59B158BA49A526E37FD64C30512767E839CA9FB32C03D6D7EE
File icon (PE):PE icon
dhash icon ca939c8683e79cdc (2 x CoinMiner, 1 x RedLineStealer)
Reporter andretavare5
Tags:CoinMiner exe signed

Code Signing Certificate

Organisation:Logitech Z-706 Template NET
Issuer:Logitech Z-706 Template NET
Algorithm:sha1WithRSAEncryption
Valid from:2022-11-20T19:56:50Z
Valid to:2032-11-21T19:56:50Z
Serial number: 5418d18f550806894d6a458c32cc4d85
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8f14641df904c0f86c6aaad6653187f1b4af213d38feec8da3b34ad2a31ebb1a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://smart.klarerp.com/svcrun.exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-22 06:17:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/73a0280f-629a-44c3-8559-9e1b10b5fc99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337071/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.29444.20475.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a file
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Creating a window
Sending an HTTP POST request
Searching for synchronization primitives
DNS request
Connecting to a cryptocurrency mining pool
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Enabling autorun for a service
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/637c68e9a0efd596b82f1668/reports/34298d50-5ab2-42a1-8621-8acccce71174/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d2bbc0a0-c789-45a5-bc65-1cf519c99e88
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1118677
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
DNS related to crypt mining pools
Found strings related to Crypto-Mining
PE file has nameless sections
Sets debug register (to hijack the execution of another thread)
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f271463809e635db89f37ae4a252605054d97e62c13f5cc696af8ca5f6d9e42/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2022-11-22 06:15:14 UTC
File Type:
PE+ (Exe)
Extracted files:
386
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h4triy4atzrv3oe7g6xeujjgaucu3f7gfqj7ltdjnl4mux3ntzba._file
Verdict:
unknown
Similar samples:
119b74aee8f21aaa186847b21d1a3f044f0da37cc90eac7eb11fdfddefb97ecb
CoinMiner
22f8e3e67026a0c0cc124733c97fde78810a8283745136684227a09ae2adb7d1
CoinMiner
373d65f3354cfcee2776e9769348bc731ece35716ed9fa9d7b7b05f46b72ef0a
CoinMiner
76157646cba06f9895750597b70f8f0aadf2028f8c16f2f23cb06100b7f76d06
CoinMiner
7e9cb3b696913bfdef0f58ca98b7d74f03d6aa836f871d5df788f4f56ad13496
CoinMiner
8ac627582027452e0d1cf2f8c30eded210faf94e01dcebe7cc4864f2bf1b23e9
CoinMiner
949da0a80e3d9fba5e97b8d7a9c4706f9c5bc6e0d72912f3bbc3c774c861e11d
CoinMiner
cbb7c0a2ff54a2d77daecd0e6750b52b8ef674a3709c2d4802eb0ad616f9d47b
CoinMiner
e871eaface7a5ec475a1fc46de2db3e184459b5b5c5c6229741999a8bf62528b
CoinMiner
edb7491e35601c51676c772425cf762ff753b4ecd5ec939f3a4edc3f3e7cd2df
CoinMiner
+ 2'300 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/221122-gzxv7sce22/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
3f271463809e635db89f37ae4a252605054d97e62c13f5cc696af8ca5f6d9e42
MD5 hash:
6593086d6339125748f10b47b18d0796
SHA1 hash:
94f6ff29fdd3643b222fd2268eb856eed666349c
Link:
https://www.unpac.me/results/85307562-186d-4833-a785-5d882e296582/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3f271463809e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3f271463809e635db89f37ae4a252605054d97e62c13f5cc696af8ca5f6d9e42

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/337071/
  
URLhaus
https://urlhaus.abuse.ch/url/2408852/

Comments