MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fde84a46aea58ba4ddb5fb0473fc756ff209ba96b1a63a2759d13b8adc01a69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 14

SHA256 hash: 3fde84a46aea58ba4ddb5fb0473fc756ff209ba96b1a63a2759d13b8adc01a69
SHA3-384 hash: 353da3bb3cb17c67bafd379b16db65b24f7e52c93d1f910b8ce0ee3b0d298e89aefd05b53f74578bb37c72cb08326dce
SHA1 hash: bfc2de8f0b376a6f1ff1930a4f261709a27e92ec
MD5 hash: ca1fb1ad30189110cc225620dc537368
humanhash: oklahoma-mockingbird-high-high
File name: Photo.scr
Signature: CoinMiner
File size: 6'227'230 bytes
First seen: 2023-08-23 07:12:49 UTC
Last seen: 2025-02-17 20:23:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 91ae93ed3ff0d6f8a4f22d2edd30a58e (48 x CoinMiner)
ssdeep: 98304:RLNSThOfTCiFBXmfFs+JhTpCVoR8oMEOJ6Ty3RvX+A0eVObApY:bBfTCiUsBVSLOJgyBG3KTp
Threatray: 3 similar samples on MalwareBazaar
TLSH: T1C4563395F0806422F13D183615BA84F2B07CFCB343654A9F539E2A756D383D9263AB8F
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 7c70747474d67274 (47 x CoinMiner)
Reporter: JAMESWT_WT
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 5
# of downloads: 329
Origin country: IT

Vendor Threat Intelligence
Malware family:
ID: 1
File name: http://180.137.67.16:1080/
Verdict: Malicious activity
Analysis date: 2022-07-11 00:15:37 UTC
Tags: xmrig miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Running batch commands
Creating a process with a hidden window
Creating a file
Sending a custom TCP request
Creating a process from a recently created file
Creating a service
Launching a service
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Creating a window
Launching a process
DNS request
Sending a UDP request
Enabling autorun for a service
Launching a tool to kill processes
Forced shutdown of a system process
Launching the process to change the firewall settings
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control crypren greyware lolbin masquerade overlay packed python virus
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to infect the boot sector
Creates files with lurking names (e.g. Crack.exe)
Drops PE files to the user root directory
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (rendered graph not recoverable; node data extracted from it follows)
Behavior Graph ID: 1295685
Sample: Photo.scr.exe
Start date: 23/08/2023
Architecture: WINDOWS
Score: 100
Contacted hosts: xmr.crypto-pool.fr; router.utorrent.com; 4 other IPs or domains; 178.72.78.141 (TNGS-SOUTHRU, Russian Federation); 178.72.78.142 (TNGS-SOUTHRU, Russian Federation); 104 other IPs or domains
Processes: Photo.scr.exe; HelpPane.exe; svchost.exe; cmd.exe; conhost.exe; xmrig.exe; several other processes
Dropped files: C:\Users\user\AppData\Local\...\xmrig.exe (PE32); C:\Users\user\AppData\...\win32service.pyd (PE32); C:\Users\user\AppData\...\win32evtlog.pyd (PE32); C:\Windows\Temp\_MEI60722\xmrig.exe (PE32); C:\Windows\Temp\_MEI60722\win32service.pyd (PE32); C:\Windows\Temp\_MEI60722\win32evtlog.pyd (PE32); C:\Windows\Temp\config (ASCII); C:\Windows\Temp\config.json (JSON); C:\Windows\Temp\xmrig.exe (PE32); C:\Users\user\HelpPane.exe (PE32); plus groups of "24 other files (23 malicious)" and "23 other files (22 malicious)"
Signatures shown in the graph: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 7 other signatures; Found API chain indicative of debugger detection; Contains functionality to infect the boot sector; Creates files with lurking names (e.g. Crack.exe); Drops PE files to the user root directory; Multi AV Scanner detection for dropped file; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
Threat name: Win32.Coinminer.Malxmr
Status: Malicious
First seen: 2020-02-22 10:29:00 UTC
File Type: PE (Exe)
Extracted files: 499
AV detection: 31 of 37 (83.78%)
Threat level: 4/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery evasion persistence pyinstaller upx
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Creates a large amount of network flows
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
UPX packed file
Contacts a large (1143) amount of remote hosts
Contacts a large (1176) amount of remote hosts
Modifies Windows Firewall
Registers new Print Monitor
Unpacked files
SHA256 hash: 05508fcece26d5de9205fab70af8e81297b145e5d8a812f03df1136de49dcd8a
MD5 hash: 808c7ba93a495d70a840680e852a2db3
SHA1 hash: ea6a20629abd748613e2cc8f9897b568ae696639

SHA256 hash: e82510adc44c4ea1fb0f22b1c3550d0a0152061e7489e5fbcf51952a55c8a4ce
MD5 hash: a42c81a1edeeeed6a24de8b8cbeaf8f4
SHA1 hash: 7e904cfe7765a947e93a72d05354abdefbcba84c

SHA256 hash: 3fde84a46aea58ba4ddb5fb0473fc756ff209ba96b1a63a2759d13b8adc01a69
MD5 hash: ca1fb1ad30189110cc225620dc537368
SHA1 hash: bfc2de8f0b376a6f1ff1930a4f261709a27e92ec
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: MacOS_Cryptominer_Generic_333129b7
Author: Elastic Security

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth (Nextron Systems)
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Author: Florian Roth (Nextron Systems)
Description: Detects XMRIG crypto coin miners
Reference: https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

Rule name: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20_RID33BA
Author: Florian Roth
Description: Detects XMRIG crypto coin miners
Reference: https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller.

Rule name: QbotStuff
Author: anonymous

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: UPXProtectorv10x2
Author: malware-lu

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

Rule name: XMRIG_Monero_Miner
Author: Florian Roth (Nextron Systems)
Description: Detects Monero mining software
Reference: https://github.com/xmrig/xmrig/releases

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments