MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41a8b4bbde769dd1d866ea6bfb8912d092234cc6f80c37893b3797e2b7f4f612. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	41a8b4bbde769dd1d866ea6bfb8912d092234cc6f80c37893b3797e2b7f4f612
SHA3-384 hash:	1d434b18a1ebf0b99e70d2a4485a26aa1a6c021bf1bce82aaabeb16063105785469d064cf2a0b0da635c4b04a5c642ae
SHA1 hash:	1e7b4bc92d75322b3c73df9f5f5b4f2f08cb314d
MD5 hash:	99fefc78f54dc27321dd31d51e841bb2
humanhash:	alanine-mobile-kilo-thirteen
File name:	er5thygfd.zip
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	7'734'693 bytes
First seen:	2024-03-18 15:00:13 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	196608:XcigPpk6YzSiTm2/ZAaSBr6sQuqgWu0k/2RxkL9dyAE8KZgx:XExpY7S2aqgWKqxUby18KC
TLSH	T10F763355EE0048C2D8952631CDBB5F1BBBF7D2C1D38D1A4289FA1578DCC2B909E9EC86
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	e24111111111111
Tags:	CoinMiner CoinMiner.XMRig file-pumped zip

Intelligence

File Origin

# of uploads :

# of downloads :

350

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	EdUpdMachine.exe
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	138'000'000 bytes
SHA256 hash:	d373492b42a14e6b91b4a64c89086e19d2a166710fa237bbda80b6d0c1a7ad8a
MD5 hash:	0aabf386604e94f11fdbd56778bb8234
De-pumped file size:	7'616'512 bytes (Vs. original size of 138'000'000 bytes)
De-pumped SHA256 hash:	15033900d35cd3096c6196dfd8c14ad926d0ffad0928b6b45bcd4b1109130929
De-pumped MD5 hash:	0bffc4361338d1d65cb44b2d67bce076
MIME type:	application/x-dosexec
Signature	CoinMiner

Vendor Threat Intelligence

Result

Verdict:

Malicious

File Type:

ZIP File - Malicious

Link:

https://app.docguard.net/41a8b4bbde769dd1d866ea6bfb8912d092234cc6f80c37893b3797e2b7f4f612/results/dashboard

Behaviour

SuspiciousEmbeddedObjects detected

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed zgrat

Link:

https://www.filescan.io/uploads/65f85736757c624818b25fb1/reports/6b21d1f0-93fa-475e-b305-9dba49d8e9f8/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/41a8b4bbde769dd1d866ea6bfb8912d092234cc6f80c37893b3797e2b7f4f612

Score:

100%

Verdict:

Malware

File Type:

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:purelogstealer family:zgrat evasion rat stealer

Link:

https://tria.ge/reports/240318-ta3flscd76/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Launches sc.exe

Suspicious use of SetThreadContext

Drops file in Drivers directory

Stops running service(s)

Detect ZGRat V1

PureLog Stealer

PureLog Stealer payload

Suspicious use of NtCreateUserProcessOtherParentProcess

ZGRat

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/41a8b4bbde769dd1d866ea6bfb8912d092234cc6f80c37893b3797e2b7f4f612

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

zip 41a8b4bbde769dd1d866ea6bfb8912d092234cc6f80c37893b3797e2b7f4f612

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2786663/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample