MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 14


SHA256 hash: 432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67
SHA3-384 hash: 44e60d1653f0970fd667f4e5b043a3cd797a0c973ea8614a880d4580e05b85f99fce8cb936048c1f38e483f0948b8bf0
SHA1 hash: 1628635f073c61ad744d406a16d46dfac871c9c2
MD5 hash: de08b70c1b36bce2c90a34b9e5e61f09
humanhash: seventeen-magazine-massachusetts-bakerloo
File name: de08b70c1b36bce2c90a34b9e5e61f09
Signature: CoinMiner
File size: 5'582'848 bytes
First seen: 2024-03-27 17:04:10 UTC
Last seen: 2024-05-01 17:46:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 98304:/+p+LLypykV4RJGIfsv7RynHr/x1leOzcv0nbzKIKFStIJ:/+pMLCYJ/svlUr/x1vzcvib+Ir
Threatray: 5'117 similar samples on MalwareBazaar
TLSH: T1EB46E1337B521966E7C23B32D9AB4012DB3EE1F06B72DBAF298933095907363585570B
TrID:
  59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.6% (.SCR) Windows screen saver (13097/50/3)
  8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: zbetcheckin
Tags: 32 CoinMiner exe

Intelligence


File Origin
# of uploads: 6
# of downloads: 507
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67.exe
Verdict: Malicious activity
Analysis date: 2024-03-27 17:04:53 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Forced system process termination
Deleting a recently created file
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin net_reactor packed remote

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: PureLog Stealer, zgRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Ping/Del Command Combination
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph (ID: 1416652; Sample: LQ2sKCMmXw.exe; Startdate: 27/03/2024; Architecture: WINDOWS; Score: 100)

Contacted domains / IPs:
  nickshort.ug
  kodedea.ug
  badhabits.ug (94.156.69.232, 24317, 49741, 49743; TERASYST-ASBG, Bulgaria) - contacted by InstallUtil.exe
  prakitik.ug (91.215.85.223, 49742, 49757, 49760; PINDC-ASRU, Russian Federation) - contacted by InstallUtil.exe
  3 other IPs or domains

Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  Multi AV Scanner detection for submitted file
  14 other signatures

Process tree (signatures and dropped files per node):
  IsInvalid.exe - Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    IsInvalid.exe - Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign process
      RegSvcs.exe - Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign process
        RegSvcs.exe - drops C:\Users\user\AppData\Local\...\lscrzxaf.exe (PE32+)
          lscrzxaf.exe - Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
            lscrzxaf.exe
              WerFault.exe
          cmd.exe - Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
            conhost.exe
            PING.EXE
  Tags.exe - Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Injects a PE file into a foreign process
    Tags.exe
      InstallUtil.exe
        InstallUtil.exe - contacts badhabits.ug and prakitik.ug; drops C:\Users\user\AppData\Local\Temp\muetou.exe (PE32+)
  muetou.exe - Modifies the context of a thread in another process (thread injection)
    muetou.exe - drops C:\Users\user\AppData\...\IsInvalid.exe (PE32+)
  5 other processes - drops C:\Users\user\AppData\Local\...\BLHisbnd.exe (PE32); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    BLHisbnd.exe - Machine Learning detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      BLHisbnd.exe - drops C:\Users\user\AppData\Local\...\Tags.exe (PE32)
    LQ2sKCMmXw.exe
      WerFault.exe
    conhost.exe
    3 other processes
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2024-03-27 15:58:34 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 17 of 24 (70.83%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:zgrat rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
ZGRat
Unpacked files
SHA256 hash: 3ac07494c9f66a88f6d67332df784404df49184e1a8368b8703c96b18c21b1cd
MD5 hash: 654302b4b7207ed1cacdd2df635c9ae1
SHA1 hash: a3cbabc5573b1730c35ed9184ce640b7a31d4300

SHA256 hash: 0f3b0fac11d54d42923e2ef103acf1c7b4df9f64d6d406c0fb686b5d53de6d02
MD5 hash: 64670f35037d0168749ae0e605c2faf9
SHA1 hash: 7e2192f0ea4fb36c02cc5a0d66d405ee9a60f436

SHA256 hash: b594af5864bc7a59aeca375e65b55ef79ece941a405c78612e18f6a9e2daa169
MD5 hash: 8e6e3c801825ac5dfced7add749188f8
SHA1 hash: 34834b2ca636cf7c8ae15c87d99ad95ba6bae97c

SHA256 hash: ac148aa09cb74a9676a4bb81ce6de0d21aac9c76b09ebc3d4e99fd74640c0dab
MD5 hash: f807ef15ea9489b9647e87c65012d0ed
SHA1 hash: 687b91c8586700984bc690e725322be52f10a448

SHA256 hash: bbc7b714d1fef6f51e4d92ab415cd3206736e1ce7737e93a99de161a4aa97ff2
MD5 hash: 58b0b24325810751da19a7a2297a3fbd
SHA1 hash: 6496feff7784abdc8c3024198c81b0ffe2ea21f2

SHA256 hash: 36ad4acfe5535d11dfe1e66243c8a891699d5c904c05ff647b1a4efd505e5485
MD5 hash: e7c24057691cb0098303ead1e06ec862
SHA1 hash: 3294913ef313c4850dec5b6cfd8e0ae72fd3f015

SHA256 hash: a9fd36a8577af86818c4d6428036ca72e45da876b7362574970b37d1d338fc2d
MD5 hash: 9082172e6c73ef206fbf9e68c01551e9
SHA1 hash: 1bebb2171f6c8c5eca4187219410b6dced0644e4

SHA256 hash: d2bd62c508f19aaeda1332ab1cdb547b914dd955b43fce698808ca2ebef36565
MD5 hash: e5e929d0f96358f04b9d212847330f9d
SHA1 hash: 8bc3945167c780fa735f9b9632fde48281c0dc0b

SHA256 hash: 7e0c898d6c36eedc88931390f3ef821d4f53fdc946858db423057701ec5daa6c
MD5 hash: d9cec5af71482276867ba5a555bbd1b1
SHA1 hash: 82f1f4a04293aa172064a0e28170b2231c014861

SHA256 hash: 407e9094206a37707a368f4cd0103269c50b8c0c03edba87b4f20664d259f207
MD5 hash: e13e6f7986b9d1eff55fe30133592c40
SHA1 hash: 8299d50b76990e9dc7e0a8cc67e2f4d44cb810f5

SHA256 hash: 301dd9e149979605013438e865d1cc1755d76c05c306b5f2bb4a8874e8ffcc3d
MD5 hash: 0ae993de6665ae3b54a46c9c1fd9bfc3
SHA1 hash: 393842e2d3a88b8d7b1c2b8579a741361b1248a0

SHA256 hash: 75dc0a83d585a9789575a794212888360fbb56229dbf5cdc11d9147eb6a40a19
MD5 hash: c351c3c95985184040946b33a072b756
SHA1 hash: 36652be706c1ce9f64f7b2a358f06fb3bab8b372

SHA256 hash: 432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67
MD5 hash: de08b70c1b36bce2c90a34b9e5e61f09
SHA1 hash: 1628635f073c61ad744d406a16d46dfac871c9c2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: PureCrypter
Author: @bartblaze
Description: Identifies PureCrypter, .NET loader and obfuscator.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
CoinMiner
Executable exe 432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          | Title                                            | Severity
CHECK_AUTHENTICODE          | Missing Authenticode                             | high
CHECK_DLL_CHARACTERISTICS   | Missing dll Security Characteristics (GUARD_CF)  | high

Comments

zbet commented on 2024-03-27 17:04:12 UTC

url : hxxp://91.215.85.223/ghjk.exe