MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4389bf5a0f08ab1d8f22c9e4acf3021ccaa5f0b04823a2726fafa77d845608b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4389bf5a0f08ab1d8f22c9e4acf3021ccaa5f0b04823a2726fafa77d845608b4
SHA3-384 hash: f6c6fd0ecd68efb4362f21dd2aeab3660d266f59d63ac1640dacebb36163d734f99ed8205adc4cf1579f865ea7bec5a4
SHA1 hash: 69685be6852368b91011cf0fc50cc7c483d5b488
MD5 hash: f05ed2c6ce9669cd1d9a59e582cff441
humanhash: north-september-mountain-lactose
File name:FortnitePatch.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:7'219'008 bytes
First seen:2023-06-26 16:02:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 196608:C5cyW+qX4FMIZETKwjPePdrQJ/BNOqgYP8:lhQETKwvJHOqgl
Threatray 3 similar samples on MalwareBazaar
TLSH T1767623C2E1DB02FCDC578C3491024C9B9AB76D3E87A9A16703E1B59F85B34A3597B603
TrID 66.5% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 003030b0301a1800 (2 x CoinMiner)
Reporter Anonymous
Tags:CoinMiner exe mining Monero pyinstaller xmr youtube


Avatar
Anonymous
Found on youtube as fortnite cheat

Intelligence

File Origin
# of uploads :
1
# of downloads :
504
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FortnitePatch.exe
Verdict:
Malicious activity
Analysis date:
2023-06-26 16:04:18 UTC
Tags:
installer
Link:
https://app.any.run/tasks/a36db410-b0af-4818-a57a-0b45d34009e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/403041/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/92770/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/6499b6b754672ac65f4ca36d/reports/6b7b48c8-2109-4005-aa51-a611d793d918/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/4389bf5a0f08ab1d8f22c9e4acf3021ccaa5f0b04823a2726fafa77d845608b4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ab70859a-a3d0-4e7f-9505-c1b3f68a00a4
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
28 / 100
Link:
https://www.joesandbox.com/analysis/1261579
Signature
Potentially malicious time measurement code found
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4389bf5a0f08ab1d8f22c9e4acf3021ccaa5f0b04823a2726fafa77d845608b4/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ioe36wqpbcvr3dzczhskz4ycdtfkl4fqjar2e4tpv6tx3bcwbc2a._file
Verdict:
unknown
Similar samples:
12dce304f7dd9fbe88d7d8bfe943540c3fd0121fb5fb471ea080c5b4f182d39c
CoinMiner
271724c5ff157be6c9c596f8728894a3de24a6cbbf23b89afec313f4e6212bf8
CoinMiner
d2803b97a3cdb1787df9e3bd60818968fecb86bf7eb48bfa51e0757f055b95e4
CoinMiner
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/230626-thb9dsbc51/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Unpacked files
SH256 hash:
4389bf5a0f08ab1d8f22c9e4acf3021ccaa5f0b04823a2726fafa77d845608b4
MD5 hash:
f05ed2c6ce9669cd1d9a59e582cff441
SHA1 hash:
69685be6852368b91011cf0fc50cc7c483d5b488
Link:
https://www.unpac.me/results/9df6d249-468c-4420-9d48-81f76e511a7a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4389bf5a0f08ab1d8f22c9e4acf3021ccaa5f0b04823a2726fafa77d845608b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 4389bf5a0f08ab1d8f22c9e4acf3021ccaa5f0b04823a2726fafa77d845608b4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/403041/

Comments