MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b075ba1680ba307886ad8aaf4376b5cf645b016b8e2604c77034168afc5989d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	4b075ba1680ba307886ad8aaf4376b5cf645b016b8e2604c77034168afc5989d
SHA3-384 hash:	387d3736307c649633aabfb4aac1604e00a08b2555bc53a6e9124cc11d86573e95231cc98c08f698184f3f7a465f10d9
SHA1 hash:	036f586e650d9f5fc4c481309bc1ff03f00e7f7a
MD5 hash:	786cb215a41e63d3ee01496e25989dec
humanhash:	kilo-indigo-india-delta
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	879'616 bytes
First seen:	2023-01-05 23:08:26 UTC
Last seen:	2023-01-06 03:25:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	734dca4ddcf3a12d99f4e060e562f200 (1 x CoinMiner)
ssdeep	12288:eBQztfHccRNPu6iFtNc8vsSR8d0HFsUcE7JFL9GEsKW9Bgl615Lrm0SYZYfiPy:yQp1u9FpE0HJxoEsKmB915u0biia
Threatray	2'595 similar samples on MalwareBazaar
TLSH	T14715D008F3E65A12F1B3BA34FAF9A64744687E229519C00D5354324F05B2F9CB96F72B
File icon (PE):
dhash icon	10f079f892ea78b0 (18 x Emmenhtal, 7 x LummaStealer, 4 x CoinMiner)
Reporter	andretavare5
Tags:	CoinMiner exe

andretavare5

Sample downloaded from http://orderedami.com/svcrun.exe

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-01-05 23:09:45 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/9def74aa-eeae-4ac0-9c81-9562020a5716

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/349828/

Detection(s):

Win.Malware.Zusy-9908145-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63b75890b9b1c17375207f84/reports/b85e4bbf-b19e-4b12-82fb-ae8e02e6ca44/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/afbfbea7-2cdf-4621-b9ea-30f2071b86b5

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1145970

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

Contains functionality to detect virtual machines (IN, VMware)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

DNS related to crypt mining pools

Found strings related to Crypto-Mining

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Snort IDS alert for network traffic

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b075ba1680ba307886ad8aaf4376b5cf645b016b8e2604c77034168afc5989d/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-01-05 23:09:09 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jmdvxiliborqpcdk3cvpin3llt3elmawxdrgatdxanawrl6ftcoq._file

Verdict:

unknown

CoinMiner

58f91bbad5f643691f54434b42213c8a05cfbde5772d62bc38d5da13124ede9e

CoinMiner

67ed4226089a037258ae9c039e93f9ba85dc75409ff0c3402c69597de654cb5d

CoinMiner

7bd34b7923a17098175c99070569b5a49e8dea6921edcbce273ec7f59e8ab9d1

CoinMiner

83b1b9c12f9b5af0480bef4eb18b745ae009d9597c023929bcdfd4ab96700010

CoinMiner

a08decf9a9fd94df4e235da6bc1e8bb7444984de5f9016033f2aa89d690bb9b9

CoinMiner

d6d728c1c24d9e6f05a81e8d54846be4c89ca6d9a1a59e52a1ccfb32d9b65d42

CoinMiner

e6d721a289c4f4976f8501ae50c373513230533c1f2aea486ca88b5c431a918a

CoinMiner

ebb258225e1534c2acd3d803d6075d578f8d23da4c3bc1977e6aeef02a6eac37

CoinMiner

fc52bdc35a10badcd4f88cd91d0c071bc05520c78097501f5f23fd5114e15e64

CoinMiner

+ 2'585 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/230105-244jrsde94/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

XMRig Miner payload

xmrig

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/18b75512-fb82-49d0-a730-e154103c13b6

Unpacked files

SH256 hash:

4b075ba1680ba307886ad8aaf4376b5cf645b016b8e2604c77034168afc5989d

MD5 hash:

786cb215a41e63d3ee01496e25989dec

SHA1 hash:

036f586e650d9f5fc4c481309bc1ff03f00e7f7a

Link:

https://www.unpac.me/results/0762ca3e-e520-428b-b11e-62892dc73606/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4b075ba1680b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.19

Link:

https://yomi.yoroi.company/submissions/4b075ba1680ba307886ad8aaf4376b5cf645b016b8e2604c77034168afc5989d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	win_xfilesstealer_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.xfilesstealer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2497706/

Cape

https://www.capesandbox.com/analysis/349828/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample