MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51006bf3a6177381b7f80048084f52d770046c3bf6389097233e64b5340bdfcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 9

Intelligence 9 IOCs YARA 10 File information Comments

SHA256 hash:	51006bf3a6177381b7f80048084f52d770046c3bf6389097233e64b5340bdfcd
SHA3-384 hash:	b50000c4151f77c2b313aa218e6e2f230ca36bcbc583e251fa746856a8a3b29f281c2f1aac76236ec010bfd56511a692
SHA1 hash:	fab50fe166d3156df4359b8cd09dcc6722e8d483
MD5 hash:	1389b218641d2b72efda9936eb03ef04
humanhash:	mike-sierra-vegan-triple
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	1'578'656 bytes
First seen:	2023-02-24 13:13:22 UTC
Last seen:	2023-02-24 23:56:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5351a983d2d0c281e807bdd8bc5d40e7 (1 x CoinMiner)
ssdeep	49152:0EVQsqyOVqjAHg9rlmgBXPGty03Q1FZMI7Rr9:0EXqxA59rgCPEyaQ1FqI9r9
Threatray	2'320 similar samples on MalwareBazaar
TLSH	T1D7752212EA8548FBF40F1A71990FD13509506CAA97A8196F1BDC3E2B09F3395B8F9D1C
File icon (PE):
dhash icon	008280b28eaa9600 (2 x CoinMiner)
Reporter	andretavare5
Tags:	CoinMiner exe signed

Code Signing Certificate

Organisation:	Samsung Q32R504FHI QC46R537FHIZCI
Issuer:	Samsung Q32R504FHI QC46R537FHIZCI
Algorithm:	sha1WithRSAEncryption
Valid from:	2023-02-23T12:04:45Z
Valid to:	2033-02-24T12:04:45Z
Serial number:	6d98043ca8d139a346084cc6dd4b92a8
Thumbprint Algorithm:	SHA256
Thumbprint:	21183c12af03230df4a4df6868663c3806e3c1d50f4c210c07c079ec4e3be7cc
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://covidguardeth.com/svcrun.exe

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-02-24 13:17:16 UTC

Tags:

miner

Link:

https://app.any.run/tasks/2b7f166d-ac55-426a-94e9-f3873ad2bb64

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/369436/

Detection(s):

SecuriteInfo.com.Win64.Trojan-gen.11962.2327.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

Launching a process

Creating a file

Enabling the 'hidden' option for recently created files

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63f8b81b124864afb39e3268/reports/40ce06a5-93dd-4ca8-affc-293e7494d8cd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/51006bf3a6177381b7f80048084f52d770046c3bf6389097233e64b5340bdfcd

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6b47f85f-4318-4832-905a-f619624b3092

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad.mine

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1181873

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

DNS related to crypt mining pools

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/51006bf3a6177381b7f80048084f52d770046c3bf6389097233e64b5340bdfcd/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-02-24 13:14:09 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

16 of 25 (64.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=keagx45gc5zydn7yabeaqt2s25yai3b36y4jbfzdhzslknal37gq._file

Verdict:

unknown

CoinMiner

3b30521dff6aa28278d902f36399ad0f8dbfdeb37800e3c6648d480766582c4c

CoinMiner

532d8d05263ecb3453da330b6213c9d5cb1f1eb5db77b40664c7ec722b9f9475

CoinMiner

89373f83f2101957b75bd4323f22c6c7e0449ab2044f3d061b8417ba8b29c7a3

CoinMiner

8ac5c11ba9b64658cf080e1d05cbb594fdd4cdaef46db4da24a5a5d809bb50e6

CoinMiner

8be2caee636b007be2f3f6a6154457877113e2538ffcbad2984e1372a089759f

CoinMiner

9b0ef0ee14f17c72c5e246b6b7e51da46a2f263a810028f793da55a50250bf16

CoinMiner

9cd84cf345a355c7fafb27dceeb9d6a8dc910f4812578edd396dd2fad42b5e1b

CoinMiner

f082cd415175b1648459065f5ad5e80104fc296255da51d79e4c99c4a39bbd96

CoinMiner

fa1a3d581f285e49916ae65313639b598e84715e6bef215d492f21c163490e10

CoinMiner

+ 2'310 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/230224-qgmrysdc7x/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Suspicious use of SetThreadContext

.NET Reactor proctector

Checks computer location settings

Uses the VBS compiler for execution

XMRig Miner payload

xmrig

Unpacked files

SH256 hash:

51006bf3a6177381b7f80048084f52d770046c3bf6389097233e64b5340bdfcd

MD5 hash:

1389b218641d2b72efda9936eb03ef04

SHA1 hash:

fab50fe166d3156df4359b8cd09dcc6722e8d483

Link:

https://www.unpac.me/results/5879dd4b-0a3f-4137-b4cd-554ef027697c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/51006bf3a617/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/51006bf3a6177381b7f80048084f52d770046c3bf6389097233e64b5340bdfcd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	INDICATOR_EXE_Packed_DotNetReactor Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with unregistered version of .NET Reactor

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	win_xfilesstealer_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.xfilesstealer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/369436/

URLhaus

https://urlhaus.abuse.ch/url/2550406/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample