MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 536737be15ffd29968dfc5bd8b3a3fd366af4172c97774f8c62e20f3e30f4e8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 16


Intelligence 16 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 536737be15ffd29968dfc5bd8b3a3fd366af4172c97774f8c62e20f3e30f4e8f
SHA3-384 hash: 3cbb2b68e838fbc1ebba3ae2838b0fba2d9723da4d5a1e824d9e666a6186cc07c0e389c5a512d66f430e23c29c2e0216
SHA1 hash: 470d278d6ecae7282f474347717ea8783200e009
MD5 hash: cb97153b035e929cd70cf68605b7c205
humanhash: burger-montana-six-black
File name:setup1.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'772'864 bytes
First seen:2025-02-01 18:08:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0fdd3d21d2193b717f076a70dfaa659c (14 x CoinMiner)
ssdeep 98304:gwNPxQcKN8fq1vzdTAFb6YLhf3Akwt1/L:gwNpQcc8fqJzdTAhbLhtwb
Threatray 238 similar samples on MalwareBazaar
TLSH T196267D5C037B86ABADC858EA0D9C2317C3495B4C1574EDE6B25630D4DF2ACF7B120A6B
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter aachum
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
438
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
hacn.exe
Verdict:
Malicious activity
Analysis date:
2024-12-23 14:54:06 UTC
Tags:
auto generic github python telegram pyinstaller dcrat rat remote darkcrystal miner exfiltration stealer ims-api rust netreactor wmi-base64 api-base64
Link:
https://app.any.run/tasks/b0d225b1-f808-4b7b-9997-d766c35b0afa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679e6352416a81ccc3c4e868
Tags:
rozena cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for the window
Running batch commands
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Setting browser functions hooks
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed packed packer_detected
Link:
https://www.filescan.io/uploads/679e6353cc3811d265363d10/reports/a197c3e4-d3bf-4d7c-a33c-36c1b44eec6a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/536737be15ffd29968dfc5bd8b3a3fd366af4172c97774f8c62e20f3e30f4e8f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1576945-094e-4aa6-bd79-14244d5417f8
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1604607
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop multiple services
Stops critical windows services
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1604607 Sample: setup1.exe Startdate: 01/02/2025 Architecture: WINDOWS Score: 100 77 Antivirus detection for dropped file 2->77 79 Multi AV Scanner detection for dropped file 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 11 other signatures 2->83 7 setup1.exe 3 2->7         started        11 update.exe 3 2->11         started        13 cmd.exe 1 2->13         started        15 3 other processes 2->15 process3 file4 55 C:\Users\user\AppData\...\kdrzhuypomjz.tmp, PE32+ 7->55 dropped 57 C:\Program Filesbehaviorgraphoogle\Chrome\update.exe, PE32+ 7->57 dropped 87 Writes to foreign memory regions 7->87 89 Modifies the context of a thread in another process (thread injection) 7->89 91 Found hidden mapped module (file has been removed from disk) 7->91 17 dialer.exe 1 7->17         started        59 C:\Windows\Temp\kdrzhuypomjz.tmp, PE32+ 11->59 dropped 93 Adds a directory exclusion to Windows Defender 11->93 95 Maps a DLL or memory area into another process 11->95 97 Found direct / indirect Syscall (likely to bypass EDR) 11->97 20 dialer.exe 11->20         started        22 dialer.exe 11->22         started        99 Stops critical windows services 13->99 24 conhost.exe 13->24         started        32 5 other processes 13->32 101 Loading BitLocker PowerShell Module 15->101 26 conhost.exe 15->26         started        28 conhost.exe 15->28         started        30 conhost.exe 15->30         started        34 5 other processes 15->34 signatures5 process6 signatures7 61 Contains functionality to inject code into remote processes 17->61 63 Writes to foreign memory regions 17->63 65 Allocates memory in foreign processes 17->65 67 Contains functionality to compare user and computer (likely to detect sandboxes) 17->67 36 lsass.exe 17->36 injected 39 dwm.exe 17->39 injected 41 winlogon.exe 17->41 injected 43 svchost.exe 17->43 injected 69 Injects code into the Windows Explorer (explorer.exe) 20->69 71 Creates a thread in another existing process (thread injection) 20->71 73 Injects a PE file into a foreign processes 20->73 45 svchost.exe 20->45 injected 47 svchost.exe 20->47 injected 49 svchost.exe 20->49 injected 53 13 other processes 20->53 75 Found strings related to Crypto-Mining 22->75 51 conhost.exe 26->51         started        process8 signatures9 85 Installs new ROOT certificates 36->85
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/536737be15ffd29968dfc5bd8b3a3fd366af4172c97774f8c62e20f3e30f4e8f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/536737be15ffd29968dfc5bd8b3a3fd366af4172c97774f8c62e20f3e30f4e8f/
Threat name:
Win64.Trojan.SilentCryptoMiner
Create hunting rule
Status:
Malicious
First seen:
2024-12-16 20:13:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=knttppqv77jjs2g7yw6ywor72ntk6qlszf3xj6ggfyqphyypj2hq._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
Similar samples:
5690f5208387bba02ca4f4954d9d479c57ca556d553795d813603a2b1f83121b
CoinMiner
68231c9b195a3987bc26bb9af2543f49a04c1343bbb17982bc6302a21138e33a
CoinMiner
8462485220bfcba052d89e06bb3eaf38343b92bc246e391050f6019e70dba6a6
CoinMiner
93f357da57abc8674b201846e4284568b121ae4c06be4889d5092b6d23cb0146
CoinMiner
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278
CoinMiner
d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402
CoinMiner
ed58046044e126ab8b740bd4d37aa52dd8eebbfd539b607bda4425e6cd3e8c66
CoinMiner
error
CoinMiner
feb1cc6e909be612e822cc7b40b1c2b262836020c719e25ea5a0152b4de87829
CoinMiner
+ 228 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion execution
Link:
https://tria.ge/reports/250201-wrlkjawlgq/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks BIOS information in registry
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ec43ece0-ce5a-498e-80b2-41d7e98d2d6a
Unpacked files
SH256 hash:
536737be15ffd29968dfc5bd8b3a3fd366af4172c97774f8c62e20f3e30f4e8f
MD5 hash:
cb97153b035e929cd70cf68605b7c205
SHA1 hash:
470d278d6ecae7282f474347717ea8783200e009
Link:
https://www.unpac.me/results/3ce4c2ec-e13a-4477-8bf8-0cdb6335dab0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/536737be15ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/536737be15ffd29968dfc5bd8b3a3fd366af4172c97774f8c62e20f3e30f4e8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe b84d06eb8b490a54bdd252a58d25eb54f5580018ecbf3066e0cd5d03ef284c96

CoinMiner

Executable exe 765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560

CoinMiner

Executable exe 536737be15ffd29968dfc5bd8b3a3fd366af4172c97774f8c62e20f3e30f4e8f

(this sample)

  
Link
https://tria.ge/250201-wlbhdatmfx/
  
Dropped by
SHA256 765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560
  
Dropped by
MD5 f73648b12faad92f981744f7ad02c06e

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high

Comments