MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55c97066f408cdbdec892b89cf8eca10f48d9566a7bd36767ed0f3e8ed311e94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55c97066f408cdbdec892b89cf8eca10f48d9566a7bd36767ed0f3e8ed311e94
SHA3-384 hash: c5bc24d8427c44d903bffed1975fd0ff99055c03113f71e5dfb5e0d3543546297ec47131eb0563ebabd109a8885ddb41
SHA1 hash: 4da702a31d5a3fa62d71923be4b85be494e62b62
MD5 hash: b9341eca3593111f5a8545e2d4101064
humanhash: apart-helium-spaghetti-twenty
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'566'592 bytes
First seen:2023-02-03 09:30:27 UTC
Last seen:2023-02-03 12:52:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 69592e0cf045e2d24989c22013a2a660 (1 x CoinMiner)
ssdeep 24576:6qxsO9r2JQraBpA7NblIFX0oQwvohAOzj/zNx9vLcmdgj9e/z0mSlLi:6qSBQaCcXdQwOr3zj9vLcxJC0mS
Threatray 3'885 similar samples on MalwareBazaar
TLSH T140F5702D3B79EC34E406A6BBC7A285A2D506DC31D923CA1B3509FF99B536F5012F134A
File icon (PE):PE icon
dhash icon 71ecd4aaaab2e071 (2 x CoinMiner, 2 x AgentTesla)
Reporter andretavare5
Tags:CoinMiner exe


Avatar
andretavare5
Sample downloaded from http://lara.amiyon.com/svcrun.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-03 09:31:56 UTC
Tags:
miner
Link:
https://app.any.run/tasks/40da34db-ecf8-4434-af33-3213ab96f944

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/359812/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.25140.9749.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Launching a process
Creating a file
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
83%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/63dcd45889bd67c10fdc52d9/reports/8bf55f11-e28a-4e96-b268-118fa6820685/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/55c97066f408cdbdec892b89cf8eca10f48d9566a7bd36767ed0f3e8ed311e94
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/65c6a7bb-9341-4c1f-9d8a-bde82a8c58a6
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1164969
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 797738 Sample: file.exe Startdate: 03/02/2023 Architecture: WINDOWS Score: 100 49 xmr-eu1.nanopool.org 2->49 55 Sigma detected: Xmrig 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 7 other signatures 2->61 8 file.exe 14 7 2->8         started        13 SRIKA.exe 3 2->13         started        15 svchost.exe 8 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 53 179.43.140.229, 49841, 80 PLI-ASCH Panama 8->53 47 C:\ProgramData\versionApp\SRIKA.exe, PE32+ 8->47 dropped 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->67 69 Sets debug register (to hijack the execution of another thread) 8->69 71 Writes to foreign memory regions 8->71 81 3 other signatures 8->81 19 cmd.exe 1 8->19         started        22 vbc.exe 8->22         started        25 powershell.exe 27 8->25         started        73 Detected unpacking (changes PE section rights) 13->73 75 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->75 77 Contains functionality to detect virtual machines (IN, VMware) 13->77 79 Contains functionality to detect hardware virtualization (CPUID execution measurement) 13->79 27 cmd.exe 13->27         started        29 powershell.exe 13->29         started        31 WerFault.exe 16 13->31         started        33 WerFault.exe 2 15->33         started        file6 signatures7 process8 dnsIp9 63 Uses schtasks.exe or at.exe to add and modify task schedules 19->63 35 conhost.exe 19->35         started        37 schtasks.exe 1 19->37         started        51 51.15.58.224, 14433, 49843 OnlineSASFR France 22->51 65 Query firmware table information (likely to detect VMs) 22->65 39 conhost.exe 25->39         started        41 conhost.exe 27->41         started        43 schtasks.exe 27->43         started        45 conhost.exe 29->45         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55c97066f408cdbdec892b89cf8eca10f48d9566a7bd36767ed0f3e8ed311e94/
Threat name:
Win64.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2023-02-03 09:31:10 UTC
File Type:
PE+ (Exe)
Extracted files:
231
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kxexazxubdg333ejfoe47dwkcd2i3flgu66tm5t62dz6r3jrd2ka._file
Verdict:
unknown
Similar samples:
165c3d7d3dc86dca618fea2808bf7257f8c07b8262104171c63146d69cda6ab3
CoinMiner
430ff29b0c10268ae2db7594fcb18c00241d4481068089f3becf3a7b1b8fb8b0
CoinMiner
48a5e7f90442be5e239b6d58adce2ca6be2f7564c906ccfd72589bf64e80b26e
CoinMiner
5fb75666d15c43a83951ba8c261080a50d6228008947555ae2ab1ad5e01a8767
CoinMiner
6c90dd61f4fb62c923098bd71d01fc8bcd8a4bbafd47d168e9ad92d38628b63f
CoinMiner
705b15734bf127d846734775e424cd6764c7e7ea12de6d74cd58298f450027bd
CoinMiner
acb681b62bc1f02493e67fbdc2ddc5dd037e013a6e17b3dc2cda92efbed8e891
CoinMiner
b096adc2fe8a57bc18abc7432abce80e9e59b0b6924422d615a78f36bf944e39
CoinMiner
ea94fc3e2b22d4f4b7c81e8db9c69310385f986f24f9da4856eb897cf84fe5ee
CoinMiner
+ 3'875 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/230203-lg2tnadg59/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
.NET Reactor proctector
Checks computer location settings
Uses the VBS compiler for execution
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
55c97066f408cdbdec892b89cf8eca10f48d9566a7bd36767ed0f3e8ed311e94
MD5 hash:
b9341eca3593111f5a8545e2d4101064
SHA1 hash:
4da702a31d5a3fa62d71923be4b85be494e62b62
Link:
https://www.unpac.me/results/144bfad5-0bd6-4383-beb7-b7fce9b3f3cf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/55c97066f408/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/55c97066f408cdbdec892b89cf8eca10f48d9566a7bd36767ed0f3e8ed311e94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:win_xfilesstealer_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xfilesstealer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2511168/
Cape
Cape
https://www.capesandbox.com/analysis/359812/

Comments