MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59ef1708305d54ef1a59f399591f122bf110aefd623fa79d956e3e3c495e5807. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59ef1708305d54ef1a59f399591f122bf110aefd623fa79d956e3e3c495e5807
SHA3-384 hash: ef10339f70a030804512a603d30eb72cc724aa87519c0cc5ccdfb49c86f106d8681a24b975b2b76fa3bf681f96131292
SHA1 hash: a0e5688d0196bfddb51b2d2c2e401188e29feab0
MD5 hash: c10d50207f7e8cf9335645d9ead13786
humanhash: magazine-green-stream-pluto
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'244'392 bytes
First seen:2022-11-08 21:17:13 UTC
Last seen:2022-11-08 23:05:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ce18a0f04eaf836c8d127a65e263c45 (2 x CoinMiner)
ssdeep 24576:bMBewog5OJ6BAfk+FrZcC3OwPvl/y49nvVik3Oi:aPoTfkrC+wPt/y4VvVb3Oi
Threatray 2'136 similar samples on MalwareBazaar
TLSH T11545126B72D65655F1AB38F3EC09DCB447A3BEADF061E90E1182B74F50321610AC762B
File icon (PE):PE icon
dhash icon 23b0f0e0e0c0f0a2 (5 x CoinMiner)
Reporter andretavare5
Tags:CoinMiner exe signed

Code Signing Certificate

Organisation:Logitech ZC-9016 USA State of Washington
Issuer:Logitech ZC-9016 USA State of Washington
Algorithm:sha1WithRSAEncryption
Valid from:2021-12-15T11:48:33Z
Valid to:2031-12-16T11:48:33Z
Serial number: 5fcd5e9349261c9449b88b4124df5004
Intelligence: 27 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 63aa80362de14c7d27647ef57cf3a4928f5dda32e3a54c46c72902172a42dea0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://restaurantela73.com/svcruntime.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-08 21:20:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3b3aad08-67f4-445c-afda-5a54084fdf0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/330836/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.6110.16114.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Creating a file
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Running batch commands
Sending a custom TCP request
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Creating a window
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/636ac78b4965a861c71fc9da/reports/60731357-a490-42d4-a20e-a72e1e4e54c5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/12e57faf-be13-485c-983e-032cce83d6c7
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1108668
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59ef1708305d54ef1a59f399591f122bf110aefd623fa79d956e3e3c495e5807/
Threat name:
Win64.Spyware.Bobik
Create hunting rule
Status:
Malicious
First seen:
2022-11-08 21:18:09 UTC
File Type:
PE+ (Exe)
Extracted files:
46
AV detection:
15 of 26 (57.69%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lhxrocbqlvko6gsz6omvshysfpyrblx5mi72phmvny7dysk6ladq._file
Verdict:
unknown
Similar samples:
072630cd3b821f7b12292a7044c2a18e4c45985acf5bd50161a5e0ed13f491e1
CoinMiner
0888fc4761c83d95a42325d58611f798d488a467c7a5aa306cb798ba36f183cf
CoinMiner
5d5e5331ca75a4c6d921ddc110d29af0c17c2aceef4dcbfb868bffd08ca1d31f
CoinMiner
5dc72a06a4554b286374b223bbf1bfd2eb3884f3952088a1193f6fc770991a51
CoinMiner
afa6e0b7cd564e4ce430f011a53baece9995952df817624643b95d6a0d9c08e5
CoinMiner
b302f4f0f0f5f3f86497f005e73154e14afbccc13e1ebdfde664ab258a55cbbc
CoinMiner
c182ca3a04a79bf82dcbc6a23eef914a1ff4edd58c343f95655410689ac2856a
CoinMiner
e34e5d0bab748e72166ba8e74ef57acfda6a795bb95772139bd5c7a597ff4f6c
CoinMiner
+ 2'126 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221108-z5k3psbacl/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
59ef1708305d54ef1a59f399591f122bf110aefd623fa79d956e3e3c495e5807
MD5 hash:
c10d50207f7e8cf9335645d9ead13786
SHA1 hash:
a0e5688d0196bfddb51b2d2c2e401188e29feab0
Link:
https://www.unpac.me/results/fcb4a678-0753-4ae1-87a9-2df4363ae037/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59ef1708305d54ef1a59f399591f122bf110aefd623fa79d956e3e3c495e5807

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/330836/
  
URLhaus
https://urlhaus.abuse.ch/url/2401639/

Comments