MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67ed4226089a037258ae9c039e93f9ba85dc75409ff0c3402c69597de654cb5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	67ed4226089a037258ae9c039e93f9ba85dc75409ff0c3402c69597de654cb5d
SHA3-384 hash:	0137fee510ab24d5f924c44f60980cb306993a59edb306dcf85c966518f00f706252f9a03806f89c6510be3d7112be8d
SHA1 hash:	0e57b088d2b978f195d8c9d01132c3c78a577bc1
MD5 hash:	e679f9ca51a1cf08ef83a8a5c9dc7e3c
humanhash:	august-coffee-magnesium-finch
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	1'405'072 bytes
First seen:	2022-11-23 17:45:59 UTC
Last seen:	2022-11-24 05:26:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7f3042474b65617353ef0264b23b3f6b (3 x CoinMiner)
ssdeep	24576:HdcgTewpeuCLZQ5wrS7j5G1bDD6egAmkI+:HdcgT1pehZQYYKTXt
Threatray	3'335 similar samples on MalwareBazaar
TLSH	T1BF556B013BA4B900D15E497458BA47A427E3FFD64D715167A2E839CA9FB32803D2D3EE
File icon (PE):
dhash icon	60e4f2daaabac200 (3 x CoinMiner, 1 x PrivateLoader)
Reporter	andretavare5
Tags:	CoinMiner exe Logitech Z-708 Template GIT signed

Code Signing Certificate

Organisation:	Logitech Z-708 Template GIT
Issuer:	Logitech Z-708 Template GIT
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-11-22T16:12:54Z
Valid to:	2032-11-23T16:12:54Z
Serial number:	6ef2dafe55f9978e4689f39416055f55
Intelligence:	3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	5e883f6b22e7c443f468fe84cf3def1ca5175a897a48816c1cc716b4703e3f18
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from http://al-durra.com.kw/uploads/svcrun.exe

Intelligence

File Origin

# of uploads :

# of downloads :

191

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-11-23 17:47:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/04fb29de-6bbf-44c3-bc03-baec15afa755

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/337781/

Detection(s):

SecuriteInfo.com.Win64.Malware-gen.519.1263.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for analyzing tools

Launching a process

Сreating synchronization primitives

Creating a file

Creating a file in the %temp% directory

Enabling the 'hidden' option for recently created files

Running batch commands

Creating a process from a recently created file

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Sending an HTTP POST request

Searching for synchronization primitives

DNS request

Connecting to a cryptocurrency mining pool

Sending a custom TCP request

Creating a service

Launching a service

Loading a system driver

Enabling autorun for a service

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/637e5c5c24da1c12cfe18709/reports/d8d16f65-6817-4209-990a-1207c1a33e94/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a0a027a2-7a9d-4c16-b1db-53258837562a

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1120042

Signature

Adds a directory exclusion to Windows Defender

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

DNS related to crypt mining pools

Multi AV Scanner detection for submitted file

PE file has nameless sections

Sets debug register (to hijack the execution of another thread)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/67ed4226089a037258ae9c039e93f9ba85dc75409ff0c3402c69597de654cb5d/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2022-11-23 17:46:13 UTC

File Type:

PE+ (Exe)

Extracted files:

384

AV detection:

20 of 41 (48.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m7wuejqitibxewfotqbz5e7zxkc5y5kat7ymgqbmnfmx3zsuznoq._file

Verdict:

malicious

CoinMiner

200fade8a686306db978fb4092b3dff5793f6fbafdfd216b2c3973393aa2619a

CoinMiner

3a40d13ba6b30c31d8d5380b61806ec76355f4c10a3c242eff71ddc020907be7

CoinMiner

596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199

CoinMiner

60a79ee81b8cddb7dd3dfce0855e2eb6597540fd33249ac41c381f5787f17ef8

CoinMiner

6f8683626e582db605ecdcafea662267c998b5f7066759867aa4f7db5dc71599

CoinMiner

955bce112c0abfd0b1c695f51f3300bc2ff9cfc85bcae914abd435d564432c86

CoinMiner

9ca85db909ababb84b0ea3fc5b0156dc01bb940999a91466cea93f683f53f11e

CoinMiner

b3af5a1af48b27b5ac7647d5bf81941c9abf6be899372119cb5eb887026e1409

CoinMiner

f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6

CoinMiner

+ 3'325 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/221123-wb98ysed7v/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Uses the VBS compiler for execution

Executes dropped EXE

XMRig Miner payload

xmrig

Unpacked files

SH256 hash:

67ed4226089a037258ae9c039e93f9ba85dc75409ff0c3402c69597de654cb5d

MD5 hash:

e679f9ca51a1cf08ef83a8a5c9dc7e3c

SHA1 hash:

0e57b088d2b978f195d8c9d01132c3c78a577bc1

Link:

https://www.unpac.me/results/ee544976-bd36-456f-8dfc-7cee718a2c10/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/67ed4226089a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/67ed4226089a037258ae9c039e93f9ba85dc75409ff0c3402c69597de654cb5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2431652/

Cape

https://www.capesandbox.com/analysis/337781/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample