MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 717dfc6fa41b8517420dfef7b8685f5ae3fe4754806229a6e794fec562e5deff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 717dfc6fa41b8517420dfef7b8685f5ae3fe4754806229a6e794fec562e5deff
SHA3-384 hash: 0cca89edee95060b9b0e5aa67af368d134ff9a797825f3d6f55c1ac7f7e6b9acd9048b663f049dc20c337c92cdaf509b
SHA1 hash: aacc5c9475f77491b766a7c3a6bdf1511051f34b
MD5 hash: 4ebecfe32b68b7979873ddb9053cda4e
humanhash: potato-moon-india-video
File name:view.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:24'844'800 bytes
First seen:2022-02-22 04:59:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8121da246ea94cbab5bbea46d181bdcb (1 x CoinMiner)
ssdeep 393216:2AYWhnCW3M6rcfNA7SmTqX6cvncQea1Xn6ZCwc+2ziVwtMX4oOZI59xrPMMRT:2AzCeM60NAm5vTwKzawtMITZM9BJT
Threatray 5'312 similar samples on MalwareBazaar
TLSH T1D1473379F983B664C090C3FA031A62FB7E924DFA2BC34425E1D47B3E8A6177419D507A
File icon (PE):PE icon
dhash icon b4b0385e5858b0b4 (1 x CoinMiner)
Reporter adm1n_usa32
Tags:CoinMiner exe XMRIG

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bazaar.abuse.ch/download/717dfc6fa41b8517420dfef7b8685f5ae3fe4754806229a6e794fec562e5deff/
Verdict:
Malicious activity
Analysis date:
2022-02-22 06:24:50 UTC
Tags:
loader
Link:
https://app.any.run/tasks/c915ad77-be87-4ad8-9a36-6e50fa6605c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a file
Running batch commands
Launching a process
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Searching for the window
Sending a custom TCP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Deleting a system file
Launching a tool to kill processes
Launching the process to interact with network services
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint greyware packed stealer
Link:
https://www.filescan.io/uploads/62146dda875593a3cc006e89/reports/fbd5d4b6-e033-4140-b755-b36973f8d403/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/943625
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Drops executable to a common third party application directory
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Active Directory User Backdoors
Sigma detected: File Created with System Process Name
Sigma detected: Powershell Defender Exclusion
Sigma detected: Windows Shell File Write to Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 576099 Sample: view.exe Startdate: 22/02/2022 Architecture: WINDOWS Score: 100 96 Multi AV Scanner detection for domain / URL 2->96 98 Malicious sample detected (through community Yara rule) 2->98 100 Antivirus detection for URL or domain 2->100 102 13 other signatures 2->102 13 view.exe 10 2->13         started        17 svchost.exe 1 2->17         started        19 svchost.exe 1 2->19         started        process3 file4 86 C:\Users\Public\PublicDelVr.cmd, DOS 13->86 dropped 88 C:\Users\Public\Public.cmd, DOS 13->88 dropped 90 C:\ProgramData\xmrig.cmd, DOS 13->90 dropped 92 3 other files (1 malicious) 13->92 dropped 120 Contains functionality to detect sleep reduction / modifications 13->120 21 cmd.exe 1 13->21         started        signatures5 process6 signatures7 104 Uses cmd line tools excessively to alter registry or file data 21->104 106 Uses schtasks.exe or at.exe to add and modify task schedules 21->106 108 Adds a directory exclusion to Windows Defender 21->108 24 screen.exe 1 21->24         started        26 cmd.exe 1 21->26         started        28 taskkill.exe 1 21->28         started        30 7 other processes 21->30 process8 process9 32 screen.exe 24->32         started        34 WMIC.exe 1 26->34         started        36 find.exe 1 26->36         started        process10 38 cmd.exe 33 32->38         started        file11 78 C:\Users\Public\Music\loadhost.exe, PE32 38->78 dropped 80 C:\ProgramData\RuntimeBroker.exe, PE32 38->80 dropped 82 C:\ProgramData\Microsoft\...\WinRing0x64.sys, PE32+ 38->82 dropped 84 20 other files (9 malicious) 38->84 dropped 110 Uses cmd line tools excessively to alter registry or file data 38->110 112 Sample is not signed and drops a device driver 38->112 114 Drops executable to a common third party application directory 38->114 42 screen.exe 38->42         started        44 net.exe 1 38->44         started        46 net.exe 1 38->46         started        48 11 other processes 38->48 signatures12 process13 dnsIp14 51 screen.exe 42->51         started        53 screen.exe 44->53         started        55 net1.exe 1 44->55         started        57 net1.exe 1 46->57         started        94 192.168.2.1 unknown unknown 48->94 process15 process16 59 cmd.exe 51->59         started        62 cmd.exe 53->62         started        signatures17 116 Uses cmd line tools excessively to alter registry or file data 59->116 118 Adds a directory exclusion to Windows Defender 59->118 64 conhost.exe 59->64         started        66 powershell.exe 59->66         started        68 powershell.exe 59->68         started        76 2 other processes 59->76 70 conhost.exe 62->70         started        72 mode.com 62->72         started        74 timeout.exe 62->74         started        process18
Gathering data
Threat name:
Win32.Hacktool.DefenderControl
Create hunting rule
Status:
Malicious
First seen:
2021-11-25 09:23:20 UTC
File Type:
PE (Exe)
Extracted files:
159
AV detection:
23 of 28 (82.14%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=of67y35edocroqqn7333q2c7llr74r2uqbrctjxhst7mkyxf337q._file
Verdict:
malicious
Similar samples:
080e155065338954032cfbd27b1aa26668e65e44193c30cb86a88ba0bb229815
CoinMiner
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
CoinMiner
32bf6a730cca597011b8e619bad0168190337b8e96db09e2fe214b436d8f2f69
CoinMiner
32f62f812e0b22d8227fd1cc681eae6f4484e94bef2d4abbfea0342a62a4e34b
CoinMiner
361ced68c7680745d536ecd6a4c9dcbc867234c4fe10e419553d24a2514c3840
CoinMiner
5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4
CoinMiner
6afa8f79af9fd9ec79a3ebd4fd0932c496afdd4766df779a796e9ee502553562
CoinMiner
affd6e89b3357f6a8418ceb96c5a101eb38ea0af16b2d8a0ac256459130740ff
CoinMiner
da66b50a26a1b91eef2e102293a9086df408502b9aa00df5a684e2ce33ea72e1
CoinMiner
ee2e455231053433cc4d8718e0fb69e0f11d9875c5d1d3b3eebba4426148fb6d
CoinMiner
+ 5'302 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig bootkit discovery evasion miner persistence trojan upx
Link:
https://tria.ge/reports/220222-fm2syscgg2/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Kills process with WMI
Kills process with taskkill
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Windows security modification
Adds policy Run key to start application
Blocks application from running via registry modification
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Sets file execution options in registry
Sets service image path in registry
Stops running service(s)
UPX packed file
XMRig Miner Payload
Modifies Windows Defender Real-time Protection settings
Modifies security service
UAC bypass
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/717dfc6fa41b8517420dfef7b8685f5ae3fe4754806229a6e794fec562e5deff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/adm1n_usa32/status/1495985775179186176
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2026300/

Comments