MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560
SHA3-384 hash: 7c2890f6ead48ac6e9d3ea89237f3f4794daf4133d4e521206d8269dd66f5ec40ed0edff32f58ed1b527ae6b3e4deed9
SHA1 hash: 8da914dde7483ad54d66dc2a8ec75e28f1437673
MD5 hash: f73648b12faad92f981744f7ad02c06e
humanhash: salami-california-carolina-carolina
File name:svchost.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:22'529'870 bytes
First seen:2025-02-01 18:02:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e92fd54d65284238a0e3b74b2715062 (21 x Empyrean, 4 x Gh0stRAT, 4 x Telemiris)
ssdeep 393216:sKf8nlCURvYEVPH9/ykib5rFJJX1cg6WWQA+JjkFrdo:sK0flfByXb11XGgywWd
TLSH T176373346D74458B1EAF6827CC2B7E62EE1137A1893C1FB2B972C876C5F378A4CD55A00
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
File icon (PE):PE icon
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter aachum
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
420
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
svchost.exe
Verdict:
Malicious activity
Analysis date:
2025-02-01 18:00:59 UTC
Tags:
github python stealer sfx dropper screenshot evasion discord blankgrabber pyinstaller telegram susp-powershell growtopia discordgrabber generic umbralstealer ims-api upx
Link:
https://app.any.run/tasks/a03be611-55a0-4676-bd1c-a1e33b7ccd96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Agent.Script.1713931.10438.20114.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679e615aa9881a7a01c4f0f7
Tags:
installer extens virus spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a process from a recently created file
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Running batch commands
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Launching a process
Launching the process to change network settings
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
compiled-script expand fingerprint lolbin microsoft_visual_cc overlay packed packer_detected pyinstaller pyinstaller
Link:
https://www.filescan.io/uploads/679e61e88e6a79ee02ce3795/reports/9c2393e2-bacc-4cff-8906-5262891a2ae9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560
Result
Verdict:
UNKNOWN
Result
Threat name:
HackBrowser, Blank Grabber
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1604599
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries Google from non browser process on port 80
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected Amnesia Stealer
Yara detected Blank Grabber
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1604599 Sample: svchost.exe Startdate: 01/02/2025 Architecture: WINDOWS Score: 100 103 api.telegram.org 2->103 105 www.google.com 2->105 107 4 other IPs or domains 2->107 121 Suricata IDS alerts for network traffic 2->121 123 Found malware configuration 2->123 125 Sigma detected: Capture Wi-Fi password 2->125 129 12 other signatures 2->129 14 svchost.exe 13 2->14         started        signatures3 127 Uses the Telegram API (likely for C&C communication) 103->127 process4 file5 95 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 14->95 dropped 97 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 14->97 dropped 99 C:\Users\user\AppData\Local\...\python310.dll, PE32+ 14->99 dropped 101 8 other files (7 malicious) 14->101 dropped 175 Found pyInstaller with non standard icon 14->175 18 svchost.exe 14->18         started        signatures6 process7 process8 20 Build.exe 6 18->20         started        file9 75 C:\ProgramData\Microsoft\hacn.exe, PE32+ 20->75 dropped 77 C:\ProgramData\Microsoft\based.exe, PE32+ 20->77 dropped 23 based.exe 22 20->23         started        27 hacn.exe 67 20->27         started        process10 file11 79 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 23->79 dropped 81 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 23->81 dropped 83 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 23->83 dropped 91 15 other files (14 malicious) 23->91 dropped 147 Antivirus detection for dropped file 23->147 149 Multi AV Scanner detection for dropped file 23->149 151 Machine Learning detection for dropped file 23->151 155 4 other signatures 23->155 29 based.exe 1 70 23->29         started        85 C:\Users\...\backend_c.cp310-win_amd64.pyd, PE32+ 27->85 dropped 87 C:\Users\user\...\_cffi.cp310-win_amd64.pyd, PE32+ 27->87 dropped 89 C:\Users\user\AppData\...\win32event.pyd, PE32+ 27->89 dropped 93 36 other files (33 malicious) 27->93 dropped 153 Queries Google from non browser process on port 80 27->153 33 hacn.exe 27->33         started        signatures12 process13 dnsIp14 109 ip-api.com 208.95.112.1, 49898, 80 TUT-ASUS United States 29->109 111 api.telegram.org 149.154.167.220, 443, 49915 TELEGRAMRU United Kingdom 29->111 113 canary.discord.com 162.159.137.232, 443, 49904 CLOUDFLARENETUS United States 29->113 157 Found many strings related to Crypto-Wallets (likely being stolen) 29->157 159 Tries to harvest and steal browser information (history, passwords, etc) 29->159 161 Modifies Windows Defender protection settings 29->161 167 5 other signatures 29->167 35 cmd.exe 29->35         started        38 cmd.exe 29->38         started        40 cmd.exe 29->40         started        44 23 other processes 29->44 115 www.google.com 142.250.186.36, 49733, 80 GOOGLEUS United States 33->115 117 github.com 140.82.121.4, 443, 49740 GITHUBUS United States 33->117 119 raw.githubusercontent.com 185.199.109.133, 443, 49736 FASTLYUS Netherlands 33->119 163 Modifies the context of a thread in another process (thread injection) 33->163 165 Hides threads from debuggers 33->165 42 cmd.exe 33->42         started        signatures15 process16 signatures17 131 Modifies Windows Defender protection settings 35->131 133 Removes signatures from Windows Defender 35->133 46 powershell.exe 35->46         started        62 2 other processes 35->62 49 powershell.exe 38->49         started        52 conhost.exe 38->52         started        135 Adds a directory exclusion to Windows Defender 40->135 54 powershell.exe 40->54         started        56 conhost.exe 40->56         started        137 Suspicious powershell command line found 42->137 139 Encrypted powershell cmdline option found 42->139 141 Bypasses PowerShell execution policy 42->141 143 Uses netsh to modify the Windows network and firewall settings 42->143 58 conhost.exe 42->58         started        145 Tries to harvest and steal WLAN passwords 44->145 60 getmac.exe 44->60         started        64 45 other processes 44->64 process18 file19 169 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 46->169 171 Writes or reads registry keys via WMI 46->171 173 Loading BitLocker PowerShell Module 46->173 71 C:\Users\user\AppData\...\y1aqvv5e.cmdline, Unicode 49->71 dropped 66 csc.exe 49->66         started        signatures20 process21 file22 73 C:\Users\user\AppData\Local\...\y1aqvv5e.dll, PE32 66->73 dropped 69 cvtres.exe 66->69         started        process23
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560
Gathering data
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-02-01 08:29:52 UTC
File Type:
PE+ (Exe)
Extracted files:
454
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ozpghyogaeqpfmwj6jeveycjuuyskz5legn2dyriqhv3mxam4vqa._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection credential_access defense_evasion discovery execution persistence privilege_escalation pyinstaller spyware stealer upx
Link:
https://tria.ge/reports/250201-wm54datndy/
Behaviour
Checks processor information in registry
Detects videocard installed
Enumerates system info in registry
Gathers system information
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Program Files directory
Launches sc.exe
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Clipboard Data
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Contacts a large (666) amount of remote hosts
Stops running service(s)
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/38d4c59b-120b-409f-9f95-c83598ddb3e8
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/765e63e1c601/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe b84d06eb8b490a54bdd252a58d25eb54f5580018ecbf3066e0cd5d03ef284c96

CoinMiner

Executable exe 765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560

(this sample)

BlankGrabber

Executable exe 0e66e467ce2a42b3e978da4e7d26c4c0e75716881d46e5cbe1ea23ad8a062a88

  
Link
https://tria.ge/250201-whgvzstlcy/
  
Dropped by
SHA256 b84d06eb8b490a54bdd252a58d25eb54f5580018ecbf3066e0cd5d03ef284c96
  
Dropping
SHA256 0e66e467ce2a42b3e978da4e7d26c4c0e75716881d46e5cbe1ea23ad8a062a88
  
Dropping
MD5 39b96b128c5732a9eb723de56187a0e2
  
Dropping
SHA256 be318ea6019f0ab72aed2679b3dc8f6aee143e54040e6d0d2df94c498799a203
  
Dropping
MD5 47e66713dea096e4de977ea03f172073
  
Dropping
SHA256 c59f20641310e8a1c2a04bea95458425903a63859c77a8e9c13e2631c6e39800
  
Dropping
MD5 f07ff81c4c60944a81c97d268dd630a2
  
Dropping
SHA256 f16df2bc688ee1e31cfd4040ded359006c73092fdc310fbd7a9ba4c023085ccc
  
Dropping
MD5 fd100ec6f3dd7fc22be320a984e1aa7d
  
Dropping
SHA256 536737be15ffd29968dfc5bd8b3a3fd366af4172c97774f8c62e20f3e30f4e8f
  
Dropping
MD5 cb97153b035e929cd70cf68605b7c205
  
Dropping
SHA256 b1e467856b81f28826739e4d452b8063c1acf8a59ac9ceadea441882c8411e18
  
Dropping
MD5 39e3bba8eee5758e4fb04b74851433aa
  
Dropped by
MD5 d85711a9d52862c3e538d79217244059

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments