MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cad2a9590e2f63ac4115fa2879cb9e5aeb48aa80f324945d82f0efe5baf7da3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7cad2a9590e2f63ac4115fa2879cb9e5aeb48aa80f324945d82f0efe5baf7da3
SHA3-384 hash: 221084c758968769307e207b80adb1e872763ee45483b4b8a7c8c9a3062e8cfc17679da62da9cc725ca3ba2d980a6a07
SHA1 hash: cf3e85f2a8f58e4998c49f1655220fff335e3e68
MD5 hash: f5a52d7f38e29a3749139aef116c1809
humanhash: spaghetti-kansas-arkansas-crazy
File name:f5a52d7f38e29a3749139aef116c1809
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'496'472 bytes
First seen:2024-04-30 04:21:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 203d63d5d9a088e2d84cef737227986b (55 x CoinMiner)
ssdeep 98304:oxIp9iL+rmZm/ZV2yUz+0WT55CzN5BVv6K+Dil7Whfi0yTV38ImupL:oxIbiL+rMGvUz+z552N1v69DixWha0Md
Threatray 154 similar samples on MalwareBazaar
TLSH T11C46228F43D825A1D8F8DE3C5A9304F83593A47F275EB260E9CE4122DEB9660D835F64
TrID 49.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
31.8% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.EXE) OS/2 Executable (generic) (2029/13)
6.0% (.EXE) Generic Win/DOS Executable (2002/3)
6.0% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
522
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
7cad2a9590e2f63ac4115fa2879cb9e5aeb48aa80f324945d82f0efe5baf7da3.exe
Verdict:
Malicious activity
Analysis date:
2024-04-30 04:24:49 UTC
Tags:
miner silentcryptominer xmrig
Link:
https://app.any.run/tasks/bc3f5073-7631-49bf-82d0-ede52839c357

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Genkryptik-10016533-0
Create hunting rule

Win.Malware.Genkryptik-10016586-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Deleting a system file
Launching a process
Creating a service
Creating a file
Launching a service
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Setting browser functions hooks
Enabling autorun for a service
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug coinminer overlay packed
Link:
https://www.filescan.io/uploads/663071ecc5dabc22b20cc5e1/reports/48e4aefc-450a-42ce-a0ed-00b7cfa39ba7/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7cad2a9590e2f63ac4115fa2879cb9e5aeb48aa80f324945d82f0efe5baf7da3
Result
Verdict:
MALICIOUS
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d6c3902f-c457-403f-b7ca-852098444fdd
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1433813
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Snort IDS alert for network traffic
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1433813 Sample: 8Yt3TCmYCq.exe Startdate: 30/04/2024 Architecture: WINDOWS Score: 100 62 miner1.squezz.com 2->62 64 pool.supportxmr.com 2->64 66 pool-nyc.supportxmr.com 2->66 84 Snort IDS alert for network traffic 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 9 other signatures 2->90 8 8Yt3TCmYCq.exe 1 2 2->8         started        12 msjfqwbsivjo.exe 2->12         started        14 chrome.exe 4 2->14         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 58 C:\ProgramData\...\msjfqwbsivjo.exe, PE32+ 8->58 dropped 118 Uses powercfg.exe to modify the power settings 8->118 120 Modifies the context of a thread in another process (thread injection) 8->120 122 Adds a directory exclusion to Windows Defender 8->122 19 dialer.exe 1 8->19         started        22 sc.exe 1 8->22         started        24 powershell.exe 23 8->24         started        33 13 other processes 8->33 60 C:\Windows\Temp\zafotxwnwuef.sys, PE32+ 12->60 dropped 124 Multi AV Scanner detection for dropped file 12->124 126 Sample is not signed and drops a device driver 12->126 128 Modifies power options to not sleep / hibernate 12->128 26 dialer.exe 12->26         started        28 dialer.exe 12->28         started        35 12 other processes 12->35 78 192.168.2.4, 138, 443, 49638 unknown unknown 14->78 80 239.255.255.250 unknown Reserved 14->80 31 chrome.exe 14->31         started        82 127.0.0.1 unknown unknown 17->82 37 2 other processes 17->37 file6 signatures7 process8 dnsIp9 92 Contains functionality to inject code into remote processes 19->92 94 Writes to foreign memory regions 19->94 96 Allocates memory in foreign processes 19->96 98 Contains functionality to compare user and computer (likely to detect sandboxes) 19->98 39 lsass.exe 19->39 injected 42 winlogon.exe 19->42 injected 50 3 other processes 19->50 100 Adds a directory exclusion to Windows Defender 22->100 102 Modifies power options to not sleep / hibernate 22->102 44 conhost.exe 22->44         started        104 Loading BitLocker PowerShell Module 24->104 46 conhost.exe 24->46         started        106 Injects code into the Windows Explorer (explorer.exe) 26->106 108 Creates a thread in another existing process (thread injection) 26->108 110 Injects a PE file into a foreign processes 26->110 52 2 other processes 26->52 68 miner1.squezz.com 185.250.47.93, 49758, 49770, 49776 SILVERSTAR-ASGB Russian Federation 28->68 70 pool-nyc.supportxmr.com 104.243.33.118, 443, 49757, 49771 RELIABLESITEUS United States 28->70 112 Query firmware table information (likely to detect VMs) 28->112 72 www.google.com 142.250.190.100, 443, 49737, 49738 GOOGLEUS United States 31->72 74 dl.google.com 142.250.190.78, 49773, 80 GOOGLEUS United States 31->74 76 2 other IPs or domains 31->76 48 conhost.exe 33->48         started        54 12 other processes 33->54 56 12 other processes 35->56 signatures10 process11 signatures12 114 Installs new ROOT certificates 39->114 116 Writes to foreign memory regions 39->116
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7cad2a9590e2f63ac4115fa2879cb9e5aeb48aa80f324945d82f0efe5baf7da3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7cad2a9590e2f63ac4115fa2879cb9e5aeb48aa80f324945d82f0efe5baf7da3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-04-26 21:43:13 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pswsvfmq4l3dvrarl6riphfz4wxljcvib4zesroyf4hp4w5ppwrq._file
Verdict:
malicious
Similar samples:
017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455
CoinMiner
176468f01cd7ca28f666e4b3ffed69b76b4306a6081bed0859c984950d344d83
CoinMiner
6607d552accc951f2cd068bb394200987d7d1e90e34f8cdab3afe6e3ccedee4e
CoinMiner
82ff14d43cb47b9956733b03996b4596cd2ad3787e1fbe0e091f2845c290d29d
CoinMiner
87eb7f02f97c135ae0d2e28201bbf91575f69e625cc483886020cf8cc678c79a
CoinMiner
bc84c3a9cfeb083fe41a238c55ea3163b5c9e5103fee0a7d7f4d8a1236b6d22d
CoinMiner
cb470d77087518ed7bc53ca624806c265ae2485d40ec212acc2559720940fb27
CoinMiner
dbbe21f14ca93d658be3606974e289edf4b205b22d967324c49cba1950f29b9e
CoinMiner
fcc22a367ed0a8d8de94f5159ab12c32606f97326b832eb47327b7707ba457a6
CoinMiner
+ 144 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/240430-ey86qscb46/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Creates new service(s)
Sets service image path in registry
Stops running service(s)
Modifies security service
Unpacked files
SH256 hash:
7cad2a9590e2f63ac4115fa2879cb9e5aeb48aa80f324945d82f0efe5baf7da3
MD5 hash:
f5a52d7f38e29a3749139aef116c1809
SHA1 hash:
cf3e85f2a8f58e4998c49f1655220fff335e3e68
Link:
https://www.unpac.me/results/a4f7b19e-a60e-4a98-b382-4b6ec56d1683/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7cad2a9590e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7cad2a9590e2f63ac4115fa2879cb9e5aeb48aa80f324945d82f0efe5baf7da3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 7cad2a9590e2f63ac4115fa2879cb9e5aeb48aa80f324945d82f0efe5baf7da3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2832154/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-04-30 04:21:55 UTC

url : hxxp://dcpanel.squezz.com/svchostMon.exe