MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82e7098d2ce0d47e28b6f33ce657a50cef57f3112506700ec9d3379bb4431a6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82e7098d2ce0d47e28b6f33ce657a50cef57f3112506700ec9d3379bb4431a6b
SHA3-384 hash: 8e4e922252ed764749e5032f8dd0fdc401c3965fff00eed0e38e8b897dfb322f0bf0e46ad3b5a06d450214d6acdc146c
SHA1 hash: c64d76c2762b896d90989628e3efa3a42fd87dac
MD5 hash: 932995418300bee0f9d7ecb9ae6157ca
humanhash: may-floor-april-december
File name:SecuriteInfo.com.Trojan.BankBot.566.23380.17040
Download: download sample
Signature CoinMiner
Create hunting rule
File size:18'374'656 bytes
First seen:2025-02-11 09:52:54 UTC
Last seen:2025-02-11 11:10:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7b7b517cf49febe9724e1b897a98881 (22 x CoinMiner)
ssdeep 393216:OyLTX9ufOqPnX7sjbNGYK1hVeEGYGn4iOoS6j9Mlh:Nf9GOAQj1UUE44iOoSuKr
Threatray 261 similar samples on MalwareBazaar
TLSH T1D90723C792CE5BB8E1C34741584323CB7CC5A4759ABDE99C3AC14C02B566EAC09CBB67
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
374
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
yt.exe
Verdict:
Malicious activity
Analysis date:
2025-02-10 21:22:41 UTC
Tags:
lumma stealer loader netreactor amadey botnet stealc cryptbot gcleaner auto autoit generic redline rat asyncrat remote telegram vidar arch-exec lefthook tofsee miner credentialflusher themida phoenixstealer alfonsostealer hunterstealer github screenconnect
Link:
https://app.any.run/tasks/c69e7baf-84ab-4717-a74a-993b414d5753

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.BankBot.566.23380.17040.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ab1e5a49f32dfb0d82f465
Tags:
vmprotect virus
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67ab4e69b14095ae85fb4783/reports/0da01b31-d1c9-4863-addc-d78ee61adad0/overview
Verdict:
Malicious
Labled as:
Trojan[Packed]/Win64.VMProtect
Link:
https://www.hybrid-analysis.com/sample/82e7098d2ce0d47e28b6f33ce657a50cef57f3112506700ec9d3379bb4431a6b
Result
Verdict:
UNKNOWN
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/54fb2987-9832-45eb-b836-3314ddc029e7
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1611949
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1611949 Sample: SecuriteInfo.com.Trojan.Ban... Startdate: 11/02/2025 Architecture: WINDOWS Score: 100 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected Xmrig cryptocurrency miner 2->60 62 Sigma detected: Stop EventLog 2->62 64 8 other signatures 2->64 8 SecuriteInfo.com.Trojan.BankBot.566.23380.17040.exe 1 2 2->8         started        12 WindowsAutHost 1 2->12         started        process3 file4 52 C:\ProgramData\...\WindowsAutHost, PE32+ 8->52 dropped 54 C:\Windows\System32\drivers\etc\hosts, ASCII 8->54 dropped 66 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->66 68 Query firmware table information (likely to detect VMs) 8->68 70 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->70 80 8 other signatures 8->80 14 dialer.exe 1 8->14         started        17 powershell.exe 23 8->17         started        19 cmd.exe 1 8->19         started        27 13 other processes 8->27 56 C:\Windows\Temp\xilveeazvwhm.sys, PE32+ 12->56 dropped 72 Multi AV Scanner detection for dropped file 12->72 74 Protects its processes via BreakOnTermination flag 12->74 76 Modifies the context of a thread in another process (thread injection) 12->76 78 Sample is not signed and drops a device driver 12->78 21 powershell.exe 12->21         started        23 cmd.exe 12->23         started        25 sc.exe 1 12->25         started        29 5 other processes 12->29 signatures5 process6 signatures7 82 Contains functionality to inject code into remote processes 14->82 84 Writes to foreign memory regions 14->84 86 Allocates memory in foreign processes 14->86 90 3 other signatures 14->90 31 lsass.exe 14->31 injected 40 10 other processes 14->40 88 Loading BitLocker PowerShell Module 17->88 34 conhost.exe 17->34         started        42 2 other processes 19->42 36 conhost.exe 21->36         started        44 2 other processes 23->44 38 conhost.exe 25->38         started        46 13 other processes 27->46 48 4 other processes 29->48 process8 signatures9 92 Writes to foreign memory regions 31->92 50 svchost.exe 31->50 injected process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/82e7098d2ce0d47e28b6f33ce657a50cef57f3112506700ec9d3379bb4431a6b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82e7098d2ce0d47e28b6f33ce657a50cef57f3112506700ec9d3379bb4431a6b/
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2025-02-10 20:23:21 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qltqtdjm4dkh4kfw6m6omv5fbtxvp4yreudhadwj2m3zxncddjvq._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
Similar samples:
3c818d91af1ad7aaa0e599d76ff395e5b694bd2cf05d65d0b53d2036fea726c8
CoinMiner
68231c9b195a3987bc26bb9af2543f49a04c1343bbb17982bc6302a21138e33a
CoinMiner
6b7e8e31e1346fbdff6f98d02e07c69b77b251f85b3b98288086b38c98216da3
CoinMiner
8462485220bfcba052d89e06bb3eaf38343b92bc246e391050f6019e70dba6a6
CoinMiner
93f357da57abc8674b201846e4284568b121ae4c06be4889d5092b6d23cb0146
CoinMiner
d6787107b40d3d9c65b07aea10e10fa14ff04efbb497b6caf5854812d8e7648b
CoinMiner
error
CoinMiner
fde56e00761a85ad495bd2d05654f3657922f665f58edfabcf43d2fa769f0d79
CoinMiner
ff0a72d1860c9cad62aa4e48afe58831edc35ef4947661c7335dd08e5f26e05b
CoinMiner
+ 251 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution persistence
Link:
https://tria.ge/reports/250211-lwxs9aspgn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Power Settings
Checks BIOS information in registry
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Sets service image path in registry
Stops running service(s)
Modifies security service
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a4238bea-c2e7-4d7e-b486-0a5bfbb7f4f5
Unpacked files
SH256 hash:
82e7098d2ce0d47e28b6f33ce657a50cef57f3112506700ec9d3379bb4431a6b
MD5 hash:
932995418300bee0f9d7ecb9ae6157ca
SHA1 hash:
c64d76c2762b896d90989628e3efa3a42fd87dac
Link:
https://www.unpac.me/results/d18b0506-10b0-4275-9264-416f1c493030/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/82e7098d2ce0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/82e7098d2ce0d47e28b6f33ce657a50cef57f3112506700ec9d3379bb4431a6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 82e7098d2ce0d47e28b6f33ce657a50cef57f3112506700ec9d3379bb4431a6b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3435942/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA

Comments