MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84c18f78f11b9bc3fd3e96925d2a7b76ab5ecfb927c377ad27456e191815b24a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84c18f78f11b9bc3fd3e96925d2a7b76ab5ecfb927c377ad27456e191815b24a
SHA3-384 hash: 20d6f7a189b28352e03c72675d8135b8f22bb7f94559beaab84fa3b2c2a3d0aa18eb0adbc76e6407c3fce65f912e29a1
SHA1 hash: 342de51363d15f8fc6b5099ad0bf5f5191452b74
MD5 hash: 9453b414b969dc9b52b9327e324dc1eb
humanhash: ack-rugby-rugby-timing
File name:9453b414b969dc9b52b9327e324dc1eb.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'490'304 bytes
First seen:2023-05-08 16:25:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 49152:WUGS9ZE245CHyDNPLno4A0pRxnNQpSKqemCcAfpX:
Threatray 12 similar samples on MalwareBazaar
TLSH T1ABF512B32FC7FDFA93640A74B84216595E8028B74B2CF191B88CB5AB71A4564DE1DCF0
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
http://valong.ug/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9453b414b969dc9b52b9327e324dc1eb.exe
Verdict:
Malicious activity
Analysis date:
2023-05-08 16:28:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/660ecf86-0064-4d65-b8c9-1c46d7975c74

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387575/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Krypt.11.19442.19331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6459229c1c5e6717120749d6/reports/461f5ecf-4615-4f2d-94df-4d969379713f/overview
Verdict:
Malicious
Labled as:
MSIL.Krypt.Generic
Link:
https://www.hybrid-analysis.com/sample/84c18f78f11b9bc3fd3e96925d2a7b76ab5ecfb927c377ad27456e191815b24a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/23a83a01-beb2-4a90-b715-21914679ac61
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228475
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 861439 Sample: AR9qt4n5eK.exe Startdate: 08/05/2023 Architecture: WINDOWS Score: 100 45 nickshort.ug 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected AntiVM3 2->51 53 5 other signatures 2->53 9 AR9qt4n5eK.exe 3 2->9         started        13 Method.exe 1 2->13         started        signatures3 process4 file5 39 C:\Users\...\Uaohplnznpqjblablyawgradz.exe, PE32 9->39 dropped 41 C:\Users\user\AppData\...\AR9qt4n5eK.exe.log, ASCII 9->41 dropped 55 Encrypted powershell cmdline option found 9->55 57 Injects a PE file into a foreign processes 9->57 15 Uaohplnznpqjblablyawgradz.exe 1 9->15         started        18 AR9qt4n5eK.exe 1 9->18         started        20 powershell.exe 14 9->20         started        24 2 other processes 9->24 59 Antivirus detection for dropped file 13->59 61 Multi AV Scanner detection for dropped file 13->61 63 Machine Learning detection for dropped file 13->63 22 Method.exe 13->22         started        signatures6 process7 signatures8 65 Antivirus detection for dropped file 15->65 67 Machine Learning detection for dropped file 15->67 69 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->69 71 Injects a PE file into a foreign processes 15->71 26 Uaohplnznpqjblablyawgradz.exe 5 15->26         started        29 Uaohplnznpqjblablyawgradz.exe 15->29         started        73 Hides threads from debuggers 18->73 31 certreq.exe 1 18->31         started        33 conhost.exe 20->33         started        process9 file10 43 C:\Users\user\AppData\Local\...\Method.exe, PE32 26->43 dropped 35 WerFault.exe 24 9 26->35         started        37 conhost.exe 31->37         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84c18f78f11b9bc3fd3e96925d2a7b76ab5ecfb927c377ad27456e191815b24a/
Threat name:
ByteCode-MSIL.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2023-05-08 16:26:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtay66hrdon4h7j6s2jf2kt3o2vv5t5ze7bxpljhivxbsgavwjfa._file
Verdict:
malicious
Similar samples:
112466c6694ff308605d790a0c91b702d949a635a4f8a3e8129f65d6fbcb58df
CoinMiner
12a5158d4768fb51739e6b0fc155057116e20228c7ab22ef3e08dbfdca2e13ad
CoinMiner
272872a41e4e0ae720f6f61e50320720cf0313fe65d4c039334ed6c0cb7f37b0
CoinMiner
6885a9ebd3e4a2d367b385f8d846f528bacfc944b7be6f1e2eca12d6c951a7d5
CoinMiner
71664ca9b4d0ca2030a0bb792ae8d6c6791fb57f71ed061899af6dda9c06630a
CoinMiner
82a3a3234c7dbddf79b32b1cf05cd7d5806512824d0536edcbce4dc529519d92
CoinMiner
9142931e43055d6363ee826270edf47ada8acc56ebca1084ca9ee2fcca579536
CoinMiner
9206df8f28b1540fa4f76fc385b2d786fadaef5cf7b0e24e5218ff7fff0fcbad
CoinMiner
a0959f72e13211452dc49f9359f43d5b7df3a98fb24f0fbaf0ec2c29d85bb1ec
CoinMiner
fd24ac75f267d1cc406697651273087eaf7c5f86ff59d323fdf66a41915429b0
CoinMiner
+ 2 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230508-txh1gsdc9z/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Azorult
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
Unpacked files
SH256 hash:
11c5db094e3e0b008b37d795def2b474db3c45cf70bd0f0c802da0334e886206
MD5 hash:
337a6be3981afac464c7041723f14917
SHA1 hash:
f3688abdbf66029b9d207086cce7f9bdc7e888ce
Link:
https://www.unpac.me/results/b9be3539-84a7-4b72-8465-ea44a32a797a/
SH256 hash:
6b77e2bfff019609c509c3e559c6870dbb7e8d8b9979affb98440e079c99e354
MD5 hash:
958e4d62824c29a594256646c3d6bbf9
SHA1 hash:
e2f2004a3932381c8e70ecde39a129f0f6add9b0
Link:
https://www.unpac.me/results/b9be3539-84a7-4b72-8465-ea44a32a797a/
SH256 hash:
148f698ec7089a2c42839b3c695c3f771b913daec2d8e9099c6095c8e8975566
MD5 hash:
371b7d96bde3e8a86edaa0c9a41d34cb
SHA1 hash:
92072509163a87cde3a80cb1b548e69f4a759f0a
Link:
https://www.unpac.me/results/b9be3539-84a7-4b72-8465-ea44a32a797a/
SH256 hash:
c9eb7ccc1efade694ef121502e0304a94163118d9949a2ca7c35943000fee6e0
MD5 hash:
9655ef312eaf08158ff48b602282c291
SHA1 hash:
475b3f337c19d1ca51c85a017822956fb423ca98
Link:
https://www.unpac.me/results/b9be3539-84a7-4b72-8465-ea44a32a797a/
SH256 hash:
9d955ab5bd4846f6ca06aa571827d4ecc079c86a6ff44036d1d9681ae09646c1
MD5 hash:
f4760b41f99836f22f1676ac8df6970a
SHA1 hash:
a49060839091d95fb341aa16ff1bcd7797ba5bdc
Link:
https://www.unpac.me/results/b9be3539-84a7-4b72-8465-ea44a32a797a/
SH256 hash:
e5dd0215f5b66eae43f208bad8a8eac373ba1f16ebc10878a2a0d0dd8da3360b
MD5 hash:
f41bf69356ca2134fb829c7af5eae89f
SHA1 hash:
0d88d70c2e1796612c205929124886b75673780b
Link:
https://www.unpac.me/results/b9be3539-84a7-4b72-8465-ea44a32a797a/
SH256 hash:
b30a06c7863aa9622692adc8d65f5e3a872505c7fb44f02cfb669a51fab8fa9a
MD5 hash:
7abd8273972b0235d0c81ab4019cdc6e
SHA1 hash:
eda5d010cc55d0848aa2b3a250fd36eaea2c0135
Detections:
win_brute_ratel_c4_w0
Create hunting rule
Link:
https://www.unpac.me/results/b9be3539-84a7-4b72-8465-ea44a32a797a/
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/b9be3539-84a7-4b72-8465-ea44a32a797a/
SH256 hash:
0a1022b53263279b762393fcd7fa3400adc5b910023174f8f2b9d55995a46462
MD5 hash:
ca306caa7bc6f3d921b7027f22c9abec
SHA1 hash:
c113beb1d95486871518259c2dce29ac6cca4a63
Link:
https://www.unpac.me/results/b9be3539-84a7-4b72-8465-ea44a32a797a/
SH256 hash:
0bb4a19d54dcfded8d3e16924cd40af9d528e7f62984ada62df80061d92069e2
MD5 hash:
51f44a42cc93906188a9dadf61394cef
SHA1 hash:
64c7c36a51305e63b3f4da853af84f33662921a4
Detections:
win_brute_ratel_c4_w0
Create hunting rule
Link:
https://www.unpac.me/results/b9be3539-84a7-4b72-8465-ea44a32a797a/
Parent samples :
84c18f78f11b9bc3fd3e96925d2a7b76ab5ecfb927c377ad27456e191815b24a
3a60b811771921ba75cd82dedb4c98b15419e2487ac00ba78ca7d19b04a3747c
SH256 hash:
84c18f78f11b9bc3fd3e96925d2a7b76ab5ecfb927c377ad27456e191815b24a
MD5 hash:
9453b414b969dc9b52b9327e324dc1eb
SHA1 hash:
342de51363d15f8fc6b5099ad0bf5f5191452b74
Link:
https://www.unpac.me/results/b9be3539-84a7-4b72-8465-ea44a32a797a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/84c18f78f11b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84c18f78f11b9bc3fd3e96925d2a7b76ab5ecfb927c377ad27456e191815b24a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 84c18f78f11b9bc3fd3e96925d2a7b76ab5ecfb927c377ad27456e191815b24a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2271067/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1514098/
  
URLhaus
https://urlhaus.abuse.ch/url/2254174/
  
URLhaus
https://urlhaus.abuse.ch/url/1514313/
  
URLhaus
https://urlhaus.abuse.ch/url/2506772/
  
URLhaus
https://urlhaus.abuse.ch/url/2254177/
  
URLhaus
https://urlhaus.abuse.ch/url/2578024/
  
URLhaus
https://urlhaus.abuse.ch/url/2577943/
  
URLhaus
https://urlhaus.abuse.ch/url/1514315/
  
URLhaus
https://urlhaus.abuse.ch/url/1514297/
Cape
Cape
https://www.capesandbox.com/analysis/387575/
  
URLhaus
https://urlhaus.abuse.ch/url/2271066/
  
URLhaus
https://urlhaus.abuse.ch/url/2257580/
  
URLhaus
https://urlhaus.abuse.ch/url/1596393/
  
URLhaus
https://urlhaus.abuse.ch/url/2441296/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
  
URLhaus
https://urlhaus.abuse.ch/url/2254175/
  
URLhaus
https://urlhaus.abuse.ch/url/2257588/
  
URLhaus
https://urlhaus.abuse.ch/url/2627573/
  
URLhaus
https://urlhaus.abuse.ch/url/2627575/

Comments