MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8af00bf775390ea0d90e5d0db1d6ea1149d8a2da3e024948d3a4dce7b11f3237. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8af00bf775390ea0d90e5d0db1d6ea1149d8a2da3e024948d3a4dce7b11f3237
SHA3-384 hash: e2e37c0eb43d7da1f53682e2ac6b112116dfcfcb330351e1fc6603cd493de7518471632a695580140495da76dc509251
SHA1 hash: d04f3d6734114529981cafaf4a573405a7ea1acf
MD5 hash: 3091bb66ad892875e365d39c6c94c0e2
humanhash: indigo-bulldog-steak-uniform
File name:3091bb66ad892875e365d39c6c94c0e2
Download: download sample
Signature CoinMiner
Create hunting rule
File size:8'622'912 bytes
First seen:2023-02-22 03:51:55 UTC
Last seen:2023-02-22 05:32:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 35a81d16af9f2ba6d515f11152d0364b (58 x CoinMiner, 2 x CobaltStrike)
ssdeep 196608:LcDO0MQBAMP3ydwu/yJpgbrvhLn15bVFv6w3tksLo2WT6ot6J:LKTBAxaevhTPhQw32sL9WOoM
Threatray 842 similar samples on MalwareBazaar
TLSH T1B79633D5B5808FAAD2D59E397A68F7F74F54F306EE04458F4C69404B87B2E6B18A3083
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon d292b0b2da36bcbe (11 x AsyncRAT, 7 x Metasploit, 6 x CoinMiner)
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3091bb66ad892875e365d39c6c94c0e2
Verdict:
Malicious activity
Analysis date:
2023-02-22 03:55:15 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/43a24a2b-bcc1-4eb7-b685-1b7663a0f6bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368807/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.15653.28561.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Sending a custom TCP request
Running batch commands
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63f59165a6ba2f75a97884da/reports/1b25009e-cf7e-4bff-ae83-3deea596774f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8af00bf775390ea0d90e5d0db1d6ea1149d8a2da3e024948d3a4dce7b11f3237
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c2ef6cad-a14f-4234-8f97-eabf91cec098
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1180241
Signature
Antivirus detection for dropped file
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 813076 Sample: QdYANqlmBw.exe Startdate: 22/02/2023 Architecture: WINDOWS Score: 100 41 pool.hashvault.pro 2->41 43 Snort IDS alert for network traffic 2->43 45 Antivirus detection for dropped file 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 6 other signatures 2->49 7 QdYANqlmBw.exe 3 2->7         started        11 nvdrivesllapi32.exe 2->11         started        13 cmd.exe 1 2->13         started        15 7 other processes 2->15 signatures3 process4 file5 35 C:\Users\user\AppData\...\nvdrivesllapi32.exe, PE32+ 7->35 dropped 37 C:\Users\user\AppData\Local\...\lzjyhojz.tmp, PE32+ 7->37 dropped 39 C:\Windows\System32\drivers\etc\hosts, ASCII 7->39 dropped 51 Query firmware table information (likely to detect VMs) 7->51 53 Self deletion via cmd or bat file 7->53 55 Writes to foreign memory regions 7->55 71 5 other signatures 7->71 17 dialer.exe 2 7->17         started        57 Multi AV Scanner detection for dropped file 11->57 59 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->59 61 Hides threads from debuggers 11->61 63 Uses powercfg.exe to modify the power settings 13->63 65 Modifies power options to not sleep / hibernate 13->65 19 conhost.exe 13->19         started        21 powercfg.exe 1 13->21         started        23 powercfg.exe 1 13->23         started        31 2 other processes 13->31 67 Creates files in the system32 config directory 15->67 69 Uses schtasks.exe or at.exe to add and modify task schedules 15->69 25 conhost.exe 15->25         started        27 conhost.exe 15->27         started        29 conhost.exe 15->29         started        33 10 other processes 15->33 signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8af00bf775390ea0d90e5d0db1d6ea1149d8a2da3e024948d3a4dce7b11f3237/
Threat name:
Win64.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-02-22 03:52:11 UTC
File Type:
PE+ (Exe)
Extracted files:
13
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rlyax53vhehkbwiolug3dvxkcfe5riw2hybessgtutoopmi7gi3q._file
Verdict:
malicious
Similar samples:
211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61
CoinMiner
4d7de57abd009b6bc6e16e3a135d19788b576bc67c75d697ba77f297453fe1fa
CoinMiner
50c2bec0fbc955824b6b2648d30fc42a5fc64994411fdb6026f560d0aa8e178e
CoinMiner
65938e02d2a41a676e7883789f03b13aa9b311ec7c30450448f143a24058e1f9
CoinMiner
84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f
CoinMiner
8bd2ae95df444e91d6f69cd4b8555928e8f456afd7cab4cbdf04949835296ff3
CoinMiner
cde83c58766ae18bd516cfa78098c411fd1d0ebff083896f35fc33b10afa0e50
CoinMiner
dcdf6845df1e1aed6f335dd6f2a3ff7351984522235937e5c4a1c746c7fe4371
CoinMiner
eab9a40c5379d460e7d5f3d11c2b766ce8674c2240110e063fecb0c651e0dd67
CoinMiner
ef1cb9555d780addb510d052b41f070dbdeb931c3f916bf345a419a4d437a167
CoinMiner
+ 832 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner themida trojan upx
Link:
https://tria.ge/reports/230222-ee3vlsbe8s/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Executes dropped EXE
Loads dropped DLL
Themida packer
UPX packed file
Drops file in Drivers directory
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
8af00bf775390ea0d90e5d0db1d6ea1149d8a2da3e024948d3a4dce7b11f3237
MD5 hash:
3091bb66ad892875e365d39c6c94c0e2
SHA1 hash:
d04f3d6734114529981cafaf4a573405a7ea1acf
Link:
https://www.unpac.me/results/cbabc4e3-beb7-4dc4-84ba-991028441e62/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8af00bf77539/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8af00bf775390ea0d90e5d0db1d6ea1149d8a2da3e024948d3a4dce7b11f3237

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 8af00bf775390ea0d90e5d0db1d6ea1149d8a2da3e024948d3a4dce7b11f3237

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2547387/
Cape
Cape
https://www.capesandbox.com/analysis/368807/

Comments


Avatar
zbet commented on 2023-02-22 03:51:57 UTC

url : hxxp://94.130.228.214/nvdrivesllapi.exe