MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92b790e2afdc33ba7f943f4a4abba407c124fb2d80fd744b7cbd90654bac9e1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92b790e2afdc33ba7f943f4a4abba407c124fb2d80fd744b7cbd90654bac9e1e
SHA3-384 hash: 6b78dc36a73663f33db05875e99e425ace7a7b4350d4376290cb74300b8c8a0703ac50d815534856a97ddb3b79740667
SHA1 hash: a4bc35f5029077f304e3a1cd72ff75d219e4a022
MD5 hash: 679a446a9df957ab96bd8eaa059f1edc
humanhash: pasta-social-kilo-georgia
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'203'712 bytes
First seen:2022-11-11 21:21:08 UTC
Last seen:2022-11-12 01:51:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9736d66db92ba306c6ffd910a5e89138 (2 x CoinMiner)
ssdeep 24576:R2mXXqubsl7Jai7amH4jiISg7+h8FpaZUVI601bI1R4M:Tbbs18iOOIl0IWUWRbc
Threatray 2'155 similar samples on MalwareBazaar
TLSH T1DB4522E6E5B8D606C18AB2334C27DC54AB6DF9247B1F5B0BD294F94DF0942133C866AC
File icon (PE):PE icon
dhash icon b2a2e3e3e3a3a200 (6 x CoinMiner, 1 x Memento, 1 x RecordBreaker)
Reporter andretavare5
Tags:CoinMiner exe


Avatar
andretavare5
Sample downloaded from http://c3arquitectos.mx/svcruntime.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332652/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.25852.29153.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a file
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Creating a window
Sending an HTTP POST request
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/636ebcfb37a53af3a7f56ac4/reports/1003ad8d-9873-4985-9861-ceb602b6a65f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a6098e4c-f5a4-40b1-90d0-e4039a2c6efc
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1111559
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
PE file has nameless sections
Sets debug register (to hijack the execution of another thread)
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 744256 Sample: file.exe Startdate: 11/11/2022 Architecture: WINDOWS Score: 100 29 xmr-eu1.nanopool.org 2->29 35 Multi AV Scanner detection for domain / URL 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 4 other signatures 2->41 8 file.exe 5 2->8         started        signatures3 process4 file5 25 C:\ProgramData\WindowsMail\AVPTQBAEW.exe, MS-DOS 8->25 dropped 27 C:\Users\user\AppData\Local\...\file.exe.log, CSV 8->27 dropped 43 Sets debug register (to hijack the execution of another thread) 8->43 45 Tries to evade debugger and weak emulator (self modifying code) 8->45 47 Adds a directory exclusion to Windows Defender 8->47 12 cmd.exe 1 8->12         started        14 powershell.exe 20 8->14         started        signatures6 process7 process8 16 AVPTQBAEW.exe 12->16         started        19 conhost.exe 12->19         started        21 timeout.exe 1 12->21         started        23 conhost.exe 14->23         started        signatures9 31 Detected unpacking (changes PE section rights) 16->31 33 Tries to evade debugger and weak emulator (self modifying code) 16->33
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92b790e2afdc33ba7f943f4a4abba407c124fb2d80fd744b7cbd90654bac9e1e/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-11 21:22:11 UTC
File Type:
PE+ (Exe)
Extracted files:
152
AV detection:
16 of 25 (64.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sk3zbyvp3qz3u74uh5fevo5ea7asj6znqd6xis34xwigks5mtypa._file
Verdict:
unknown
Similar samples:
0888fc4761c83d95a42325d58611f798d488a467c7a5aa306cb798ba36f183cf
CoinMiner
3e609c3712aa32c0496a09c203f3487d06f2947f4e729ef2715b2ff5989d5dd7
CoinMiner
4e5379b783c36ca07f22c4203d203616228c1cd4411c11aa52808033e24d2ece
CoinMiner
5861abdbc493839d5852498effe891d6207377f708b54fa8b33059d6db82305f
CoinMiner
5d5e5331ca75a4c6d921ddc110d29af0c17c2aceef4dcbfb868bffd08ca1d31f
CoinMiner
5dc72a06a4554b286374b223bbf1bfd2eb3884f3952088a1193f6fc770991a51
CoinMiner
8577874f6a08a1f7e9a5f326dc8e7c9d7d396a683d3b24589062168f8dd7889c
CoinMiner
aeb1b15ec38f208611bba606eda298287a42064db8acb6a189183a3711778aa0
CoinMiner
b302f4f0f0f5f3f86497f005e73154e14afbccc13e1ebdfde664ab258a55cbbc
CoinMiner
+ 2'145 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/221111-z7wl8aee6t/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
XMRig Miner payload
xmrig
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/889e2cbc-a619-4584-8722-d665ee6bee22
Unpacked files
SH256 hash:
92b790e2afdc33ba7f943f4a4abba407c124fb2d80fd744b7cbd90654bac9e1e
MD5 hash:
679a446a9df957ab96bd8eaa059f1edc
SHA1 hash:
a4bc35f5029077f304e3a1cd72ff75d219e4a022
Link:
https://www.unpac.me/results/e2aad785-793d-4a54-a57c-855f28dd601b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/92b790e2afdc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/92b790e2afdc33ba7f943f4a4abba407c124fb2d80fd744b7cbd90654bac9e1e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/332652/
  
URLhaus
https://urlhaus.abuse.ch/url/2407127/

Comments