MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93b23a6c53538ac84e7d374ad19c7e427f04e08ae3ebb72c8c6ee8f125c4b33c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93b23a6c53538ac84e7d374ad19c7e427f04e08ae3ebb72c8c6ee8f125c4b33c
SHA3-384 hash: 00fb819352be0b00f1b72dff78e1d86f3cc4c266e69639f6040d2112ce3a11c9e63a9e82f08da23262674a5ec2bac4de
SHA1 hash: 7468fd5c8824c1e940f043e06afe2276bb72e4c1
MD5 hash: 5ecfc245636e3740f27ae5fe6a964bc3
humanhash: double-enemy-mango-muppet
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'639'408 bytes
First seen:2023-12-12 18:18:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (37 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:4K5TDJL0xEGPrSOh7W58zed7IaaMHqgez6ILEE10FpBJbME7uRIdCLF:4K5T10rl6pzHqge2cO7IEiRIYF
Threatray 416 similar samples on MalwareBazaar
TLSH T191C53352BBD098F8E3422870945897911776D3240B2D68C793B57A136D3A3C3AE7DECB
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon f4f4ccccdcd4d4d4 (1 x CoinMiner)
Reporter jstrosch
Tags:CoinMiner exe signed

Code Signing Certificate

Organisation:ESET NOD32
Issuer:ESET NOD32
Algorithm:sha256WithRSAEncryption
Valid from:2023-11-27T00:00:00Z
Valid to:2025-11-27T00:00:00Z
Serial number: 7b425d1257eae6bf
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: c5f5f5f2b604f0dfa160c4f72f8051307fd075551c133e218bfe1882eb55a1b7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://www.mediafire.com/folder/bhzkt4wjxzkmr/Installer_2.0
Verdict:
Malicious activity
Analysis date:
2023-12-12 11:10:01 UTC
Tags:
stealer redline kelihos trojan loader
Link:
https://app.any.run/tasks/cf6cd5ff-76ae-4876-a0a5-8bb439852f2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/466973/
Detection(s):
Win.Keylogger.Gencbl-9969771-0
Create hunting rule

Win.Malware.7zip-10013374-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Sending a custom TCP request
Replacing files
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer hook installer keylogger lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6578a41bda3178d99ce317fa/reports/3c3f5036-7e19-4482-9ef6-0ccc7f5cc0e9/overview
Verdict:
Malicious
Labled as:
Keylogger.Gencbl
Link:
https://www.hybrid-analysis.com/sample/93b23a6c53538ac84e7d374ad19c7e427f04e08ae3ebb72c8c6ee8f125c4b33c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/eaff6bbf-2273-404f-b24f-f29fb8474943
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1360708
Behaviour
Behavior Graph:
n/a
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/93b23a6c53538ac84e7d374ad19c7e427f04e08ae3ebb72c8c6ee8f125c4b33c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93b23a6c53538ac84e7d374ad19c7e427f04e08ae3ebb72c8c6ee8f125c4b33c/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Suspicious
First seen:
2023-12-11 18:03:39 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
10 of 37 (27.03%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sozdu3ctkofmqtt5g5fndhd6ij7qjyek4pv3olemn3upcjoewm6a._file
Verdict:
malicious
Similar samples:
0730faacdd88a3ff3ee83498e4c8665c8d023f6979da74a4168ea1673c432384
CoinMiner
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
CoinMiner
84f515bfed1a8fa9f055a9f3bddb3851618ce0b0b940a5d548aadc24c19362bb
CoinMiner
86f5b4f32c68f9337a19363da77d77b6275923da37d2e4144b8f0740620fd3ac
CoinMiner
aa89562efabab44187a1813c2ad73254d12e6ef92ede28d0a6054ee1ea09a175
CoinMiner
ac660e725f1484dfe6b6d4f8606a4711fd9354c2bf8d5d4f63bad03c39849894
CoinMiner
ae68aa627df4a3fd10e5416195e29203ea60227560f3e1de22fb907e86c369ad
CoinMiner
c89400e70500cd0faad8ea9d0c8d3cc2fc58408c1123dd3fbcd02e80d4bbed65
CoinMiner
+ 406 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231212-wx64esbdb9/
Behaviour
Creates scheduled task(s)
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
62e050bbcf1866a212b64b138fdaac2f959bc89ce99455833dba36e4e189e274
MD5 hash:
b996c5dbabfd6ae41a4ddb878fc49064
SHA1 hash:
eac10778f93957ed5c9c4c0e630f5c2c637ef545
Link:
https://www.unpac.me/results/97df1961-2c60-4d9e-8fa2-e4b46530c240/
SH256 hash:
93b23a6c53538ac84e7d374ad19c7e427f04e08ae3ebb72c8c6ee8f125c4b33c
MD5 hash:
5ecfc245636e3740f27ae5fe6a964bc3
SHA1 hash:
7468fd5c8824c1e940f043e06afe2276bb72e4c1
Link:
https://www.unpac.me/results/97df1961-2c60-4d9e-8fa2-e4b46530c240/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93b23a6c53538ac84e7d374ad19c7e427f04e08ae3ebb72c8c6ee8f125c4b33c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 93b23a6c53538ac84e7d374ad19c7e427f04e08ae3ebb72c8c6ee8f125c4b33c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2736330/
Cape
Cape
https://www.capesandbox.com/analysis/466973/

Comments