MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94f489213a0ee29acccf38e860fe1c988fa96f44b492b32b9b32d1b50dfc652a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94f489213a0ee29acccf38e860fe1c988fa96f44b492b32b9b32d1b50dfc652a
SHA3-384 hash: e59f1c8e1ed7ebced5ea874f4c577d43d246836503a6f08f8bf0fc1e4c99651e68316ad6306efbf521bc7457dd67bf09
SHA1 hash: 2e2320a7c2edbaa08eee810ad6a00e8364462b6d
MD5 hash: 4e5d629bef51480521e9640644dc572c
humanhash: mars-sixteen-princess-kitten
File name:4e5d629bef51480521e9640644dc572c
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'337'664 bytes
First seen:2023-07-07 06:28:29 UTC
Last seen:2023-07-07 07:39:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:6kXtYb44uvaisvNRkvn6N+O5t3Q5xDrI4u3IlHS:6kXoVwfs3kv6kwoHE4ly
Threatray 9 similar samples on MalwareBazaar
TLSH T1A31601A1F7E4F500C4BAAB38B12464948DB2DDFBD530857F48C4B2CA7BF5A443A4166E
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b230e086c0d0cccc (1 x CoinMiner)
Reporter zbetcheckin
Tags:64 CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
331
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4e5d629bef51480521e9640644dc572c
Verdict:
Malicious activity
Analysis date:
2023-07-07 06:38:42 UTC
Tags:
miner
Link:
https://app.any.run/tasks/74ebf475-d52d-49c6-9172-92d8ea6ab1e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/410345/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.23398.17714.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64a7b0af8583eaadb34f588a/reports/76ffbca9-889a-454c-ac80-d2397c2e872d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/94f489213a0ee29acccf38e860fe1c988fa96f44b492b32b9b32d1b50dfc652a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6f004e17-4024-44c5-9c17-f239a77ebbe0
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1268904
Signature
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Uses powercfg.exe to modify the power settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1268904 Sample: zP4L86FV4d.exe Startdate: 07/07/2023 Architecture: WINDOWS Score: 80 38 i.ibb.co 2->38 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 9 zP4L86FV4d.exe 14 3 2->9         started        signatures3 process4 dnsIp5 40 i.ibb.co 162.19.58.160, 443, 49698, 49699 CENTURYLINK-US-LEGACY-QWESTUS United States 9->40 42 192.168.2.1 unknown unknown 9->42 36 C:\Users\user\AppData\...\zP4L86FV4d.exe.log, CSV 9->36 dropped 52 Encrypted powershell cmdline option found 9->52 54 Modifies the context of a thread in another process (thread injection) 9->54 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->56 58 Injects a PE file into a foreign processes 9->58 14 zP4L86FV4d.exe 1 9->14         started        file6 signatures7 process8 signatures9 60 Encrypted powershell cmdline option found 14->60 17 cmd.exe 1 14->17         started        20 powershell.exe 36 14->20         started        22 powershell.exe 19 14->22         started        process10 signatures11 44 Uses powercfg.exe to modify the power settings 17->44 46 Modifies power options to not sleep / hibernate 17->46 24 conhost.exe 17->24         started        26 powercfg.exe 1 17->26         started        28 powercfg.exe 1 17->28         started        34 2 other processes 17->34 30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94f489213a0ee29acccf38e860fe1c988fa96f44b492b32b9b32d1b50dfc652a/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-06 07:19:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
123
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=st2isij2b3rjvtgphdugb7q4tch2s32ewsjlgk43gli3kdp4muva._file
Verdict:
malicious
Similar samples:
11ec89ea5da82e62e0a851d6bc49f38b39cd7ab6db3b254029fe9f923fce0d7b
CoinMiner
3a8813ca6b82fb6237ed81b288f0887686a54004e8408c38442206176275a082
CoinMiner
509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39
CoinMiner
624238f70f727064dea6756cdf10cf7673ffc2d627f0c5d34099baf910a75ec8
CoinMiner
6d47f8ada452dc27e95a28f8a81289605e672ccc37535ead55be796bd1eb861f
CoinMiner
a20d62110e3e9d2659ee55299033ff3542bdce0b669f299dad18dddce4ddc1af
CoinMiner
a8d0ac5762f61683d7cbcbfc53e0b650e632625d7ffabf08b45986908891ee96
CoinMiner
d560cfb59c61c87d0d4b33aecc98b74c58475c6dd8a3cf6f3bcff2ee05d4c45f
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/230707-g8xa2aff25/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
94f489213a0ee29acccf38e860fe1c988fa96f44b492b32b9b32d1b50dfc652a
MD5 hash:
4e5d629bef51480521e9640644dc572c
SHA1 hash:
2e2320a7c2edbaa08eee810ad6a00e8364462b6d
Link:
https://www.unpac.me/results/99aa073f-6480-415c-9281-649187444bae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94f489213a0ee29acccf38e860fe1c988fa96f44b492b32b9b32d1b50dfc652a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 94f489213a0ee29acccf38e860fe1c988fa96f44b492b32b9b32d1b50dfc652a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/410345/
  
URLhaus
https://urlhaus.abuse.ch/url/2678002/

Comments


Avatar
zbet commented on 2023-07-07 06:28:30 UTC

url : hxxp://45.142.182.146/keysmaftehotim/nvdaiaContainer.exe