MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9598b077e43d52e3a506e23a96eaca924aa406f5374afa5139283646c448dfc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9598b077e43d52e3a506e23a96eaca924aa406f5374afa5139283646c448dfc3
SHA3-384 hash: 27aa747da6b0f0a40b69daaa34f7cbd5177c22a8e2e18a6c8a11a2296e086bb3f222cbf914557404545f4a4f258f0e67
SHA1 hash: 4fa202b925a1f82996e3004a92be552c459188e1
MD5 hash: e5f2fe6deb1c1f6bd3622f5f15cf28ec
humanhash: ohio-hotel-snake-washington
File name:Miner.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:6'372'449 bytes
First seen:2022-10-09 06:37:35 UTC
Last seen:2022-10-09 06:38:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e92fd54d65284238a0e3b74b2715062 (21 x Empyrean, 4 x Gh0stRAT, 4 x Telemiris)
ssdeep 196608:Zq47uyqWd9e+q2WWmQqh+ZZRCnFGEkotEaZGte:Duy1d9vqZQCn0faA
Threatray 2'712 similar samples on MalwareBazaar
TLSH T1D1563321836018FBFD7A9239D993E116EAB3B4002760D0DF47858A766F136E43EBDB54
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter JAMESWT_WT
Tags:afterburner-msi CoinMiner exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317991/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.5621.7552.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42077/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63426c4d0113594da3e9c2d9/reports/4c859746-5201-43cc-a1fe-4fa0947c95d6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b7fee5e-c12c-4a25-883e-1ceb67a275b5
Result
Threat name:
Crypto Miner, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086436
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sample is not signed and drops a device driver
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Yara detected Crypto Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 718993 Sample: Miner.exe Startdate: 09/10/2022 Architecture: WINDOWS Score: 100 39 xmr.2miners.com 2->39 41 pastebin.com 2->41 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 5 other signatures 2->57 9 Miner.exe 59 2->9         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\win32evtlog.pyd, PE32+ 9->27 dropped 29 C:\Users\user\AppData\Local\...\win32api.pyd, PE32+ 9->29 dropped 31 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->31 dropped 33 54 other files (none is malicious) 9->33 dropped 59 Suspicious powershell command line found 9->59 61 Very long command line found 9->61 63 Bypasses PowerShell execution policy 9->63 13 Miner.exe 9->13         started        signatures6 process7 signatures8 65 Suspicious powershell command line found 13->65 67 Very long command line found 13->67 16 powershell.exe 14 11 13->16         started        process9 dnsIp10 35 raw.githubusercontent.com 185.199.108.133, 443, 49703, 49704 FASTLYUS Netherlands 16->35 37 pastebin.com 104.20.67.143, 443, 49702 CLOUDFLARENETUS United States 16->37 25 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 16->25 dropped 43 Injects code into the Windows Explorer (explorer.exe) 16->43 45 Writes to foreign memory regions 16->45 47 Sample is not signed and drops a device driver 16->47 49 2 other signatures 16->49 21 conhost.exe 16->21         started        23 explorer.exe 16->23         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9598b077e43d52e3a506e23a96eaca924aa406f5374afa5139283646c448dfc3/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-09-04 03:24:21 UTC
File Type:
PE+ (Exe)
Extracted files:
418
AV detection:
11 of 41 (26.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=swmla57ehvjohjig4i5jn2wksjfkibxvg5fpuujzfa3enrci37bq._file
Verdict:
malicious
Similar samples:
0d275600019499df54ffc79e785d448bbb73d19bcc34f015f4b2272bdc6f9fa3
CoinMiner
1d3de5af7ff87d3202b4d595ea84b7e9aa28ebca236302eed698a5773cecbb86
CoinMiner
45f30d468d40cd3dd30d6a9b7e61a1f4c96c1cbbbe073750e2cbbb93f87ba24d
CoinMiner
46c9851a885a5107ee0e777e5603c2dee3444616eb6a9ec23c63434c7236c7ca
CoinMiner
5ddc2cf610e2d96fd8c46286bf28c201d3435f2e848302657376ff6feace226b
CoinMiner
5f45f47d879bf54f44ab26b4eaafbc80cd276dd72acc648220e95cac385b6ede
CoinMiner
842573dbd650df89baf277cd8659a9c532c67d657f830e98f38c2df305f3991d
CoinMiner
ad7e91af55a1e48ca702b1d8d4127a830688dd026df1c485a3e6c2bdd72ac336
CoinMiner
+ 2'702 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner pyinstaller
Link:
https://tria.ge/reports/221009-hd24gagdh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Blocklisted process makes network request
XMRig Miner payload
xmrig
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d8941d42-b04d-48bd-b08c-61ff6f36aaea
Unpacked files
SH256 hash:
9598b077e43d52e3a506e23a96eaca924aa406f5374afa5139283646c448dfc3
MD5 hash:
e5f2fe6deb1c1f6bd3622f5f15cf28ec
SHA1 hash:
4fa202b925a1f82996e3004a92be552c459188e1
Link:
https://www.unpac.me/results/fdc852b1-1853-43c9-85d0-c097e1d2cf6f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9598b077e43d52e3a506e23a96eaca924aa406f5374afa5139283646c448dfc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317991/

Comments