MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a45c640e91c9140c994f9e9ca5cfaea2f11000f988d538482356aa385ece7ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a45c640e91c9140c994f9e9ca5cfaea2f11000f988d538482356aa385ece7ba
SHA3-384 hash: 70b8c74c375213f8421d104c29bce2892fe705b63505ec5d26521f6655ef4a1f97bda13953166e0244f2adc9a9c9d642
SHA1 hash: ff4c40e1ad450f60b4c7ecb8bce15d27a622beed
MD5 hash: ffb7bbf6e3e3199555b979b46d3789a6
humanhash: louisiana-snake-whiskey-florida
File name:servies.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:8'705'904 bytes
First seen:2022-03-08 22:53:15 UTC
Last seen:2022-04-19 21:05:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dc12932426806b6b47a373d7ae42c21d (12 x CoinMiner, 1 x StealeriumStealer)
ssdeep 196608:ueC2yhvhGj3d4iEIopsTmIHvJifK3f1h+FDGs7+dPTYM+NGYvlaTkD:ueCThvMWISsHJBP/+F1+dPM9NbvlaTk
Threatray 8 similar samples on MalwareBazaar
TLSH T1F29622F315E12EAEC219E4F5C241B83FCADFB0B5072AB6E3909A325195779D07178B09
Reporter 3xp0rtblog
Tags:CoinMiner exe miner Pripyat

Intelligence

File Origin
# of uploads :
4
# of downloads :
610
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248513/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.7368.1125.3563.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm overlay packed wacatac
Link:
https://www.filescan.io/uploads/6227de90dfdfa8501c7ca93e/reports/b2b1c8b7-7061-4b37-b4c8-edd8b6f144cd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eea4a27d-c633-4dd5-b7c4-4ad2225156c8
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/953039
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicius Schtasks From Env Var Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 585520 Sample: servies.exe Startdate: 08/03/2022 Architecture: WINDOWS Score: 100 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected Xmrig cryptocurrency miner 2->68 70 4 other signatures 2->70 8 servies.exe 5 2->8         started        12 servies.exe 3 2->12         started        14 svchost.exe 2->14         started        16 10 other processes 2->16 process3 dnsIp4 48 C:\Users\user\AppData\Roaming\...\servies.exe, PE32+ 8->48 dropped 50 C:\Users\user\...\servies.exe:Zone.Identifier, ASCII 8->50 dropped 52 C:\Users\user\AppData\...\servies.exe.log, ASCII 8->52 dropped 74 Detected unpacking (changes PE section rights) 8->74 76 Tries to detect virtualization through RDTSC time measurements 8->76 19 cmd.exe 1 8->19         started        21 cmd.exe 1 8->21         started        78 Multi AV Scanner detection for dropped file 12->78 80 Tries to detect sandboxes and other dynamic analysis tools (window names) 12->80 24 sihost64.exe 3 12->24         started        82 Changes security center settings (notifications, updates, antivirus, firewall) 14->82 26 MpCmdRun.exe 14->26         started        58 127.0.0.1 unknown unknown 16->58 file5 signatures6 process7 signatures8 28 servies.exe 7 19->28         started        32 conhost.exe 19->32         started        72 Uses schtasks.exe or at.exe to add and modify task schedules 21->72 34 conhost.exe 21->34         started        36 schtasks.exe 1 21->36         started        38 servies.exe 24->38         started        40 conhost.exe 26->40         started        process9 file10 54 C:\Users\user\AppData\...\sihost64.exe, PE32+ 28->54 dropped 56 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 28->56 dropped 92 Injects code into the Windows Explorer (explorer.exe) 28->92 94 Writes to foreign memory regions 28->94 96 Allocates memory in foreign processes 28->96 98 3 other signatures 28->98 42 explorer.exe 28->42         started        46 sihost64.exe 28->46         started        signatures11 process12 dnsIp13 60 92.63.97.156, 80 THEFIRST-ASRU Russian Federation 42->60 62 131.153.76.130, 443, 49737 PHOENIXNAP-AS-SG1PhoenixNAPSG United States 42->62 84 System process connects to network (likely due to code injection or exploit) 42->84 86 Query firmware table information (likely to detect VMs) 42->86 88 Antivirus detection for dropped file 46->88 90 Multi AV Scanner detection for dropped file 46->90 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a45c640e91c9140c994f9e9ca5cfaea2f11000f988d538482356aa385ece7ba/
Threat name:
Win64.Trojan.Fsysna
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 12:16:21 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
21 of 42 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
CoinMiner
5f5dd9783ee79a7097f47c023015c07c76d5b9e5562362fa54cc28b2f7d1744a
CoinMiner
ca46cdaacb0f193d203f135cd546310e06125405c9c44648f10f1dbcdb343ca0
CoinMiner
d5b1a96dc7d4007a9228abee105cd77305827ed28aac77932e7c416c888c9d30
CoinMiner
eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87
CoinMiner
edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/220308-2vjg8sedcj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
9a45c640e91c9140c994f9e9ca5cfaea2f11000f988d538482356aa385ece7ba
MD5 hash:
ffb7bbf6e3e3199555b979b46d3789a6
SHA1 hash:
ff4c40e1ad450f60b4c7ecb8bce15d27a622beed
Link:
https://www.unpac.me/results/fe4be6a7-0b5d-44e2-aea7-c18dcc9f407e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9a45c640e91c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9a45c640e91c9140c994f9e9ca5cfaea2f11000f988d538482356aa385ece7ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/3xp0rtblog/status/1501330153900703745
Cape
Cape
https://www.capesandbox.com/analysis/248513/

Comments