MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9af34ca7397ffb95cfe45763bcb525eec130c4c5e97a6f82e0d471eee808b291. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9af34ca7397ffb95cfe45763bcb525eec130c4c5e97a6f82e0d471eee808b291
SHA3-384 hash: dbd81044b426e2ce533e01a88811b31662eda83bc0093146722577a7648c0a351019f6ba8dbc0ca30faff6843e0b0e8b
SHA1 hash: ba9fd9a8e1b6a1543ffec7c6149d7799352f0e8b
MD5 hash: 879c5159c15fb3a80628bc964eb77c4d
humanhash: oxygen-texas-missouri-item
File name:tesy - Copy (6) - Copy.bat
Download: download sample
Signature CoinMiner
Create hunting rule
File size:700 bytes
First seen:2023-12-10 09:59:49 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 12:20ziYtWxdtsrpGfDbrvI4Bac9598U7Vs6BaA9598QYSvywDwc2RLsD/Zv:0xdRDbrvI4F9DhB9nYSvyQCLU/R
TLSH T1E8019E12B2D51408C6F6855578BD1A40FC4F112BD9D3784A32F6B42D581C097F76E9EC
Reporter Xev
Tags:bat CoinMiner CoinMiner.XMRig Downloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
GR GR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/464204/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
86%
Tags:
cmd powershell
Link:
https://www.filescan.io/uploads/65758c2456f85d0de4161509/reports/45235399-01f0-4a41-bf51-67ead2c2fe3a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9af34ca7397ffb95cfe45763bcb525eec130c4c5e97a6f82e0d471eee808b291
Result
Verdict:
MALICIOUS
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1357251
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1357251 Sample: tesy_-_Copy_(6)_-_Copy.bat Startdate: 10/12/2023 Architecture: WINDOWS Score: 100 36 cdn.nest.rip 2->36 38 xmr.2miners.com 2->38 42 Sigma detected: Xmrig 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 3 other signatures 2->48 8 cmd.exe 1 2->8         started        signatures3 process4 signatures5 62 Suspicious powershell command line found 8->62 64 Tries to download and execute files (via powershell) 8->64 11 cmd.exe 1 8->11         started        13 powershell.exe 28 8->13         started        17 powershell.exe 14 16 8->17         started        20 conhost.exe 8->20         started        process6 dnsIp7 22 xmrig.exe 1 11->22         started        26 conhost.exe 11->26         started        28 C:\Users\user\Desktop\...\xmrig.exe, PE32+ 13->28 dropped 30 C:\Users\user\Desktop\...\WinRing0x64.sys, PE32+ 13->30 dropped 32 C:\Users\user\Desktop\...\start.cmd, ASCII 13->32 dropped 66 Sample is not signed and drops a device driver 13->66 34 cdn.nest.rip 104.21.2.108, 443, 49705 CLOUDFLARENETUS United States 17->34 68 Powershell drops PE file 17->68 file8 signatures9 process10 dnsIp11 40 xmr.2miners.com 162.19.139.184, 2222, 49706 CENTURYLINK-US-LEGACY-QWESTUS United States 22->40 50 Antivirus detection for dropped file 22->50 52 Multi AV Scanner detection for dropped file 22->52 54 Query firmware table information (likely to detect VMs) 22->54 56 Machine Learning detection for dropped file 22->56 58 Found strings related to Crypto-Mining 26->58 signatures12 60 Detected Stratum mining protocol 40->60
Score:
2%
Verdict:
Benign
File Type:
ASCII
Link:
https://malprob.io/report/9af34ca7397ffb95cfe45763bcb525eec130c4c5e97a6f82e0d471eee808b291
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9af34ca7397ffb95cfe45763bcb525eec130c4c5e97a6f82e0d471eee808b291/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-24 02:53:07 UTC
File Type:
Text (Batch)
AV detection:
6 of 23 (26.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tlzuzjzzp75zlt7ek5r3znjf53atbrgf5f5g7axa2ry652aiwkiq._file
Verdict:
unknown
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/231210-l1m5lsdaan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Executes dropped EXE
Blocklisted process makes network request
XMRig Miner payload
xmrig
Malware Config
Dropper Extraction:
https://cdn.nest.rip/uploads/422d676c-8e4d-4d44-a5f3-76537ee06a9c.zip
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9af34ca7397f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/9af34ca7397ffb95cfe45763bcb525eec130c4c5e97a6f82e0d471eee808b291

File information

The table below shows additional information about this malware sample such as delivery method and external references.

CoinMiner

Batch (bat) bat 9af34ca7397ffb95cfe45763bcb525eec130c4c5e97a6f82e0d471eee808b291

(this sample)

CoinMiner

zip 366b88c9d03a02d78217b6f707a34f7d8592a60b2d08ef66845698c304837de0

  
Dropping
SHA256 366b88c9d03a02d78217b6f707a34f7d8592a60b2d08ef66845698c304837de0
Cape
Cape
https://www.capesandbox.com/analysis/464204/

Comments