MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9afe33b20b66ef154c1f2cba4634bcc3b2eecdeb0bfb56942240e782b476f9db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9afe33b20b66ef154c1f2cba4634bcc3b2eecdeb0bfb56942240e782b476f9db
SHA3-384 hash: 585627386779fe3832853b5b10a653b2c96abf81fa848791a1f8e462036611123baad0fb0619d4f799b47d34f461fce3
SHA1 hash: 3657c5d7246fc8b94e108a2066deefe568113604
MD5 hash: 590167981561a80410867f08935a0584
humanhash: king-six-fix-uniform
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:8'234'496 bytes
First seen:2022-12-22 21:52:12 UTC
Last seen:2022-12-22 23:31:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 196608:fyyiPdIqpZwjUyeMldetbmteTaz9HnGj:fyy6ppSIMreta4TM9
Threatray 2'963 similar samples on MalwareBazaar
TLSH T1868633B4B5F376F9CFA080F7580296B179C2EA4DB12BC51526390B764A9C30F71E6E42
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter jstrosch
Tags:.NET CoinMiner exe MSIL X64

Intelligence

File Origin
# of uploads :
2
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
DCRatLoader.exe
Verdict:
Malicious activity
Analysis date:
2022-12-22 15:42:39 UTC
Tags:
trojan opendir loader rat redline
Link:
https://app.any.run/tasks/8c9980bf-4e2e-4465-b0bf-66b9566428c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349205/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.144.8214.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Enabling autorun by creating a file
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3e9415eb-3cce-4f64-81d3-5465816b7a54
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1139637
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 772367 Sample: file.exe Startdate: 22/12/2022 Architecture: WINDOWS Score: 100 46 Antivirus detection for dropped file 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 5 other signatures 2->52 7 file.exe 5 2->7         started        11 cmd.exe 1 2->11         started        13 cmd.exe 1 2->13         started        15 2 other processes 2->15 process3 file4 38 C:\Users\user\AppData\Roaming\...\svhos.exe, PE32+ 7->38 dropped 40 C:\Users\user\...\svhos.exe:Zone.Identifier, ASCII 7->40 dropped 42 C:\Users\user\AppData\Local\...\file.exe.log, CSV 7->42 dropped 54 Creates an undocumented autostart registry key 7->54 56 Encrypted powershell cmdline option found 7->56 58 Modifies the context of a thread in another process (thread injection) 7->58 60 Injects a PE file into a foreign processes 7->60 17 file.exe 7->17         started        20 powershell.exe 16 7->20         started        62 Uses cmd line tools excessively to alter registry or file data 11->62 64 Uses powercfg.exe to modify the power settings 11->64 66 Modifies power options to not sleep / hibernate 11->66 22 reg.exe 1 11->22         started        24 reg.exe 1 11->24         started        26 reg.exe 1 11->26         started        32 8 other processes 11->32 34 5 other processes 13->34 28 conhost.exe 15->28         started        30 conhost.exe 15->30         started        signatures5 process6 signatures7 44 Adds a directory exclusion to Windows Defender 17->44 36 conhost.exe 20->36         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9afe33b20b66ef154c1f2cba4634bcc3b2eecdeb0bfb56942240e782b476f9db/
Threat name:
Win64.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-12-22 21:53:09 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tl7dhmqlm3xrkta7fs5emnf4yozo5tplbp5vnfbcidtyfndw7hnq._file
Verdict:
malicious
Similar samples:
2876a4b04f3d5d2803ae93fb9d3a827f2edbabf44e4327ac4dfa7b71a55b81ef
CoinMiner
55466ebc5b9c9e17e47e2af745c118001c1163eaa9aa945760f90b2af3f8362c
CoinMiner
60758b6b4ebbaa83e0db9c18686dd093961be3c87a30b14cc924ac0aa0f5c71c
CoinMiner
701f68aa98d570229fd0009b583ab60bb0360e802477777281ee71dbb6e93bbe
CoinMiner
81bf53fbfc3cac4f4e2a4d35692127d7a5f32d8b2c06fc44e30775c4ac0be8af
CoinMiner
a88df82e4b619c1586b5640c801616486f08b3bd32f766847f468d6a23b6c23e
CoinMiner
b13700f6b5654760b7462c832b65592d6cccd3498f4094293fff020fb2b40970
CoinMiner
f58a5c7c34a09860c8aaf590ce7cd9de51267edf6b3153f575a7caf6d8832364
CoinMiner
fa7378e0cfb14dd80a72c29d787d670725bcaed8eb0040e983f03b89282ff73e
CoinMiner
+ 2'953 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner upx
Link:
https://tria.ge/reports/221222-1rlyhsfc69/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Stops running service(s)
UPX packed file
XMRig Miner payload
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a685dc61-a2a8-4ba6-bdf8-22272a778ead
Unpacked files
SH256 hash:
9afe33b20b66ef154c1f2cba4634bcc3b2eecdeb0bfb56942240e782b476f9db
MD5 hash:
590167981561a80410867f08935a0584
SHA1 hash:
3657c5d7246fc8b94e108a2066deefe568113604
Link:
https://www.unpac.me/results/5cd0dc77-a774-468f-b40d-a7a69bdab742/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/9afe33b20b66ef154c1f2cba4634bcc3b2eecdeb0bfb56942240e782b476f9db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 9afe33b20b66ef154c1f2cba4634bcc3b2eecdeb0bfb56942240e782b476f9db

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/349205/
  
URLhaus
https://urlhaus.abuse.ch/url/2482456/

Comments