MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bf1cce15686f2e3ea815d9e9ae5add34c1534f3cf139b612c0b07e630e72a64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bf1cce15686f2e3ea815d9e9ae5add34c1534f3cf139b612c0b07e630e72a64
SHA3-384 hash: 778a7e5b5dcc1c92c71e6582a306e9cbc7c801c6eb20c76c8c7cb4180732fc2e912a73e46d57e93ee8d284800797078d
SHA1 hash: 4f4ef99c2153711607dee4ea1d127ebff532c7a8
MD5 hash: a9bae2ce770aa1fc344032e9730ed886
humanhash: massachusetts-oven-red-hotel
File name:a9bae2ce770aa1fc344032e9730ed886
Download: download sample
Signature CoinMiner
Create hunting rule
File size:18'432 bytes
First seen:2022-05-25 15:10:23 UTC
Last seen:2022-05-25 15:47:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:+5Bekd2vzfJjqI6ENs4hf9vwEG9/XwJwq6uJfq2GSLwq3ezHvG:ZkdXwNA2GzS
Threatray 1'197 similar samples on MalwareBazaar
TLSH T1B682E721F3879274C82A0B335C6697500775EF4599778B2F38C8322EEF7278717A2A60
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
457
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a9bae2ce770aa1fc344032e9730ed886
Verdict:
No threats detected
Analysis date:
2022-05-25 15:50:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/71480fa3-9c0c-4708-a9b1-14114d5f59bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274568/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm obfuscated wacatac
Link:
https://www.filescan.io/uploads/628e470b370bb1455cc581a9/reports/ea9f3af6-2804-4788-a2c0-16cae9dad562/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80cf8e43-40fe-4799-a226-481b941d5734
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad.mine
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1001675
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
DNS related to crypt mining pools
Encrypted powershell cmdline option found
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Potential malicious icon found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 634170 Sample: zJ76cv6IC8 Startdate: 25/05/2022 Architecture: WINDOWS Score: 76 34 xmr-eu1.nanopool.org 2->34 36 www-bing-com.dual-a-0001.a-msedge.net 2->36 38 dual-a-0001.dc-msedge.net 2->38 44 Potential malicious icon found 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 .NET source code contains potential unpacker 2->48 50 2 other signatures 2->50 8 zJ76cv6IC8.exe 15 6 2->8         started        13 svchost.exe 9 1 2->13         started        15 svchost.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 40 thddghdd2.com 31.31.196.48, 49736, 80 AS-REGRU Russian Federation 8->40 32 C:\Users\user\AppData\...\Aqqgxkxtv1.exe, PE32+ 8->32 dropped 54 Creates an undocumented autostart registry key 8->54 19 cmd.exe 1 8->19         started        22 cmd.exe 1 8->22         started        42 127.0.0.1 unknown unknown 13->42 file6 signatures7 process8 signatures9 52 Encrypted powershell cmdline option found 19->52 24 powershell.exe 21 19->24         started        26 conhost.exe 19->26         started        28 conhost.exe 22->28         started        30 timeout.exe 1 22->30         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bf1cce15686f2e3ea815d9e9ae5add34c1534f3cf139b612c0b07e630e72a64/
Threat name:
ByteCode-MSIL.Ransomware.Rakhni
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 15:11:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
11
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2e09804cfcf88736779693667b5832e1380d3dc3e156dfb5ca6473f3d272d40c
CoinMiner
44bcfeba9debc5478934ba33fcda33194a2bfc1260acb0a6bd2c6832cd4e0522
CoinMiner
5e01bf2630fe5ff7186049cce2468f8de09dcaf411b21a0a7d91f844c63daf31
CoinMiner
78e187e1318e74767b22c668d8ff398af5dad9a9668d4ef183db3d4bb818e865
CoinMiner
92bee76273f728934ca7a3fcace5b58c7fc99a20a4c166e05ccc920d7c2f46a8
CoinMiner
a68b5e0572d9c79d90ef87d413a499fd87ac6d8afa93fcfc285a2ba1fbc5381e
CoinMiner
ac23d509999ba6aeffbf49a41e104a7e876872740dbf24ccff54f5bc36ee3eb6
CoinMiner
bb46fb813b1a0a9429642cdcf8a41e56e5b893339a3cb550acdf322acb3399e4
CoinMiner
+ 1'187 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig discovery evasion exploit miner persistence
Link:
https://tria.ge/reports/220525-skk4msbed4/
Behaviour
Delays execution with timeout.exe
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Modifies file permissions
Possible privilege escalation attempt
Stops running service(s)
XMRig Miner Payload
Modifies WinLogon for persistence
Modifies security service
xmrig
Unpacked files
SH256 hash:
9bf1cce15686f2e3ea815d9e9ae5add34c1534f3cf139b612c0b07e630e72a64
MD5 hash:
a9bae2ce770aa1fc344032e9730ed886
SHA1 hash:
4f4ef99c2153711607dee4ea1d127ebff532c7a8
Link:
https://www.unpac.me/results/56122de5-6a33-4951-b32b-73bf4740f1b6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/9bf1cce15686f2e3ea815d9e9ae5add34c1534f3cf139b612c0b07e630e72a64

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 9bf1cce15686f2e3ea815d9e9ae5add34c1534f3cf139b612c0b07e630e72a64

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2210879/
Cape
Cape
https://www.capesandbox.com/analysis/274568/

Comments


Avatar
zbet commented on 2022-05-25 15:10:32 UTC

url : hxxp://thddghdd2.com/Adetij.exe