MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6
SHA3-384 hash: 3adbfada27093e58ec99958d8d24ac8b25a752f31fc06384f73d1b39c506b6854223ef2dca2dcf24f6deed79c7f9ab08
SHA1 hash: 4ccf75ba953cf9eeef0a682fc9d39e52787288aa
MD5 hash: eeaecc3b9fbf9b4c73121003d75375bb
humanhash: sweet-skylark-emma-pizza
File name:m2.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:7'083'520 bytes
First seen:2024-11-15 20:40:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3fac356340f08f787f93cbf317f090cd (13 x CoinMiner)
ssdeep 196608:3P+jtixYCSOXEwnExyzjbDFAswiaJxvmk0D:3P+8xlreujbRA7/xe
Threatray 222 similar samples on MalwareBazaar
TLSH T13B6633857C8AAA76C568F371C02365AE73A17F528A524D263ECDBE510CFE7401A363C7
TrID 33.6% (.EXE) OS/2 Executable (generic) (2029/13)
33.1% (.EXE) Generic Win/DOS Executable (2002/3)
33.1% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon 66cea83062c99ca4 (2 x CoinMiner)
Reporter aachum
Tags:CoinMiner exe


Avatar
iamaachum
Dropped by .zip in https://www.soft-got.org/adobephotoshop => https://softgot.su/2024-11-15_Adobe_Photoshop.rar

Intelligence

File Origin
# of uploads :
1
# of downloads :
478
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
m2.exe
Verdict:
Malicious activity
Analysis date:
2024-11-15 20:44:15 UTC
Tags:
miner github xmrig xor-url upx generic
Link:
https://app.any.run/tasks/726c31cf-e54c-4143-916a-7d7a885215c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.12618.22753.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6737b1ef6bc7caf979b2f3cd
Tags:
virus gates
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed packed packer_detected
Link:
https://www.filescan.io/uploads/6737b1e40e978fb6d3ddd9cd/reports/88bb888b-f028-46bf-8d58-3a29266cd493/overview
Verdict:
Malicious
Labled as:
Trojan[Packed]/Win64.VMProtect
Link:
https://www.hybrid-analysis.com/sample/9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1ebcf7fd-8fb5-4c31-9617-d08b9afb3a4e
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1556725
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Suspicious powershell command line found
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by execution special instruction (VM detection)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1556725 Sample: m2.exe Startdate: 15/11/2024 Architecture: WINDOWS Score: 100 72 moym1.com 2->72 74 raw.githubusercontent.com 2->74 76 2 other IPs or domains 2->76 88 Malicious sample detected (through community Yara rule) 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 Yara detected Xmrig cryptocurrency miner 2->92 94 17 other signatures 2->94 10 kuytqawknxye.exe 1 2->10         started        14 m2.exe 1 2 2->14         started        16 powershell.exe 2 15 2->16         started        18 powershell.exe 2->18         started        signatures3 process4 file5 68 C:\Windows\Temp\dncgghieiqot.sys, PE32+ 10->68 dropped 118 Multi AV Scanner detection for dropped file 10->118 120 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->120 122 Query firmware table information (likely to detect VMs) 10->122 134 7 other signatures 10->134 20 dialer.exe 10->20         started        24 powershell.exe 23 10->24         started        36 11 other processes 10->36 70 C:\ProgramData\...\kuytqawknxye.exe, PE32+ 14->70 dropped 124 Uses powercfg.exe to modify the power settings 14->124 126 Modifies the context of a thread in another process (thread injection) 14->126 128 Adds a directory exclusion to Windows Defender 14->128 26 powershell.exe 23 14->26         started        28 sc.exe 1 14->28         started        38 14 other processes 14->38 130 Writes to foreign memory regions 16->130 132 Injects a PE file into a foreign processes 16->132 30 dllhost.exe 16->30         started        32 conhost.exe 16->32         started        34 conhost.exe 18->34         started        signatures6 process7 dnsIp8 78 moym1.com 194.87.31.45, 3333, 49704 ASBAXETNRU Russian Federation 20->78 80 raw.githubusercontent.com 185.199.111.133, 443, 49708 FASTLYUS Netherlands 20->80 82 2 other IPs or domains 20->82 96 Query firmware table information (likely to detect VMs) 20->96 98 Found strings related to Crypto-Mining 20->98 40 conhost.exe 24->40         started        100 Found suspicious powershell code related to unpacking or dynamic code loading 26->100 102 Loading BitLocker PowerShell Module 26->102 42 conhost.exe 26->42         started        104 Adds a directory exclusion to Windows Defender 28->104 106 Modifies power options to not sleep / hibernate 28->106 44 conhost.exe 28->44         started        108 Contains functionality to inject code into remote processes 30->108 110 Writes to foreign memory regions 30->110 112 Creates a thread in another existing process (thread injection) 30->112 116 2 other signatures 30->116 46 winlogon.exe 30->46 injected 48 lsass.exe 30->48 injected 53 2 other processes 30->53 55 11 other processes 36->55 51 conhost.exe 38->51         started        57 13 other processes 38->57 signatures9 114 Detected Stratum mining protocol 78->114 process10 signatures11 59 dllhost.exe 46->59         started        84 Installs new ROOT certificates 48->84 86 Writes to foreign memory regions 48->86 process12 signatures13 136 Injects code into the Windows Explorer (explorer.exe) 59->136 138 Writes to foreign memory regions 59->138 140 Creates a thread in another existing process (thread injection) 59->140 142 Injects a PE file into a foreign processes 59->142 62 svchost.exe 59->62 injected 64 svchost.exe 59->64 injected 66 svchost.exe 59->66 injected process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6/
Threat name:
Win64.Trojan.Reflo
Create hunting rule
Status:
Malicious
First seen:
2024-11-15 20:41:06 UTC
File Type:
PE+ (Exe)
Extracted files:
10
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqzbug7hvraxfmhn7qvzdja5ncpejjg4romtdp2ax3p3j4hv63la._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
r77_core
Create hunting rule
r77_stager
Create hunting rule
Similar samples:
1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db
CoinMiner
1ad6c91825f9ad0179bc20f4f53d5f2c0860270d251aa23c8a607b1e2cde35ec
CoinMiner
52e2f57489e8cabde628e4d477bfff50504b92cabba78ffaba9fd632e924932d
CoinMiner
5f7c6cdea3c4e825af1d796cbd34b2d45b2b6fabed130e717a30a6d871993f5d
CoinMiner
6c99b8348aaf2c00eb161a754eab7b6f54632e1bd5b9ae9bede5f0062dabe727
CoinMiner
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
CoinMiner
bc919d4fa285e2891889c6cf592c7f1707d69adead1af792e005e4d58cd02bbf
CoinMiner
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
CoinMiner
dbbe21f14ca93d658be3606974e289edf4b205b22d967324c49cba1950f29b9e
CoinMiner
error
CoinMiner
+ 212 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion execution persistence
Link:
https://tria.ge/reports/241115-zgek1svqeq/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Power Settings
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Stops running service(s)
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3744d314-719c-42ce-afa3-592b2bf0b027
Unpacked files
SH256 hash:
9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6
MD5 hash:
eeaecc3b9fbf9b4c73121003d75375bb
SHA1 hash:
4ccf75ba953cf9eeef0a682fc9d39e52787288aa
Link:
https://www.unpac.me/results/d2bbba51-0645-4bfb-8cd1-426a9ed9e03d/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9c321a1be7ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 9c321a1be7ac4172b0edfc2b91a41d689e44a4dc8b9931bf40bedfb4f0f5f6d6

(this sample)

  
Link
https://tria.ge/241115-zbhqgs1jey/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments