MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c474206c922b92256780088023c21fcf09bc9ab1d7d06f36f3c4c0934b82e23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	9c474206c922b92256780088023c21fcf09bc9ab1d7d06f36f3c4c0934b82e23
SHA3-384 hash:	2a4e301e25be388c373e20470d36ec53004dae17eba30cf112f7756072fc59a90d135d57af543a43c6075ebc572c64b2
SHA1 hash:	fcf5af86031130b3764d76d64e296345fc88c25e
MD5 hash:	3e69d56846083241547bd1a10c273115
humanhash:	violet-finch-nineteen-nebraska
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	869'376 bytes
First seen:	2023-01-08 09:29:30 UTC
Last seen:	2023-01-08 11:28:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a632cf690b3f41c3e04efb53662f2a77 (1 x CoinMiner)
ssdeep	24576:pQVx1ovng/hoBnKTl/z8sLhJRrEl95Tqto4:pQLivng/h+nU58P7w
Threatray	2'613 similar samples on MalwareBazaar
TLSH	T11305CF0AEE740B04E8AE8D334A7D53640FA67C0B373195187D32766AD8DDB522DB9738
File icon (PE):
dhash icon	e4aceeeeebfbefee (4 x CoinMiner, 1 x ArkeiStealer)
Reporter	andretavare5
Tags:	CoinMiner exe

andretavare5

Sample downloaded from http://orderedami.com/svcrun.exe

Intelligence

File Origin

# of uploads :

# of downloads :

183

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/350715/

Detection(s):

SecuriteInfo.com.Variant.Lazy.282909.20560.6565.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Using the Windows Management Instrumentation requests

Running batch commands

Creating a process with a hidden window

Creating a window

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63ba8d1c0fdf1633326dc484/reports/267eb38d-ca71-4afb-a7e0-1b6e7febe970/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/61531e70-91f1-4a47-a6c1-758590251560

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1147327

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to detect virtual machines (IN, VMware)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

DNS related to crypt mining pools

Found strings related to Crypto-Mining

Machine Learning detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Snort IDS alert for network traffic

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c474206c922b92256780088023c21fcf09bc9ab1d7d06f36f3c4c0934b82e23/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-01-08 09:30:09 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

12 of 26 (46.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=trduebwjek4sevtyaceaepbb7tyjxsnldv6qn43phrgasnfyfyrq._file

Verdict:

malicious

CoinMiner

2edd00e586bcfb09d7472eb14e05fc723a84219dbddd4b461fb2373761c0052e

CoinMiner

44f1aaf95883848667641344f16ba2e56729057e9b581bac449b66efbbbb6094

CoinMiner

4caaca2890a24087d048b3bee2a5ebd606583d12783af9544d2027bfbfb6e220

CoinMiner

5950196adf1ba037d91fb9b9687e9f3e471b905c36975ee238266fd0236f837f

CoinMiner

65ffd967cb5fbab3e1cf9c7fc67acebfb5bf28e77061d202f2d9eb7116ba8476

CoinMiner

6fa9af2985ae51764b5821c16287abcb1e02f8e184d50383f5615c687cb00d22

CoinMiner

9d01c4590df8cd82e9030a2aa6bdbaf3ca49649a0c154f2fbdf34e9d35b2aa38

CoinMiner

b393b414296444936286f40d0648e996412707789d6bd6417e71a10fda824621

CoinMiner

dc27f1a2e3285428ddd71705f053ba1fab028608a08a08824720484c30b1ec0e

CoinMiner

+ 2'603 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/230108-lgg49adb85/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

XMRig Miner payload

xmrig

Unpacked files

SH256 hash:

9c474206c922b92256780088023c21fcf09bc9ab1d7d06f36f3c4c0934b82e23

MD5 hash:

3e69d56846083241547bd1a10c273115

SHA1 hash:

fcf5af86031130b3764d76d64e296345fc88c25e

Link:

https://www.unpac.me/results/99b7ecae-67f9-4325-905c-2dbc0c784994/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9c474206c922/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.19

Link:

https://yomi.yoroi.company/submissions/9c474206c922b92256780088023c21fcf09bc9ab1d7d06f36f3c4c0934b82e23

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/350715/

URLhaus

https://urlhaus.abuse.ch/url/2497706/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample