MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa4bbc0296b28232d20ca66e74e55dea3f82ca212db912fbc0825c93403654a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa4bbc0296b28232d20ca66e74e55dea3f82ca212db912fbc0825c93403654a9
SHA3-384 hash: b41e9c06bee698ce8b365433f10faafa42dae10362bbeeb775e3637453d2516c0f60984cb36849d5959cd3fa4dfd1897
SHA1 hash: 5d497c936ee71cc18125793bba524e4832a10789
MD5 hash: e80264156b7c26f7495709faa23ffdb7
humanhash: snake-december-comet-apart
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:419'840 bytes
First seen:2023-05-19 13:06:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:9+cpD7KsRbSQ82gxVB5mSNDtdLCXZC/QuQ/g+LjQRohyqBoHCK0iOEfoh4c3QCNo:HpD0b
Threatray 4 similar samples on MalwareBazaar
TLSH T1789401AD725076DFC86BC472DAA81CA8FB6034BB931B4207906715EDAE4D997CF140F2
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter andretavare5
Tags:CoinMiner exe


Avatar
andretavare5
Sample downloaded from https://www.4sync.com/web/directDownload/eCQC4jRG/ncNrDnxs.007f609beb6990697b5cdbd1bdf1cfde

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-19 13:07:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/240d6708-223e-4d4d-80b8-26c1485a20b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Heur.20230519153059526245228.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex crypto lolbin packed packed
Link:
https://www.filescan.io/uploads/6467747aecbbc103831cbc0f/reports/14c801ad-4cd4-4b0f-b7a1-d48ec6fd6164/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/aa4bbc0296b28232d20ca66e74e55dea3f82ca212db912fbc0825c93403654a9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d6eb9d7-1ab3-430e-8a5a-8be602420a59
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237214
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Stop multiple services
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 870209 Sample: file.exe Startdate: 19/05/2023 Architecture: WINDOWS Score: 100 76 central-cee-doja.ru 2->76 86 Antivirus detection for URL or domain 2->86 88 Antivirus detection for dropped file 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 8 other signatures 2->92 10 file.exe 15 22 2->10         started        15 cmd.exe 1 2->15         started        17 cmd.exe 2->17         started        19 9 other processes 2->19 signatures3 process4 dnsIp5 78 www.4sync.com 199.101.134.238, 443, 49720 WZCOM-US United States 10->78 80 dc535.4sync.com 204.155.145.49, 443, 49721 WZCOM-US United States 10->80 84 6 other IPs or domains 10->84 64 C:\Users\user\Desktop\...\SQLite.Interop.dll, PE32 10->64 dropped 66 C:\Users\user\Desktop\...\SQLite.Interop.dll, PE32+ 10->66 dropped 68 C:\Users\user\...\System.Data.SQLite.dll, PE32 10->68 dropped 70 6 other malicious files 10->70 dropped 114 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->114 116 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->116 118 Tries to harvest and steal browser information (history, passwords, etc) 10->118 120 Tries to steal Crypto Currency Wallets 10->120 21 664556.exe 2 10->21         started        25 863315.exe 10->25         started        122 Uses cmd line tools excessively to alter registry or file data 15->122 124 Uses powercfg.exe to modify the power settings 15->124 126 Modifies power options to not sleep / hibernate 15->126 27 conhost.exe 15->27         started        29 sc.exe 1 15->29         started        35 4 other processes 15->35 37 11 other processes 17->37 82 192.168.2.1 unknown unknown 19->82 128 Creates files in the system32 config directory 19->128 130 Uses schtasks.exe or at.exe to add and modify task schedules 19->130 31 conhost.exe 19->31         started        33 conhost.exe 19->33         started        39 16 other processes 19->39 file6 signatures7 process8 file9 58 C:\Users\user\AppData\...\rqvqdatlqmuo.tmp, PE32+ 21->58 dropped 60 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 21->60 dropped 62 C:\Windows\System32\drivers\etc\hosts, ASCII 21->62 dropped 94 Multi AV Scanner detection for dropped file 21->94 96 Writes to foreign memory regions 21->96 98 Modifies the context of a thread in another process (thread injection) 21->98 104 3 other signatures 21->104 41 dialer.exe 21->41         started        100 Antivirus detection for dropped file 25->100 102 Adds a directory exclusion to Windows Defender 25->102 signatures10 process11 signatures12 106 Injects code into the Windows Explorer (explorer.exe) 41->106 108 Contains functionality to inject code into remote processes 41->108 110 Writes to foreign memory regions 41->110 112 4 other signatures 41->112 44 updater.exe 41->44         started        48 lsass.exe 41->48 injected 50 powershell.exe 41->50         started        52 7 other processes 41->52 process13 file14 72 C:\Windows\Temp\sonpbxor.tmp, PE32+ 44->72 dropped 74 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 44->74 dropped 132 Protects its processes via BreakOnTermination flag 44->132 134 Modifies the context of a thread in another process (thread injection) 44->134 136 Adds a directory exclusion to Windows Defender 44->136 138 Sample is not signed and drops a device driver 44->138 140 Writes to foreign memory regions 48->140 54 conhost.exe 50->54         started        56 Conhost.exe 52->56         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa4bbc0296b28232d20ca66e74e55dea3f82ca212db912fbc0825c93403654a9/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-19 13:07:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjf3yauwwkbdfuqmuzxhjzk55i7yfsrbfw4rf66aqjojgqbwksuq._file
Verdict:
malicious
Similar samples:
098393055d675f101b5a98d50f08a140c3d753f0dd7583cc8cc3bc9efc08506a
CoinMiner
5618be4b10205d3fb67baf5dfdfd2d8089b0858578b59e06bdc9e98dfc164220
CoinMiner
679ecde4cd6afa60eaf6ab07179310def1cc22b0790b1efeb52ce1d80b06531c
CoinMiner
df35ae0d0b0981dcee4616fc5f7e5fa69d6d2b73cbd500fb9950eb0bbaabdc74
CoinMiner
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion spyware stealer
Link:
https://tria.ge/reports/230519-qcmw6aea49/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Stops running service(s)
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
aa4bbc0296b28232d20ca66e74e55dea3f82ca212db912fbc0825c93403654a9
MD5 hash:
e80264156b7c26f7495709faa23ffdb7
SHA1 hash:
5d497c936ee71cc18125793bba524e4832a10789
Link:
https://www.unpac.me/results/0de8c411-152e-478f-98cf-ecab919bbbac/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa4bbc0296b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/aa4bbc0296b28232d20ca66e74e55dea3f82ca212db912fbc0825c93403654a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2637025/

Comments