MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad2ac8f51fefe49c234155309eb8cc0faa4e1e05b2b30317691950d5f4dd8ea1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad2ac8f51fefe49c234155309eb8cc0faa4e1e05b2b30317691950d5f4dd8ea1
SHA3-384 hash: f4ebef4525c59b825815c6811d707750c61fd203e937c6b7162d49d851c6ec091613507f1fc4202344769aa84c65a5cb
SHA1 hash: 85323deccfdd24d8b4a8bcb8ec6d3ed973415f21
MD5 hash: 8d868a206455746c8d3a2e653d86406e
humanhash: delta-twelve-vegan-whiskey
File name:their.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'180'992 bytes
First seen:2022-10-10 07:19:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1e1db4ddf300b66a3afa3056ec32bfd (14 x CoinMiner, 2 x PripyatMiner)
ssdeep 98304:YzQ7QFYA6K/6gtrUFbwaEXTdwutEoV5pPfl:aQU/6KygyFsawThb
Threatray 2'756 similar samples on MalwareBazaar
TLSH T1CD162326F5420468C56601F4D16AD27376AFBCC5C669A55F4B8BE7222D23CB00FAFB70
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter JAMESWT_WT
Tags:bitbucket-org CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
their.exe
Verdict:
No threats detected
Analysis date:
2022-10-08 13:58:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c0f5c4f5-e0d0-4ff8-a578-03bf5498ccde

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318214/
Detection(s):
Win.Malware.Generic-9968329-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Sending an HTTP GET request
Changing the hosts file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42167/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug packed shell32.dll
Link:
https://www.filescan.io/uploads/6343c7a81565eeb6424f39f9/reports/d5e9efca-5576-4d23-8fc4-b6f72f9e10db/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/573838c4-65e9-4802-8021-c3bc89f9e860
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1087525
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 720100 Sample: their.exe Startdate: 11/10/2022 Architecture: WINDOWS Score: 100 72 Antivirus detection for dropped file 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 3 other signatures 2->78 7 updaterload.exe 2->7         started        11 their.exe 1 2->11         started        13 svchost.exe 2->13         started        15 8 other processes 2->15 process3 file4 52 C:\Windows\Temp\5EB.tmp, PE32+ 7->52 dropped 54 C:\Windows\Temp\2FC.tmp, PE32+ 7->54 dropped 56 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 7->56 dropped 80 Protects its processes via BreakOnTermination flag 7->80 82 Writes to foreign memory regions 7->82 84 Modifies the context of a thread in another process (thread injection) 7->84 94 2 other signatures 7->94 17 cmd.exe 7->17         started        20 cmd.exe 7->20         started        22 powershell.exe 7->22         started        24 powershell.exe 7->24         started        58 C:\Program Filesbehaviorgraphoogle\...\updaterload.exe, PE32+ 11->58 dropped 60 C:\Windows\System32\drivers\etc\hosts, data 11->60 dropped 86 Uses cmd line tools excessively to alter registry or file data 11->86 88 Modifies the hosts file 11->88 90 Adds a directory exclusion to Windows Defender 11->90 26 cmd.exe 1 11->26         started        28 cmd.exe 1 11->28         started        30 powershell.exe 19 11->30         started        32 2 other processes 11->32 92 Changes security center settings (notifications, updates, antivirus, firewall) 13->92 signatures5 process6 signatures7 40 9 other processes 17->40 42 5 other processes 20->42 62 Creates files in the system32 config directory 22->62 34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        64 Uses cmd line tools excessively to alter registry or file data 26->64 66 Uses powercfg.exe to modify the power settings 26->66 68 Modifies power options to not sleep / hibernate 26->68 38 reg.exe 1 26->38         started        44 10 other processes 26->44 46 5 other processes 28->46 70 Uses schtasks.exe or at.exe to add and modify task schedules 30->70 48 2 other processes 30->48 50 3 other processes 32->50 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad2ac8f51fefe49c234155309eb8cc0faa4e1e05b2b30317691950d5f4dd8ea1/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 00:09:36 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vuvmr5i757sjyi2bkuyj5ogmb6ve4hqfwkzqgf3jdfinl5g5r2qq._file
Verdict:
malicious
Similar samples:
02aeff4e07664864d428440cab4be050ddc1504ff997ce0fef7068899139318d
CoinMiner
202fb4f80fa9790ba37aed5cf78a54b21391d4f42a2d49d68d9c15f4f6507893
CoinMiner
2980402300cdd466b4dd068c4352fde25c5d9edd68536b8a8911603e9a10cc94
CoinMiner
2d149bca64703b7cf996a772ba91423da1e1f11dbae522f3e4d3b34095d3b89d
CoinMiner
67ad330292443e6a92c2ac01a855a8edf9ea82fa0bbd5a371b66b765bbc3d0f5
CoinMiner
6d0429bb3533ea8cd3b10d207ec5505ac0d38692f7f4cd1375db7cd1aba0be6e
CoinMiner
713b5821fb297bf6fda93ad5fe11dabebc2cba0aa38f4c66d02c75703a0d0bce
CoinMiner
b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499
CoinMiner
c555bd99e5d32975594127b66602319349f1db161287b533915d92b4eb8420d3
CoinMiner
+ 2'746 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner upx
Link:
https://tria.ge/reports/221010-h5425sbaa9/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Stops running service(s)
UPX packed file
XMRig Miner payload
Modifies security service
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a39227b8-dc1c-48bd-a83b-b3b87915e65b
Unpacked files
SH256 hash:
ad2ac8f51fefe49c234155309eb8cc0faa4e1e05b2b30317691950d5f4dd8ea1
MD5 hash:
8d868a206455746c8d3a2e653d86406e
SHA1 hash:
85323deccfdd24d8b4a8bcb8ec6d3ed973415f21
Link:
https://www.unpac.me/results/28fc963f-f206-40bf-ba34-64c0094c4337/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad2ac8f51fefe49c234155309eb8cc0faa4e1e05b2b30317691950d5f4dd8ea1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318214/

Comments