MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae2e7547c8d73f63d7d1f8b428c8475d14e86d66faa48cfb17b5fc025d5731a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	ae2e7547c8d73f63d7d1f8b428c8475d14e86d66faa48cfb17b5fc025d5731a7
SHA3-384 hash:	baab21df91525ceec2267828c62259b96e31ee2c526e25d4aebeb9f7c75ffc3c338d6826d4d99fd28c54dec6968039b5
SHA1 hash:	63bc73007ca3654b1ecda5f255d6b482424be3ad
MD5 hash:	e9d0db5f69e7fa442ce70b2aa1433eaa
humanhash:	washington-pizza-thirteen-saturn
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	980'480 bytes
First seen:	2022-12-29 16:30:01 UTC
Last seen:	2022-12-29 18:29:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f7a88557d4088e362443235be25c3e85 (1 x CoinMiner)
ssdeep	24576:QtVSn52JQY2nTHf3eEZie/slFsNdIZ8xU:ySn52JQYotZPsodU
Threatray	2'290 similar samples on MalwareBazaar
TLSH	T16625F178E5F0D248D5BD4A328F75D4F00D913D02FCA1A46B71E7BA5F38362891C19AAE
File icon (PE):
dhash icon	10f079f892ea78b0 (18 x Emmenhtal, 7 x LummaStealer, 4 x CoinMiner)
Reporter	andretavare5
Tags:	CoinMiner exe

andretavare5

Sample downloaded from http://affito.amiyon.com/svcrun.exe

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-12-29 16:30:34 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/3d6e16d9-8b3c-474b-a18b-1499467c883e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.30350.23202.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Launching a process

Creating a file

Enabling the 'hidden' option for recently created files

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Using the Windows Management Instrumentation requests

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63adc08fa66e2eb2973789d0/reports/bff1e19f-549c-456d-9c08-bc6e8ec61f54/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/de264a82-7bef-496e-9420-99ee32daddf8

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1142795

Signature

Adds a directory exclusion to Windows Defender

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to detect virtual machines (IN, VMware)

Detected unpacking (changes PE section rights)

DNS related to crypt mining pools

Found strings related to Crypto-Mining

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Snort IDS alert for network traffic

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae2e7547c8d73f63d7d1f8b428c8475d14e86d66faa48cfb17b5fc025d5731a7/

Threat name:

Win64.Trojan.Privateloader

Status:

Suspicious

First seen:

2022-12-29 16:30:16 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vyxhkr6i247whv6r7c2crschlukoq3lg7ksiz6yxwx6aexkxggtq._file

Verdict:

unknown

CoinMiner

15f360013119d7049c4bc4466604717a05cda9c95f0eca787383df0d3089f0f0

CoinMiner

275b845c4beaf34c3f5a78e8dde1134489e9a27467bed2da8f2dd4bdbac0cf78

CoinMiner

334b8c0681f7876ea9108a19da9d216e8c9a9248511ea56dc0ac02fadc0a2e00

CoinMiner

381673cfb37435a51471986ab25e0c35ec935cfa59d1c1ab149be99015fa0acc

CoinMiner

4b832681660bd5727a36443544b83d5a69ccc47143220f7b3ea924b81bfe2fc4

CoinMiner

5a329d76898db05611e2dad04c55e316f1c4bb2dd6c9d223eb85af92bc2e1893

CoinMiner

b0302fe3b0973c3f18a2cebccad7920fda170c9a52ce8151940cd2e267e22eb2

CoinMiner

b5ed948dd84aa5fdecf011400ced88f20a8c376795672445c41275a974f26318

CoinMiner

bd8322ca81f42d51423c11ba7a4a772c47d5a0abc5d9cc5da4fcb0c83f725b22

CoinMiner

+ 2'280 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/221229-tzt6jade44/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

XMRig Miner payload

xmrig

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b64e17ac-5a1c-41df-bb2f-f0bb9782140e

Unpacked files

SH256 hash:

ae2e7547c8d73f63d7d1f8b428c8475d14e86d66faa48cfb17b5fc025d5731a7

MD5 hash:

e9d0db5f69e7fa442ce70b2aa1433eaa

SHA1 hash:

63bc73007ca3654b1ecda5f255d6b482424be3ad

Link:

https://www.unpac.me/results/5409ad9d-1286-48e2-a115-9bbbbd3d9ce7/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ae2e7547c8d7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.19

Link:

https://yomi.yoroi.company/submissions/ae2e7547c8d73f63d7d1f8b428c8475d14e86d66faa48cfb17b5fc025d5731a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	win_xfilesstealer_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.xfilesstealer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2452741/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample