MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1
SHA3-384 hash: fb9a883a68f9f5645dc64e96e94cc013481bddf0c940b243a8fae693d5be238341cd94f932e395d4f78c819b3e6f6cd1
SHA1 hash: 76e5ab8eda5c292b4f602e8a73c037f4623cb172
MD5 hash: b280cc4e78a7bff8d072713f8b4beb29
humanhash: two-five-rugby-early
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'136'576 bytes
First seen:2023-02-26 20:45:07 UTC
Last seen:2023-02-26 21:34:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash df9a7bc1c6c6cd97d04c3762fdde6719 (18 x CoinMiner, 2 x CoinMiner.XMRig, 1 x PripyatMiner)
ssdeep 49152:BMJt5dwHjwTFKLpVI1M5crh/XBSgqJXEjvZ80eYcZxXBkK8jXCv:Bot4DrVaEcugqJUDDcZl4C
Threatray 61 similar samples on MalwareBazaar
TLSH T1DCA523425243579ACA8249F6C38DAF38E855BFF0393A8C79354C4C694D325DEDB8BB09
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:CoinMiner exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc139074685_656819319?hash=IzoWwBNzesv6ZN8CiVgG8s4etPvprFpucI3zuptKXZw&dl=GEZTSMBXGQ3DQNI:1677442528:zbcV0wCIpxf6r2zimxuYhH4dRzkJCRpUXOnB7agTxXz&api=1&no_preview=1#1_141

Intelligence

File Origin
# of uploads :
2
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-26 20:45:38 UTC
Tags:
miner trojan
Link:
https://app.any.run/tasks/dde1805b-74a3-45a1-988e-ab37bb3ec8d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369883/
Detection(s):
Win.Malware.Miner-9978777-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Сreating synchronization primitives
Running batch commands
Deleting a recently created file
Replacing files
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug barys coinminer packed
Link:
https://www.filescan.io/uploads/63fbc50cab9a586446066c35/reports/27dc74d9-a501-45b3-8c81-a7ffd4ecb720/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb7d402e-2a85-4724-9e3c-78d9af48be3f
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1182784
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in the system32 config directory
Detected Stratum mining protocol
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 815615 Sample: file.exe Startdate: 26/02/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Antivirus detection for dropped file 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 5 other signatures 2->53 7 updater.exe 3 2->7         started        11 svchost.exe 2->11         started        13 powershell.exe 35 2->13         started        15 12 other processes 2->15 process3 file4 36 C:\Windows\Temp\jwlsgmng.tmp, PE32+ 7->36 dropped 38 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 7->38 dropped 55 Writes to foreign memory regions 7->55 57 Modifies the context of a thread in another process (thread injection) 7->57 59 Maps a DLL or memory area into another process 7->59 61 Sample is not signed and drops a device driver 7->61 17 conhost.exe 7->17         started        20 conhost.exe 1 7->20         started        63 Changes security center settings (notifications, updates, antivirus, firewall) 11->63 22 MpCmdRun.exe 1 11->22         started        65 Uses schtasks.exe or at.exe to add and modify task schedules 13->65 24 conhost.exe 13->24         started        40 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 15->40 dropped 67 Creates files in the system32 config directory 15->67 26 WMIC.exe 1 15->26         started        28 conhost.exe 15->28         started        30 conhost.exe 15->30         started        32 3 other processes 15->32 signatures5 process6 dnsIp7 42 xmr.2miners.com 162.19.139.184, 2222, 49684 CENTURYLINK-US-LEGACY-QWESTUS United States 17->42 45 miner1.zzz.com.ua 95.211.16.66, 49685, 80 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 17->45 34 conhost.exe 22->34         started        signatures8 69 Detected Stratum mining protocol 42->69 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-02-26 20:47:14 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vy5ogubbrgmpgx7elawqccceyt3cjefpgcxuhdaxgxsqg7irl7aq._file
Verdict:
malicious
Similar samples:
1ea28978334fa03b2714b5c22abd580cdd8b5b0a6fcdf895fe1367ac96da0e8b
CoinMiner
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab
CoinMiner
5b7b0e71f4c87a7613b0ce686eb6ad70c9fc4b2e4f1cb696a3e5541a8d69a093
CoinMiner
7812b5f5fd710358255d8847f61729386cb982c55beb12a77e240d3377aaeafb
CoinMiner
89a342bb20ad895c86665599e40ecd591b2993f5a1b343768dbb7af038aebd31
CoinMiner
9a938f47030e9b34dcee96382fae40ed2f980299e1ced3a04c19c859b24ae40c
CoinMiner
cb8cd78c09c1a9dd7b2cf6a4288c984b4b5619ab8301d1a963e089024bb314d0
CoinMiner
dd84819f9d2e108ac8dbbfedf10d61f787b6082f02ddb63ca05c98d78e877597
CoinMiner
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
CoinMiner
ffa4485b730b662d6c9e65a4e6b8687c3037838f582839821eefae481c327baf
CoinMiner
+ 51 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner upx
Link:
https://tria.ge/reports/230226-zkaq8sad27/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
UPX packed file
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1
MD5 hash:
b280cc4e78a7bff8d072713f8b4beb29
SHA1 hash:
76e5ab8eda5c292b4f602e8a73c037f4623cb172
Link:
https://www.unpac.me/results/cefea5df-0fcb-47eb-82b7-61ddada2341c/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae3ae3502189/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ae3ae350218998f35fe4582d010844c4f62490af30af438c1735e5037d115fc1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/369883/

Comments