MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed
SHA3-384 hash:	3b2fd4592ad7415fbbdfc03987524084a63c87f13ac030b189ea5f5f39acb304f72547c4ede4cc1f62d4ac076a02b25a
SHA1 hash:	e3a6e33cb751dd81f4f6a62405df2930e9ede400
MD5 hash:	a7400236ffab02ae5af5c9a0f61e7300
humanhash:	three-papa-lithium-kentucky
File name:	Search.exe
Download:	download sample
File size:	11'974'704 bytes
First seen:	2023-12-04 16:49:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bd5e4e5f645408e15fe7064ed8f7b46d
ssdeep	196608:A5uVpY9sN2r7spYYB4M25DsvfnCcqBxsfQTQLMU+5tkFXfnTXfWhfDMwhT9GN9FB:A5+pY9k2r7smIss3C/ab+5twTPgN69FB
Threatray	1 similar samples on MalwareBazaar
TLSH	T1FCC6237C638873E8C02ACD345533ED4DF3B6560D06E9E9EBB3CE7580AB539219952B48
TrID	38.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.6% (.ICL) Windows Icons Library (generic) (2059/9) 15.4% (.EXE) OS/2 Executable (generic) (2029/13) 15.2% (.EXE) Generic Win/DOS Executable (2002/3) 15.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	Xev
Tags:	CoinMiner exe signed

Code Signing Certificate

Organisation:	珠海源泽咨询有限公司
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2020-12-14T00:00:00Z
Valid to:	2021-12-14T23:59:59Z
Serial number:	a7f39e96e042fb85de053131f53e5351
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	fec4f25a8fd8892425fa0d3dd00d62a6d4df9288e253da37dad44f1d920de94f
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

340

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c9de13edf1891e477c74aa5cd93e260a.exe

Verdict:

Malicious activity

Analysis date:

2023-02-27 10:47:05 UTC

Tags:

miner

Link:

https://app.any.run/tasks/3a81fc74-571a-4b20-9758-f0403e142479

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/462406/

Detection(s):

Win.Coinminer.Nbminer-10005650-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Restart of the analyzed sample

Creating a window

Searching for the window

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug coinminer coinminer lolbin overlay packed shell32 virus virus

Link:

https://www.filescan.io/uploads/656e036618cffa73b1d97a42/reports/e80253d3-e242-442c-9346-629fa2d286d2/overview

Verdict:

Malicious

Labled as:

Win64/CoinMiner.SD potentially unwanted application

Link:

https://www.hybrid-analysis.com/sample/bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed

Result

Verdict:

MALICIOUS

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/f6d33daa-ed68-4da0-8710-36d0e0873ba0

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad.mine

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1353345

Signature

Found strings related to Crypto-Mining

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Tries to detect debuggers (CloseHandle check)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Uses Windows timers to delay execution

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed/

Threat name:

Win64.Trojan.Miner

Status:

Malicious

First seen:

2022-09-02 16:15:09 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

12 of 37 (32.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xm5pbqb6nmedh6rgrwmolkfrtz4pweekqmfvrmvn4ugfp2p4tpwq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/231204-vcadaada95/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed

MD5 hash:

a7400236ffab02ae5af5c9a0f61e7300

SHA1 hash:

e3a6e33cb751dd81f4f6a62405df2930e9ede400

Link:

https://www.unpac.me/results/2f6ca1a5-098a-4c5d-8e2f-b72b05ba2aa8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

CoinMiner

Score:

0.60

Link:

https://yomi.yoroi.company/submissions/bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/