MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4cf9f8de6d0be53e5ba263fe8eeb33c199a21f70004d83e06bbded76dc5f322. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4cf9f8de6d0be53e5ba263fe8eeb33c199a21f70004d83e06bbded76dc5f322
SHA3-384 hash: 56ff3c39922f186ecf447894a0dac9360f9af38b94b2d16d73d554047b383c8e6b5dbbb60362696ff5e9c1128be1261c
SHA1 hash: 17102ba25662c9e6ab60af5ede912e970878ce35
MD5 hash: 445a94e8de3af65b9fb3daa3be10d407
humanhash: seven-south-quiet-sodium
File name:lol.ps1
Download: download sample
Signature CoinMiner
Create hunting rule
File size:134'920 bytes
First seen:2022-12-29 22:27:21 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 1536:sYgeXDq2DQ6TVd/X0I3KbLDClAQuqFtb1/TNNzPBam9Uqu6kMMTtoKAT1s+wA9zj:sYXOGQYV9XinmX/rn9UnodT1s+wA9zzf
Threatray 3'787 similar samples on MalwareBazaar
TLSH T1F9D38495505FC52DFC53FAE2DD53E282D02141E34FA0174DBEAACE89C66C8E4A25FD82
Reporter atomiczsec
Tags:CoinMiner ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63ae147340e878e304211eba/reports/aafcdf8b-a7d8-4893-a645-29b3ddcbc26a/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1142951
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Powershell drops PE file
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Powershell dedcode and execute
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 775681 Sample: lol.ps1 Startdate: 29/12/2022 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic 2->31 33 Multi AV Scanner detection for domain / URL 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 9 other signatures 2->37 8 powershell.exe 22 2->8         started        process3 file4 25 C:\Users\user\AppData\...\pscp_putty.exe, PE32+ 8->25 dropped 39 Powershell drops PE file 8->39 12 pscp_putty.exe 15 6 8->12         started        17 conhost.exe 8->17         started        signatures5 process6 dnsIp7 29 85.209.134.86, 49698, 49699, 49701 CMCSUS Germany 12->29 27 C:\Users\user\AppData\...\update_manager.exe, PE32+ 12->27 dropped 41 Antivirus detection for dropped file 12->41 43 Multi AV Scanner detection for dropped file 12->43 45 Machine Learning detection for dropped file 12->45 47 4 other signatures 12->47 19 powershell.exe 14 12->19         started        21 AppLaunch.exe 12->21         started        file8 signatures9 process10 process11 23 conhost.exe 19->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4cf9f8de6d0be53e5ba263fe8eeb33c199a21f70004d83e06bbded76dc5f322/
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-29 22:28:07 UTC
File Type:
Text (PowerShell)
AV detection:
3 of 38 (7.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ythz7dpg2c7fhzn2ey76r3vthqmzuipxaacnqpqgxppno3of6mra._file
Verdict:
malicious
Similar samples:
0f4929da9001eab23942eab268ece5da252c8b654273cc6ddaad9f87dcfbb1fa
CoinMiner
33a3bfb44d52e593191245c39b453475f7adac38721959590f7c258d3acf84a0
CoinMiner
40e33edbe3cc188d6a3c4e535344b8d2cc94ca910dcd7cf57f79958010338dcf
CoinMiner
68f9ad5ec23c835ad9509db0915d4065046933d06652eb79784a43fbb7290603
CoinMiner
8c85bc3ecc8b4aac2d61677da26f2846eb883a0137d28fcb8a59becd689f54ce
CoinMiner
8dc1691f86f99af947d8056784c28458396821c4b1ce288e8e2a882b0585304e
CoinMiner
a869ac3fa2ed34c5d13fc7ac4f8753f68cc2921959f8fe087cae9a1a7b646d39
CoinMiner
a88df82e4b619c1586b5640c801616486f08b3bd32f766847f468d6a23b6c23e
CoinMiner
b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73
CoinMiner
c180f58783642d9688ad20f32ce72e504accf1d101f1591b39b0d4e0f429fe3f
CoinMiner
+ 3'777 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence
Link:
https://tria.ge/reports/221229-2dmtbshf3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
XMRig Miner payload
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c4cf9f8de6d0be53e5ba263fe8eeb33c199a21f70004d83e06bbded76dc5f322

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments