MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6380b44bb9310fcfb2c80e3b0e16e3c75970d35fb5dd412a23b31ee3772d8c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	c6380b44bb9310fcfb2c80e3b0e16e3c75970d35fb5dd412a23b31ee3772d8c6
SHA3-384 hash:	845e0e6d0fc5ebac17963e926fb20c60174382796add0fd6294461f5b789472cd81bd8786048c8f44d76d35d43798ccd
SHA1 hash:	a09feb69e31d052c65e6897162faeeb38378c4dc
MD5 hash:	e8cb6ae5692bf56e9ad8ece71ddd34de
humanhash:	lake-quiet-robert-butter
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	973'824 bytes
First seen:	2022-12-30 06:36:08 UTC
Last seen:	2022-12-30 08:31:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c6d89dde9dc9ba3c6ab4557658a9a290 (1 x CoinMiner)
ssdeep	24576:EtVSn52pcSC6z5l+zCS8FsvRBDWmzYmO:OSn52pA6z5MeS8FaByoYX
Threatray	2'522 similar samples on MalwareBazaar
TLSH	T1CD25F1A8E5F09248E5BD4B718F75D4F01E953D02FC51646B62E7BB2F383358D0C09AAA
File icon (PE):
dhash icon	f2d3c3e5c4c8e878 (2 x CoinMiner)
Reporter	andretavare5
Tags:	CoinMiner exe

andretavare5

Sample downloaded from http://affito.amiyon.com/svcrun.exe

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-12-30 06:36:57 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/cae895da-1c1e-40c9-9c9a-e8c18bff077a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.10906.29954.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Using the Windows Management Instrumentation requests

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63ae870e0fdf1633326c964c/reports/20df356b-cc4d-446d-b566-739361b07b1a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/44c1712b-8eb3-4482-9985-ef440afd7f50

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1143081

Signature

Adds a directory exclusion to Windows Defender

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

DNS related to crypt mining pools

Found strings related to Crypto-Mining

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c6380b44bb9310fcfb2c80e3b0e16e3c75970d35fb5dd412a23b31ee3772d8c6/

Threat name:

Win64.Trojan.Privateloader

Status:

Suspicious

First seen:

2022-12-30 06:37:07 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

13 of 26 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yy4awrf3smipz6zmqdr3bylohr2zodjv7no5ievchmy64n3s3dda._file

Verdict:

unknown

CoinMiner

4b832681660bd5727a36443544b83d5a69ccc47143220f7b3ea924b81bfe2fc4

CoinMiner

532d8d05263ecb3453da330b6213c9d5cb1f1eb5db77b40664c7ec722b9f9475

CoinMiner

59f17c106736e65344e8482517117815bc178bcefd38aabc8286fdfd9ea99909

CoinMiner

5a329d76898db05611e2dad04c55e316f1c4bb2dd6c9d223eb85af92bc2e1893

CoinMiner

6c2ba87dd2fa43b8812d8400607aa3926b74ddf71def2de3247f2234d1413563

CoinMiner

85eea57d642c402e2a179198a5497e9173bbf7f7960fb0cc679c6d6980963abd

CoinMiner

ac33a4954a11cabb9fce2e006d671f385b136f51453eec5b63456bcc6d50171d

CoinMiner

b5ed948dd84aa5fdecf011400ced88f20a8c376795672445c41275a974f26318

CoinMiner

c09036b1e48b5fc1f692cdc09fb5e9086c4367a5021a1d16172e4d49a3f765e2

CoinMiner

+ 2'512 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/221230-hdggrsad51/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

XMRig Miner payload

xmrig

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/db81b431-8545-4125-abbf-e21dbe74d129

Unpacked files

SH256 hash:

c6380b44bb9310fcfb2c80e3b0e16e3c75970d35fb5dd412a23b31ee3772d8c6

MD5 hash:

e8cb6ae5692bf56e9ad8ece71ddd34de

SHA1 hash:

a09feb69e31d052c65e6897162faeeb38378c4dc

Link:

https://www.unpac.me/results/58af0e6b-6501-45ae-91da-3e95b932996f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c6380b44bb93/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.19

Link:

https://yomi.yoroi.company/submissions/c6380b44bb9310fcfb2c80e3b0e16e3c75970d35fb5dd412a23b31ee3772d8c6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2452741/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample