MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8a83c6c8f797e36eb7a5edf0e5f85a8d985895c82932422b95bf628f4106dfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8a83c6c8f797e36eb7a5edf0e5f85a8d985895c82932422b95bf628f4106dfb
SHA3-384 hash: e7a70b939aceb54d1b2813f5b701bb8407455fad8866cd369615a21c318845554543fa452b95e6231553d0e4f14bb156
SHA1 hash: 25b4978fa938c9d8347fe132927ec992438b7c0a
MD5 hash: 0b2c34471fa6372be907560cad2a0b73
humanhash: missouri-juliet-north-foxtrot
File name:0b2c34471fa6372be907560cad2a0b73.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:17'380'352 bytes
First seen:2024-12-06 09:06:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (99 x LummaStealer, 85 x RedLineStealer, 62 x Rhadamanthys)
ssdeep 393216:ZEWr7OP9NWfEAVtXe3ziLd87w5hFSvlDm4TWEr7HvPjgfOYp1P9MD4:ZEWr7O1NgZe3zB9vlHTWEfHnjsOKdO8
Threatray 340 similar samples on MalwareBazaar
TLSH T19107333560F8D2D5E2A97979DC8778F69561FD20E6608C8F3D98BE1D78B2280F83460D
TrID 58.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.7% (.EXE) Win64 Executable (generic) (10522/11/4)
5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 316d4d4d5d554569 (4 x AgentTesla, 4 x Stealc, 3 x RemcosRAT)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
420
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
0b2c34471fa6372be907560cad2a0b73.exe
Verdict:
Malicious activity
Analysis date:
2024-12-06 09:54:37 UTC
Tags:
miner xmrig
Link:
https://app.any.run/tasks/b46af9ff-92d5-48e9-92bf-3af5945e5cf9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6752bebb19fba9940b49701f
Tags:
autorun xmrig
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Searching for the window
Searching for synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context adaptive-context anti-debug byovd CAB coinminer crypto explorer installer lolbin microsoft_visual_cc miner monero packed packed packer_detected pup rundll32 runonce sfx xcopy xmrig
Link:
https://www.filescan.io/uploads/6752beb9f158f0b6a3b2a5d7/reports/932c5dae-b0bf-48e9-9593-62344fd0047d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/c8a83c6c8f797e36eb7a5edf0e5f85a8d985895c82932422b95bf628f4106dfb
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fb38e030-7011-4393-988f-3822b4265e75
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
adwa.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1569824
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Detected Stratum mining protocol
Drops PE files to the startup folder
Found strings related to Crypto-Mining
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Potentially Suspicious Malware Callback Communication
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1569824 Sample: iKvzvknzW1.exe Startdate: 06/12/2024 Architecture: WINDOWS Score: 100 58 zeph.kryptex.network 2->58 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for dropped file 2->64 66 Antivirus / Scanner detection for submitted sample 2->66 68 6 other signatures 2->68 10 iKvzvknzW1.exe 1 8 2->10         started        14 win.exe 3 2->14         started        16 rundll32.exe 2->16         started        18 rundll32.exe 2->18         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\...\xmrig.exe, PE32+ 10->46 dropped 48 C:\Users\user\AppData\Local\Temp\...\win.exe, PE32+ 10->48 dropped 50 C:\Users\user\AppData\Local\...\WINRIN~1.SYS, PE32+ 10->50 dropped 86 Found strings related to Crypto-Mining 10->86 88 Creates multiple autostart registry keys 10->88 90 Sample is not signed and drops a device driver 10->90 20 cmd.exe 1 2 10->20         started        22 cmd.exe 14->22         started        signatures6 process7 process8 24 win.exe 1 3 20->24         started        27 xcopy.exe 2 20->27         started        30 xcopy.exe 2 20->30         started        36 5 other processes 20->36 32 xmrig.exe 1 22->32         started        34 conhost.exe 22->34         started        file9 70 Creates multiple autostart registry keys 24->70 38 cmd.exe 1 24->38         started        52 C:\Users\user\AppData\Roaming\...\win.exe, PE32+ 27->52 dropped 72 Drops PE files to the startup folder 27->72 54 C:\Users\user\AppData\Roaming\...\win.exe, PE32+ 30->54 dropped 74 Query firmware table information (likely to detect VMs) 32->74 56 C:\Users\user\AppData\Roaming\...\xmrig.exe, PE32+ 36->56 dropped signatures10 process11 process12 40 xmrig.exe 1 38->40         started        44 conhost.exe 38->44         started        dnsIp13 60 135.125.128.34, 49730, 49735, 7777 AVAYAUS United States 40->60 76 Antivirus detection for dropped file 40->76 78 Multi AV Scanner detection for dropped file 40->78 80 Query firmware table information (likely to detect VMs) 40->80 82 Found strings related to Crypto-Mining 40->82 signatures14 84 Detected Stratum mining protocol 60->84
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c8a83c6c8f797e36eb7a5edf0e5f85a8d985895c82932422b95bf628f4106dfb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8a83c6c8f797e36eb7a5edf0e5f85a8d985895c82932422b95bf628f4106dfb/
Threat name:
Win64.Coinminer.XMRig
Create hunting rule
Status:
Malicious
First seen:
2024-11-27 17:01:01 UTC
File Type:
PE+ (Exe)
Extracted files:
1364
AV detection:
18 of 23 (78.26%)
Threat level:
  4/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zcudy3eppf7dn232l3pq4x4fvdmylck4qkjsiivzlp3cr5aqnx5q._file
Verdict:
malicious
Label(s):
xmrig
Create hunting rule
Similar samples:
436b57eb4ebf6768af469abaabbb1de5ef33ee07a87a82e279f98c9a079a2497
CoinMiner
8982eecbc6365b0320c57d0d186f0b0569a6cb619da669f5a87ad3ad7b09e698
CoinMiner
9754bc10564077425803459cc91b0197ad96263e6994e9afc2a5fd0e932615d8
CoinMiner
a22b5e7005cd6d4e2c873ac93225be3002c7abb1de7159ef47f213346699977e
CoinMiner
be8e942ff8e30b01a840f745356bf6398bc57874e1d76f2515c40f057933abc5
CoinMiner
c8b92119a5b562bbcea0562512a45db5a9695166b8950617604ced871f604bc0
CoinMiner
error
CoinMiner
f38fa95a5c036c2193db7d9b9c28f6bb6b5173c89e61cb396f1fbe03c457988b
CoinMiner
+ 330 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence
Link:
https://tria.ge/reports/241206-k3bzpawjhj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Executes dropped EXE
XMRig Miner payload
Xmrig family
xmrig
Verdict:
Malicious
Tags:
stealer redline Win.Coinminer.Generic-7151250-0
YARA:
detect_Redline_Stealer
Link:
https://app.threat.zone/submission/14d0aa9b-e3f2-4e93-bf3b-9cb5b9df01c3
Unpacked files
SH256 hash:
d630134dea1d8be1120648244f8e3ae2fdca4721157528902bf5f421c2d26223
MD5 hash:
db07fbb43f5f0cdd925eb00c254adbe3
SHA1 hash:
fa88f67b9846fb1fcb987aaf662bb19594cf5e68
Detections:
SUSP_XMRIG_String
Create hunting rule
Link:
https://www.unpac.me/results/90a65ce5-7161-46d4-a7b0-e36020309ecc/
SH256 hash:
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
MD5 hash:
0c0195c48b6b8582fa6f6373032118da
SHA1 hash:
d25340ae8e92a6d29f599fef426a2bc1b5217299
Detections:
PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD
Create hunting rule
Link:
https://www.unpac.me/results/90a65ce5-7161-46d4-a7b0-e36020309ecc/
Parent samples :
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8
40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779
e6da05c053763230ec6ba48cb976d43f184604d9262799eadb0c27ef2e839ec6
e14d20d5a80507197245fc2b53eefc6c5b9de9a422857b376434f7dd03533bc0
01a976b80253450a09d0b89075f5fa923a3411265f7bc8f3413d059fd662aa83
f49dd9baed6ec113ad16bcd07e50ab5dc1ca98ef4797712cbf3f2f5463a16d41
22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184
21690a716f4d4f3af3ad00504dfd41ef4d11a5663ff96c3365838896ffcaedd7
c7eaff9d735d8eef42c73be4c093f7b31cf7d0df18c98d135eb915c13409d077
235c665b25c1e78fed3ca96e57c374e5a416aad1d27b4ae436a1c6c58604268b
c8a83c6c8f797e36eb7a5edf0e5f85a8d985895c82932422b95bf628f4106dfb
ed3ce2006fbfa402977bb026324637b905c5cc8228254b88037d3f68152463d3
a7a9d6a874f65ea3689930a2af208a025fee0a3dc1ad5cb9c964cbadd2cacf1f
67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea
254a713d3ec2852b6657ecb8840efd2662e048ace42c2b4e0b30c589cdb9f8cb
6353b1218561a746bb3e009b611a1945bc2367b4d3ffef7849d4af4d369f184c
4f85b6d87dcc12f7904f95f3716b18930c63cb18bd624c1abcbdd9181ba4efc2
e93433169e2ec088a21ee58ae3e780f68215eb75dcd31b83d1fa31d6c16145e5
1214268764f9252ca840f1cc7e9b3698ed55f059802fa7ab7442f61144d898d0
803b90be4767757819d2be13b6d6a36d1af1383495a31a5932cfd50bacb4c717
9a2476c6474745cfacee35d15a3d4034d8d254304be3fa17a170ec0af9f9077e
SH256 hash:
c8a83c6c8f797e36eb7a5edf0e5f85a8d985895c82932422b95bf628f4106dfb
MD5 hash:
0b2c34471fa6372be907560cad2a0b73
SHA1 hash:
25b4978fa938c9d8347fe132927ec992438b7c0a
Link:
https://www.unpac.me/results/90a65ce5-7161-46d4-a7b0-e36020309ecc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8a83c6c8f797e36eb7a5edf0e5f85a8d985895c82932422b95bf628f4106dfb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments