MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cacf2a81403b53afda568e4cfd9ff3896b20dbb85a4a4226d7ad98f21a9fe75f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cacf2a81403b53afda568e4cfd9ff3896b20dbb85a4a4226d7ad98f21a9fe75f
SHA3-384 hash: 25f3aba7896dc59aea032c9e9d3fe53407fb0659b6a6ea88df40718bfc050b866d0480c7cdec72b2d177f0325619cf30
SHA1 hash: 04797d186684f54089bd1fbd6b15161d904f3cea
MD5 hash: ccf45a2b8156c3214f68ddc2ff022877
humanhash: cold-green-helium-crazy
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'004'032 bytes
First seen:2022-12-21 11:24:50 UTC
Last seen:2022-12-21 12:42:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 19dd557f052aaceb3f17755413e930ea (1 x CoinMiner)
ssdeep 24576:0G9QyyAUOrvcLzgYWFyO8tXLdyLApnvg8Fm8kr:LyAUhzg3F6psWnvXG
Threatray 5'561 similar samples on MalwareBazaar
TLSH T1D225F104F2818D02C23A013A7873AB705524EE84A21DD61FB54537FB7EF37952EA7E96
File icon (PE):PE icon
dhash icon c0dcdcbcfc6cf010 (3 x CoinMiner)
Reporter andretavare5
Tags:CoinMiner exe


Avatar
andretavare5
Sample downloaded from http://affito.amiyon.com/svcrun.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-21 11:26:00 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/bfa3407f-347d-4823-9f1c-873f9e86def6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/348688/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.2272.12570.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Creating a file
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Creating a window
Sending a custom TCP request
Sending an HTTP POST request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63a2ed0fc5baedacd38c7445/reports/3957fc2f-612e-4589-a2c8-04d14f835a52/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3af94c8f-8cda-49fc-8a4e-022ab30c6a5e
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1138627
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 771357 Sample: file.exe Startdate: 21/12/2022 Architecture: WINDOWS Score: 88 31 xmr-eu1.nanopool.org 2->31 35 Snort IDS alert for network traffic 2->35 37 Yara detected Xmrig cryptocurrency miner 2->37 39 DNS related to crypt mining pools 2->39 8 file.exe 5 2->8         started        signatures3 process4 file5 29 C:\ProgramData\JavaEPWA.exe, PE32+ 8->29 dropped 41 Detected unpacking (changes PE section rights) 8->41 43 Detected unpacking (overwrites its own PE header) 8->43 45 Sets debug register (to hijack the execution of another thread) 8->45 47 2 other signatures 8->47 12 cmd.exe 1 8->12         started        14 powershell.exe 19 8->14         started        16 powershell.exe 20 8->16         started        signatures6 process7 process8 18 EEPWA.exe 12->18         started        21 conhost.exe 12->21         started        23 timeout.exe 1 12->23         started        25 conhost.exe 14->25         started        27 conhost.exe 16->27         started        signatures9 33 Tries to evade debugger and weak emulator (self modifying code) 18->33
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cacf2a81403b53afda568e4cfd9ff3896b20dbb85a4a4226d7ad98f21a9fe75f/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-12-21 11:25:09 UTC
File Type:
PE+ (Exe)
Extracted files:
240
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlhsvakahnj27wswrzgp3h7trfvsbw5yljfeejwxvwmpegu745pq._file
Verdict:
unknown
Similar samples:
46f8f11c73025c6b52c57ce3e5f98a560d30e6ddfec8f176b917255fbdf89010
CoinMiner
59f17c106736e65344e8482517117815bc178bcefd38aabc8286fdfd9ea99909
CoinMiner
5d19ae54d2385c07ac17c65f1fe8298b851597345c6e54d20833def2856ae449
CoinMiner
85eea57d642c402e2a179198a5497e9173bbf7f7960fb0cc679c6d6980963abd
CoinMiner
8be2caee636b007be2f3f6a6154457877113e2538ffcbad2984e1372a089759f
CoinMiner
9cd84cf345a355c7fafb27dceeb9d6a8dc910f4812578edd396dd2fad42b5e1b
CoinMiner
b2d0218bafb5d97e66fe6eb04a474cfd4182b43fb834db9617516c6af761a176
CoinMiner
b5ed948dd84aa5fdecf011400ced88f20a8c376795672445c41275a974f26318
CoinMiner
ca572a5efba385cd3e9edae5f64c6d6cea3608ebb18586629fe420357049b78c
CoinMiner
f612fed2c8845c7bacc9ac0d7263d0814932ec05939c28494d98ebbf7e163b79
CoinMiner
+ 5'551 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/221221-nh9xrscb76/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
cacf2a81403b53afda568e4cfd9ff3896b20dbb85a4a4226d7ad98f21a9fe75f
MD5 hash:
ccf45a2b8156c3214f68ddc2ff022877
SHA1 hash:
04797d186684f54089bd1fbd6b15161d904f3cea
Link:
https://www.unpac.me/results/709785b4-ee23-434e-b23d-7e116a31737b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cacf2a81403b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.19
Link:
https://yomi.yoroi.company/submissions/cacf2a81403b53afda568e4cfd9ff3896b20dbb85a4a4226d7ad98f21a9fe75f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/348688/

Comments