MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227
SHA3-384 hash: e0563ce9ff70ace75a20a23c12248d16b8cc4f44f89f45b055249f935d5e06a5b37efd1acf9b6de6040f56c406d2898b
SHA1 hash: 41b0182f4683af9ac1444393539cad5480379b4f
MD5 hash: 68557640db8a8e7225375079c5b74f58
humanhash: zulu-oranges-nineteen-white
File name:68557640db8a8e7225375079c5b74f58.bin
Download: download sample
Signature CoinMiner
Create hunting rule
File size:7'490'048 bytes
First seen:2023-03-01 18:19:47 UTC
Last seen:2023-03-01 22:29:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f0ea7b7844bbc5bfa9bb32efdcea957c (58 x Sliver, 17 x CobaltStrike, 12 x AsyncRAT)
ssdeep 98304:93EiL1pkOfylVETSX8zBVOzbtscJeikbAF5:1l5bFi8NVbbPkF5
TLSH T1B9767B43F85451A8C6E9D230C6768262BB717C880B3137D33FA5F6B92A73BD49A79350
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:bin CoinMiner exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
68557640db8a8e7225375079c5b74f58.bin
Verdict:
Suspicious activity
Analysis date:
2023-03-01 18:25:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ab86e7f3-c7c4-49b3-a2dd-b5199eb142fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370858/
Detection(s):
SecuriteInfo.com.FileRepMalware.22120.21420.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Sending a custom TCP request
Creating a service
Launching a service
Searching for synchronization primitives
Searching for the window
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint golang greyware packed
Link:
https://www.filescan.io/uploads/63ff975647dff094b52808e4/reports/e5149ce6-f7e3-42ca-ac83-e9fd6f0581da/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/92c5cf0a-049e-42c7-b6af-19c5ca3f57ab
Result
Threat name:
GMiner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1185091
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files in the system32 config directory
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected GMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 817947 Sample: LwdAHkFMw4.exe Startdate: 01/03/2023 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 Yara detected GMiner 2->60 62 2 other signatures 2->62 8 LwdAHkFMw4.exe 1 2->8         started        13 LwdAHkFMw4.exe 2->13         started        process3 dnsIp4 54 tecnozona.site 37.140.192.25, 443, 49695 AS-REGRU Russian Federation 8->54 50 C:\Windows\System32\r.exe, PE32+ 8->50 dropped 64 Suspicious powershell command line found 8->64 15 powershell.exe 15 8->15         started        18 powershell.exe 8->18         started        66 Adds a directory exclusion to Windows Defender 13->66 20 powershell.exe 19 13->20         started        23 powershell.exe 35 13->23         started        25 sc.exe 1 13->25         started        27 sc.exe 1 13->27         started        file5 signatures6 process7 dnsIp8 80 Creates files in the system32 config directory 15->80 29 r.exe 1 15->29         started        32 conhost.exe 15->32         started        82 Drops executables to the windows directory (C:\Windows) and starts them 18->82 34 r.exe 1 18->34         started        36 conhost.exe 18->36         started        52 192.168.2.1 unknown unknown 20->52 38 conhost.exe 20->38         started        40 conhost.exe 23->40         started        42 conhost.exe 25->42         started        44 conhost.exe 27->44         started        signatures9 process10 signatures11 68 Antivirus detection for dropped file 29->68 70 Multi AV Scanner detection for dropped file 29->70 72 Query firmware table information (likely to detect VMs) 29->72 74 Tries to detect sandboxes and other dynamic analysis tools (window names) 29->74 46 conhost.exe 29->46         started        76 Hides threads from debuggers 34->76 78 Tries to detect sandboxes / dynamic malware analysis system (registry check) 34->78 48 conhost.exe 34->48         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227/
Threat name:
Win64.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 18:11:00 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2udurnay3q2saapt2iescvesnb2y7hjo3xot72sijkmpqpv5gitq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/230301-wyr1wsha6s/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Themida packer
Creates new service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227
MD5 hash:
68557640db8a8e7225375079c5b74f58
SHA1 hash:
41b0182f4683af9ac1444393539cad5480379b4f
Link:
https://www.unpac.me/results/60514ba9-c523-472c-a959-a19fedd89bfa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe d50748b418dc352001f3d20921549268758f9d2edddd3fea484a98f83ebd3227

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/370858/
  
URLhaus
https://urlhaus.abuse.ch/url/2554529/
  
Delivery method
Distributed via web download

Comments