MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7c42165fa7492a009949e9215003a22792aa8a1483ec9d4f82d6b288a2bf610. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	d7c42165fa7492a009949e9215003a22792aa8a1483ec9d4f82d6b288a2bf610
SHA3-384 hash:	5c21e0d9bc4bec8683610c180e43038df41e885115cff7b71229279a44d4784194bbbe6bb557378e9232408b459d29db
SHA1 hash:	817bf454e69c0256b39b1a7b5e9a99b83e859c69
MD5 hash:	e0fb32cda5597b5feba30a8ad54cd555
humanhash:	venus-nineteen-delaware-speaker
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	1'223'263 bytes
First seen:	2023-02-23 14:55:15 UTC
Last seen:	2023-02-23 14:56:01 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:8tp3dDg6ZgLMRZXs0zqBa6rk65+oCyhKv+mGF8omJ:8tSajNoCn
Threatray	12 similar samples on MalwareBazaar
TLSH	T13F45F12BB56A8921C3C81B3AD4DF4A040B745D4575EBDB0A78C803D659033F7EE8BA97
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	ccc2d23eec90d2e4 (1 x CoinMiner)
Reporter	andretavare5
Tags:	CoinMiner exe

andretavare5

Sample downloaded from https://vk.com/doc10773776_660018918?hash=eFeyS0JknqRe1EnnKM2Xm1qSrk5TLBDBgtvdt9HVMfT&dl=GEYDONZTG43TM:1677163942:zJLtgZqLw9Dx9mzOOmJvW0SXi5qK1phkE8abp5FB4Ss&api=1&no_preview=1#opt1

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-02-23 14:57:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8d159004-7d76-4c38-9ead-5d3ff163e2d3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

zgRAT

Link:

https://www.capesandbox.com/analysis/369310/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Using the Windows Management Instrumentation requests

DNS request

Launching a process

Searching for synchronization primitives

Creating a service

Launching a service

Loading a system driver

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun for a service

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

overlay

Link:

https://www.filescan.io/uploads/63f77e84e7c43c2f85d66c6a/reports/8e31a316-aada-4481-8455-30568489d013/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/d7c42165fa7492a009949e9215003a22792aa8a1483ec9d4f82d6b288a2bf610

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

MassLogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/343c4f11-9712-4fef-ad77-65e1814e84d4

Result

Threat name:

Xmrig, zgRAT

Detection:

malicious

Classification:

troj.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1181390

Signature

Detected Stratum mining protocol

Found strings related to Crypto-Mining

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: Xmrig

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Xmrig cryptocurrency miner

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d7c42165fa7492a009949e9215003a22792aa8a1483ec9d4f82d6b288a2bf610/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-02-23 14:56:08 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

16 of 25 (64.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=27ccczp2osjkacmut2jbkab2ej4svkfbja7mtvhyfvvsrcrl6yia._file

Verdict:

malicious

CoinMiner

26b9cdc2b963ebb36d2a5c4ff6dc5e1ba49ff150fc0f179c92d71d22d275ee7f

CoinMiner

29b5468c799dbba5a156b67c04f3082f41c647c0cf9330e824f57d456d2e234e

CoinMiner

30afc0e58f7baf65a4e29aa3d556f7f3544542af0beadc5e670f8ce413dc682b

CoinMiner

33582086a3417a06bb5154cd9e1f878bff0d8717151cbccd539cd0505a8e5fcd

CoinMiner

6620065fb747acd80ed59d91d4b76316b9402c739530a8436e36f188e9a3f03f

CoinMiner

963f054c289e0855e2d119fa2e290bcc3a1d7787c60ed226fb6512b52b3750c5

CoinMiner

9fd84c71e3c3c85eb7ef456aa82d68223aa2ba2dfab716f1a34732227d009b6f

CoinMiner

bec2c4c72b0297624093232878a45e9f5e467a9f838268a4403bc9416bde8189

CoinMiner

e904870d3952bad327314df46c9fa32f9aac69ef0028123515da1cda4c1c6706

CoinMiner

+ 2 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner persistence

Link:

https://tria.ge/reports/230223-sa1rcagb97/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

XMRig Miner payload

xmrig

Unpacked files

SH256 hash:

d7c42165fa7492a009949e9215003a22792aa8a1483ec9d4f82d6b288a2bf610

MD5 hash:

e0fb32cda5597b5feba30a8ad54cd555

SHA1 hash:

817bf454e69c0256b39b1a7b5e9a99b83e859c69

Link:

https://www.unpac.me/results/b34e1f2b-e75e-49aa-9742-935adfa47b09/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d7c42165fa7492a009949e9215003a22792aa8a1483ec9d4f82d6b288a2bf610

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	MALWARE_Win_zgRAT Create hunting rule
Author:	ditekSHen
Description:	Detects zgRAT

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/369310/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample