MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PureMiner

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3
SHA3-384 hash:	a3ad91ea943435b2e7f6011433b242211a1f1a3fc85be37d7b52fb3bb5b991ad448cc45c5a462e9902dc8608a9e64882
SHA1 hash:	6958d74875566da3ae865ae765b31ca3633fce90
MD5 hash:	f2df64e2c65f44aa533a8daccd081976
humanhash:	six-south-edward-arizona
File name:	f2df64e2c65f44aa533a8daccd081976.exe
Download:	download sample
Signature	PureMiner Create hunting rule
File size:	251'904 bytes
First seen:	2022-09-27 06:13:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	384:zl9gFlW7zkFXP4WGzvsuj8Sf5dCuEMa/qunCmtJdh5R555Dg:59Ogs6bdCjquRr5R555U
Threatray	2'268 similar samples on MalwareBazaar
TLSH	T11A34B5B57603A512F86E06F54E99C97316236E95EA41C21E37DE7F8F3A342EEC560320
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	c6c7cbd991b10810 (3 x AsyncRAT, 2 x SnakeKeylogger, 2 x PureMiner)
Reporter	abuse_ch
Tags:	exe PureMiner

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/313827/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Launching a process

Creating a process with a hidden window

Sending a custom TCP request

Unauthorized injection to a recently created process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated

Link:

https://www.filescan.io/uploads/633294ad18a36c641c873b8b/reports/6e84110e-00aa-462d-9209-279a5877092f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/15161af8-773d-4c47-872f-4bbdea088336

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1078037

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-09-26 16:55:53 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3c4ppubtjbl2g5ezmpaijeobkxdhioxzn6fno6iqcbqp64nj5srq._file

Verdict:

malicious

Label(s):

asyncrat

PureMiner

13ea07554dba891639dfd7da53ce65cae482b44655814a1792fcff4baf12ed05

PureMiner

15e2f966937440c34a383f8a2df6fa8b380fbc858b7560e3129f563296e17fbb

PureMiner

1628c7c85f687216c70bd768b4023e13693dfad1aef819de70d54cd82d39fe3a

PureMiner

1894ee1e31d02ce95f3fb5bfaaeade0718232866702e70bd19a70a0a15a3343c

PureMiner

3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5

PureMiner

5c8aba016e4e7ead4912b35fdc8a05964a56cda420c7a0427810633d9fd448dc

PureMiner

8a63134b33062c4634272b96c12d130f3abe74270f958ac03049eaae8bb66de4

PureMiner

8c88e83a7d8ecdc337997e822c9ed368d6fe3bff0ff4e3b4b1b55a0cabeb09f1

PureMiner

+ 2'258 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220927-gzb9hacga3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f6482d1b-2a85-4501-9d81-90e5a4bf7a91

Unpacked files

SH256 hash:

d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3

MD5 hash:

f2df64e2c65f44aa533a8daccd081976

SHA1 hash:

6958d74875566da3ae865ae765b31ca3633fce90

Link:

https://www.unpac.me/results/44d1b6a0-7b76-400c-84a3-825d39b618db/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d8b8f7d03348/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.60

Link:

https://yomi.yoroi.company/submissions/d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.