MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d90173296d8637b9f6c356a518f3a5d5dee7b2b94f8ffb2d5e23fa718c0ba0f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d90173296d8637b9f6c356a518f3a5d5dee7b2b94f8ffb2d5e23fa718c0ba0f0
SHA3-384 hash: c46571770e54627ab6eaede9e4f242246897ca9bb7693c92e2786fc89277ecac6ac0fd0b8f61eddcf371c416682f035a
SHA1 hash: 2dfabf824dae4b5926bcd52f95fa0ca2b73f03a5
MD5 hash: 1af3f00230f98c748968df76af6287c9
humanhash: uniform-high-ceiling-carolina
File name:setup.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:337'568 bytes
First seen:2023-04-16 00:14:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a938367ff1218e8ce81e8bf10050a38 (4 x RedLineStealer, 1 x DCRat, 1 x CoinMiner)
ssdeep 6144:jzA8OtquzAVhAOWLwjaGUxYM8wS3Y3avn4udWgld:o8OkuzAVhU2ajZPK4ud
Threatray 8 similar samples on MalwareBazaar
TLSH T18B74D0132260C0B2E677D5341CE9DE7AC77FB1502754D4E733C42A6A4F122E2AA727DA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Chainskilabs
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2023-04-16 00:15:52 UTC
Tags:
miner
Link:
https://app.any.run/tasks/29f81980-0f69-4ae5-aa92-41bb2d4b5285

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382502/
Detection(s):
SecuriteInfo.com.Variant.Zusy.458277.9111.25834.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/79805/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dcrat greyware overlay packed
Link:
https://www.filescan.io/uploads/643b3e0a8cbb8f4be303e3b0/reports/1f938556-886c-400d-be22-24d53db01408/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/d90173296d8637b9f6c356a518f3a5d5dee7b2b94f8ffb2d5e23fa718c0ba0f0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/290be69f-431b-46c9-b82f-261d9015888e
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1214447
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Encrypted powershell cmdline option found
Found potential ransomware demand text
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sigma detected: Schedule system process
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 847375 Sample: setup.exe Startdate: 16/04/2023 Architecture: WINDOWS Score: 100 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus detection for dropped file 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 8 other signatures 2->85 8 setup.exe 1 2->8         started        11 cmd.exe 2->11         started        13 cmd.exe 2->13         started        15 cmd.exe 2->15         started        process3 signatures4 103 Contains functionality to inject code into remote processes 8->103 105 Writes to foreign memory regions 8->105 107 Allocates memory in foreign processes 8->107 109 Injects a PE file into a foreign processes 8->109 17 AppLaunch.exe 15 30 8->17         started        22 conhost.exe 8->22         started        24 conhost.exe 8->24         started        26 schtasks.exe 1 8->26         started        28 winlogson.exe 11->28         started        30 conhost.exe 11->30         started        32 chcp.com 11->32         started        34 conhost.exe 13->34         started        36 chcp.com 13->36         started        process5 dnsIp6 73 github.com 140.82.121.3, 443, 49696, 49697 GITHUBUS United States 17->73 75 objects.githubusercontent.com 185.199.109.133, 443, 49698, 49699 FASTLYUS Netherlands 17->75 77 pastebin.com 104.20.67.143, 443, 49695 CLOUDFLARENETUS United States 17->77 65 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 17->65 dropped 67 C:\ProgramData\Dllhost\dllhost.exe, PE32 17->67 dropped 69 C:\Windows\System32\drivers\etc\hosts, ASCII 17->69 dropped 71 C:\ProgramData\HostData\logs.uce, ASCII 17->71 dropped 87 Modifies the hosts file 17->87 38 cmd.exe 1 17->38         started        41 cmd.exe 1 17->41         started        43 cmd.exe 1 17->43         started        45 12 other processes 17->45 89 Antivirus detection for dropped file 28->89 91 Multi AV Scanner detection for dropped file 28->91 93 Machine Learning detection for dropped file 28->93 file7 signatures8 process9 signatures10 95 Encrypted powershell cmdline option found 38->95 97 Uses schtasks.exe or at.exe to add and modify task schedules 38->97 99 Uses powercfg.exe to modify the power settings 38->99 47 powershell.exe 5 38->47         started        49 conhost.exe 38->49         started        101 Modifies power options to not sleep / hibernate 41->101 61 7 other processes 41->61 51 powershell.exe 3 43->51         started        53 conhost.exe 43->53         started        55 powershell.exe 3 45->55         started        57 powershell.exe 45->57         started        59 conhost.exe 45->59         started        63 19 other processes 45->63 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d90173296d8637b9f6c356a518f3a5d5dee7b2b94f8ffb2d5e23fa718c0ba0f0/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3eaxgklnqy33t5wdk2srr45f2xpopmvzj6h7wlk6ep5hddaludya._file
Verdict:
malicious
Similar samples:
2a988d986f530d6005bd904674c86f56ad319073f912c73c8a85eac9e6b83bd8
CoinMiner
3a989ec907525ae8cb488002641bd24876c524141035430cb75562d08691f5c7
CoinMiner
7ca102e1ba7b7e6f886024178299d61461e4c4ed323b487be362926f9b1d4283
CoinMiner
9c88b05b2cc1381b441b53e8e0d20056334fe564f7965124a130471319a06bde
CoinMiner
e40fead052850b5d2c4ef6d699c15af82eaee437784b0f359abf5dcc78852b8a
CoinMiner
e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff
CoinMiner
ef873cbbc63a247b0c37c0e1b08da86bbbd0526bfab6b5f5f1c699849a25bc9e
CoinMiner
f0a699a874942dc88a5c3d1bcccb0e24d4f43889500a69394c77651c2f9f4e17
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/230416-ajxryahh3x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Downloads MZ/PE file
Drops file in Drivers directory
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
707e230eb04bdb6a20e04402c82fabc545f748d2226441bc265de98aa82466d1
MD5 hash:
8ce0a8d035c5ecb699f972acbf3ad801
SHA1 hash:
f79d03cd3492ba9f77bb4e3a8d2032fcdb77d78b
Link:
https://www.unpac.me/results/4c2efa92-5025-4218-a43b-7d56a5196c40/
SH256 hash:
d90173296d8637b9f6c356a518f3a5d5dee7b2b94f8ffb2d5e23fa718c0ba0f0
MD5 hash:
1af3f00230f98c748968df76af6287c9
SHA1 hash:
2dfabf824dae4b5926bcd52f95fa0ca2b73f03a5
Link:
https://www.unpac.me/results/4c2efa92-5025-4218-a43b-7d56a5196c40/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d90173296d86/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d90173296d8637b9f6c356a518f3a5d5dee7b2b94f8ffb2d5e23fa718c0ba0f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe d90173296d8637b9f6c356a518f3a5d5dee7b2b94f8ffb2d5e23fa718c0ba0f0

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/382502/

Comments