MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA3-384 hash: 9bb9f0292d502b354597958663b8dd32e58b187b80dd33e843d9b040b94caaea4e51d8b630a6bcb492c394aebd2bc448
SHA1 hash: 728a7a867d13ad0034c29283939d94f0df6c19df
MD5 hash: 3006b49f3a30a80bb85074c279acc7df
humanhash: helium-spaghetti-jig-spaghetti
File name:3006b49f3a30a80bb85074c279acc7df
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'890'176 bytes
First seen:2023-01-27 04:38:56 UTC
Last seen:2023-08-25 17:06:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash df9a7bc1c6c6cd97d04c3762fdde6719 (18 x CoinMiner, 2 x CoinMiner.XMRig, 1 x PripyatMiner)
ssdeep 49152:8Pu803iSM2N7aUjjqpEbUS2qv5MQBsSY/b7KoiTFUgxylC42lVJpiU71PP:s12BEE4vqxMQzub7OTFUgxylqTiU7J
Threatray 40 similar samples on MalwareBazaar
TLSH T145061224B7492F8EF465B8702BC8D721D6D93C2DB8CDBDA043E4659D2E72182E70685F
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 669c70e4c87c9e66 (2 x CoinMiner, 1 x AsyncRAT)
Reporter zbetcheckin
Tags:CoinMiner exe FruitMiX

Intelligence

File Origin
# of uploads :
5
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
File_pass1234.zip
Verdict:
Malicious activity
Analysis date:
2023-01-26 20:09:21 UTC
Tags:
evasion opendir loader trojan amadey rat redline
Link:
https://app.any.run/tasks/aa490ead-b877-4d2e-be24-f3cd7a52f0eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357292/
Detection(s):
Win.Malware.Coins-9958870-0
Create hunting rule

Win.Malware.Trojanx-9977539-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63347/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug coinminer packed
Link:
https://www.filescan.io/uploads/63d355681c9cbf7d6253518c/reports/1c0c43f6-954f-4d2f-a9ca-b6edba082fdd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/761e28b5-255f-4e65-a5e1-2233fffdd674
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160007
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Creates files in the system32 config directory
DNS related to crypt mining pools
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 792744 Sample: kkCN9ago2j.exe Startdate: 27/01/2023 Architecture: WINDOWS Score: 100 63 Antivirus detection for dropped file 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 5 other signatures 2->69 7 updater.exe 2->7         started        11 cmd.exe 1 2->11         started        13 kkCN9ago2j.exe 3 2->13         started        15 18 other processes 2->15 process3 file4 47 C:\Windows\Temp\aadgyxmr.tmp, PE32+ 7->47 dropped 49 C:\Program Filesbehaviorgraphoogle\Libs\WR64.sys, PE32+ 7->49 dropped 71 Uses cmd line tools excessively to alter registry or file data 7->71 73 Writes to foreign memory regions 7->73 75 Modifies the context of a thread in another process (thread injection) 7->75 89 2 other signatures 7->89 17 cmd.exe 7->17         started        20 conhost.exe 7->20         started        22 conhost.exe 7->22         started        77 Uses powercfg.exe to modify the power settings 11->77 79 Modifies power options to not sleep / hibernate 11->79 25 reg.exe 1 11->25         started        27 reg.exe 1 11->27         started        29 reg.exe 1 11->29         started        33 8 other processes 11->33 51 C:\Program Files51otepad\Chrome\updater.exe, PE32+ 13->51 dropped 81 Adds a directory exclusion to Windows Defender 13->81 83 Creates files in the system32 config directory 15->83 85 Changes security center settings (notifications, updates, antivirus, firewall) 15->85 87 Uses schtasks.exe or at.exe to add and modify task schedules 15->87 31 MpCmdRun.exe 15->31         started        35 28 other processes 15->35 signatures5 process6 dnsIp7 59 Modifies power options to not sleep / hibernate 17->59 37 conhost.exe 17->37         started        39 powercfg.exe 17->39         started        41 powercfg.exe 17->41         started        45 2 other processes 17->45 61 Adds a directory exclusion to Windows Defender 20->61 53 51.15.58.224, 14433, 49703 OnlineSASFR France 22->53 55 152.228.216.245, 14433, 49701 ILIGHT-NETUS United States 22->55 57 3 other IPs or domains 22->57 43 conhost.exe 31->43         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-25 23:22:55 UTC
File Type:
PE+ (Exe)
Extracted files:
18
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kb3jqfnjkic4hfwiiaxilfeyuiy6j26poiru7np3ippag4ckkaa._file
Verdict:
malicious
Similar samples:
4087249b32bc81f6df39a587acd55b0f0cf59a53d14f734a05886ff3e1bdaaa2
CoinMiner
505a09c5be91d9e44a7b459ac5e8961fe01a234c1633a789ba290e94e81fa5f5
CoinMiner
7812b5f5fd710358255d8847f61729386cb982c55beb12a77e240d3377aaeafb
CoinMiner
89a342bb20ad895c86665599e40ecd591b2993f5a1b343768dbb7af038aebd31
CoinMiner
94e2fe84aeea801b0ddcf49c74375bb23ec242d30edc39fccd296ed2e7b64f72
CoinMiner
b2f930118a0446e664ce121628a1897dbb62e04ccbf8df07cdf24230f4393b28
CoinMiner
dd84819f9d2e108ac8dbbfedf10d61f787b6082f02ddb63ca05c98d78e877597
CoinMiner
ef1cb9555d780addb510d052b41f070dbdeb931c3f916bf345a419a4d437a167
CoinMiner
ffa4485b730b662d6c9e65a4e6b8687c3037838f582839821eefae481c327baf
CoinMiner
+ 30 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner upx
Link:
https://tria.ge/reports/230127-e9yt5shg9w/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
Stops running service(s)
UPX packed file
XMRig Miner payload
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
MD5 hash:
3006b49f3a30a80bb85074c279acc7df
SHA1 hash:
728a7a867d13ad0034c29283939d94f0df6c19df
Link:
https://www.unpac.me/results/332b187d-2bfa-422a-8c9f-d1851e450758/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f283b4c0ad4a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2519593/
Cape
Cape
https://www.capesandbox.com/analysis/357292/

Comments


Avatar
zbet commented on 2023-01-27 04:39:14 UTC

url : hxxp://77.73.134.27/XandETC.exe