MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3a92a0b974cbe0f0c2b1236f098dde0763c220d391a83d8334d6e56946c57c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3a92a0b974cbe0f0c2b1236f098dde0763c220d391a83d8334d6e56946c57c3
SHA3-384 hash: 119491c4eebb9ed0152c7a6085fd45e6563456a2f2da81ad2ddcba4cb5e3498ef5a861e3b87f391a88bd78231c495c90
SHA1 hash: cd359dd69118acf4f9ca875442891da7e1a9d884
MD5 hash: b0b1dbd803da35aaeba33c2a8af98364
humanhash: bakerloo-green-butter-colorado
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'735'680 bytes
First seen:2023-01-18 20:13:47 UTC
Last seen:2023-01-18 21:30:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e4811e3ef82f57d63a1ca7e48a959915 (4 x CoinMiner)
ssdeep 49152:B+WgFA6o5+8Uc/jFaZWgt97mj/Ek3GqI22yX:BAA6SD78ZWEIjE6I22
Threatray 5'393 similar samples on MalwareBazaar
TLSH T19E851392E2D078D8E009717244FF85B2572BFEFC910B5A2E1499B3BE46B3A037593D16
File icon (PE):PE icon
dhash icon fbffbae8e4f0e1c2 (3 x CoinMiner)
Reporter andretavare5
Tags:CoinMiner exe


Avatar
andretavare5
Sample downloaded from http://lara.amiyon.com/svcrun.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-18 20:15:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/91acf2e3-d374-402e-af88-aa596dd23756

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354251/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Generic.31134.6013.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/63c8530dafdaca54d4392d88/reports/795f61bc-d00c-4f2f-85a6-605c56f899ec/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c9660c10-ef4c-4657-be60-1c1c4dae8273
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154155
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Xmrig
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 786886 Sample: file.exe Startdate: 18/01/2023 Architecture: WINDOWS Score: 100 52 Sigma detected: Xmrig 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 4 other signatures 2->58 7 file.exe 14 7 2->7         started        12 NOLAB.exe 3 2->12         started        14 svchost.exe 43 2->14         started        16 9 other processes 2->16 process3 dnsIp4 46 179.43.140.229 PLI-ASCH Panama 7->46 42 C:\ProgramData\Maker42OLAB.exe, PE32+ 7->42 dropped 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->64 66 Sets debug register (to hijack the execution of another thread) 7->66 68 Writes to foreign memory regions 7->68 80 2 other signatures 7->80 18 cmd.exe 1 7->18         started        21 vbc.exe 7->21         started        24 powershell.exe 27 7->24         started        70 Detected unpacking (changes PE section rights) 12->70 72 Contains functionality to detect virtual machines (IN, VMware) 12->72 74 Adds a directory exclusion to Windows Defender 12->74 26 cmd.exe 12->26         started        28 powershell.exe 12->28         started        76 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->76 48 20.190.159.71 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->48 50 192.168.11.1 unknown unknown 16->50 78 Changes security center settings (notifications, updates, antivirus, firewall) 16->78 file5 signatures6 process7 dnsIp8 60 Uses schtasks.exe or at.exe to add and modify task schedules 18->60 30 conhost.exe 18->30         started        32 schtasks.exe 1 18->32         started        44 51.255.34.118 OVHFR France 21->44 62 Query firmware table information (likely to detect VMs) 21->62 34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        38 schtasks.exe 26->38         started        40 conhost.exe 28->40         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3a92a0b974cbe0f0c2b1236f098dde0763c220d391a83d8334d6e56946c57c3/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-01-18 20:14:12 UTC
File Type:
PE+ (Exe)
Extracted files:
196
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ousuc4xjs7a6dblci3pbgg54b3dyiqnhenihwbtjvxfnfdmk7bq._file
Verdict:
unknown
Similar samples:
231da5c49718bad2f3aaa7ec962b69df2cb384c2f1f50b8b5113e2c10f02ba75
CoinMiner
5a86ccd82013a5faa9b2f855ba6baf3b1658ecac5e409d4d90c4d63d4ada79a8
CoinMiner
6f0be85cffdd59d4a1d520b6985820b6a62ad3978d3325be19b0c2f0e58dea14
CoinMiner
7bd34b7923a17098175c99070569b5a49e8dea6921edcbce273ec7f59e8ab9d1
CoinMiner
9d4888ece611891fb0343b8c003703a4ec653031585a2c578b3bb525683b3b9a
CoinMiner
adbdc8fbf39fa4942fda9e524c274da27b745df83faf87db4a0f0cc4f5442711
CoinMiner
ae11649e6981572ec12b4ca1b9e200926040c6e3a59c2abe12c523a7f41a7113
CoinMiner
d6d728c1c24d9e6f05a81e8d54846be4c89ca6d9a1a59e52a1ccfb32d9b65d42
CoinMiner
e6d721a289c4f4976f8501ae50c373513230533c1f2aea486ca88b5c431a918a
CoinMiner
e792fa03f41983cad37a70ad66cc73268d76c9f353a3277ab58f4f9546e0d3ff
CoinMiner
+ 5'383 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/230118-yzy7psgh66/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
.NET Reactor proctector
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
f3a92a0b974cbe0f0c2b1236f098dde0763c220d391a83d8334d6e56946c57c3
MD5 hash:
b0b1dbd803da35aaeba33c2a8af98364
SHA1 hash:
cd359dd69118acf4f9ca875442891da7e1a9d884
Link:
https://www.unpac.me/results/d35a18bb-4501-4410-b371-1160fe4b9d41/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f3a92a0b974c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/f3a92a0b974cbe0f0c2b1236f098dde0763c220d391a83d8334d6e56946c57c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2511168/
Cape
Cape
https://www.capesandbox.com/analysis/354251/

Comments