MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4cc83df502e52e7bf58de1f498cc5f5c657eacdc1aebfeaae97258d23726b26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 17



SHA256 hash: f4cc83df502e52e7bf58de1f498cc5f5c657eacdc1aebfeaae97258d23726b26
SHA3-384 hash: a469314e62def5c1d9efa8c26bf056f55adba33e5f381b3c2055925fb194cc51782aad69365754a6375249be8e62533f
SHA1 hash: 3fec401d0f443007dfd17e645205f95d573183fe
MD5 hash: 6fa5273cb41f8e546d20103d2d5a71af
humanhash: pip-stairway-mirror-mississippi
File name: sgsdg.exe
Signature: CoinMiner
File size: 10'743'296 bytes
First seen: 2025-05-15 01:10:49 UTC
Last seen: 2025-05-15 06:47:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 196608:22GT1F5jIjbhsxO9VGWEmPoiK3trhSWEW1vG21/Dd47zxHzd+QfHsQ8lUi:rGXwbuUDGWEqc5EW1v1S7zJdV0v
TLSH: T1FDB633CA9ABD043EC5B91D32BAB84454BBC9AA024072A570F7D077BC6D6E5F93E701C1
TrID:
- 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
- 10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
- 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
- 4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
- 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: skocherhan
Tags: CoinMiner exe


skocherhan
https://github.com/piunildunkos8/nom/raw/refs/heads/main/sgsdg.exe

Intelligence


File Origin
# of uploads:
2
# of downloads:
484
Origin country:
GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sgsdg.exe
Verdict:
Malicious activity
Analysis date:
2025-05-15 01:11:24 UTC
Tags:
stealer octalyn telegram miner winring0x64-sys vuln-driver

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
dropper micro spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Reading critical registry keys
Launching a process
Creating a process with a hidden window
Deleting a system file
Running batch commands
Unauthorized injection to a recently created process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Verdict:
Malicious
Labeled as:
Backdoor.Marte.VenomRAT.Generic
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture screen (.Net source)
Detected generic credential text file
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected BrowsingHistoryView browser history reader tool
Yara detected Telegram Recon
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Behavior Graph ID: 1690400; Sample: sgsdg.exe; Startdate: 15/05/2025; Architecture: WINDOWS; Score: 100 (graph rendering not reproduced here)
Threat name:
ByteCode-MSIL.Backdoor.MarteVenomRAT
Status:
Malicious
First seen:
2025-05-15 01:11:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
29 of 37 (78.38%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
admintool_bulletpassview admintool_iepassview admintool_extpassword nirsoft admintool_mailpassview admintool_credentialsfileview
Similar samples:
Result
Malware family:
Score:
  10/10
Tags:
family:gurcu family:xmrig credential_access defense_evasion discovery execution miner persistence spyware stealer upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Power Settings
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Stops running service(s)
Uses browser remote debugging
Detected Nirsoft tools
NirSoft WebBrowserPassView
XMRig Miner payload
Gurcu family
Gurcu, WhiteSnake
Xmrig family
xmrig
Malware Config
C2 Extraction:
https://api.telegram.org/bot8069957268:AAG-qo8tQ53F1YNz8l3PJmO3Be-VgK5aK6c/sendDocumen
Unpacked files
SHA256 hash:
f4cc83df502e52e7bf58de1f498cc5f5c657eacdc1aebfeaae97258d23726b26
MD5 hash:
6fa5273cb41f8e546d20103d2d5a71af
SHA1 hash:
3fec401d0f443007dfd17e645205f95d573183fe
SHA256 hash:
6244a6dc0486899eaf1f7340efe7f67da5bc2b844db4e599f816915ff43590b6
MD5 hash:
9bc95302c2b0651a101ffd5511830a05
SHA1 hash:
4561636185c60ec9b85cb4dafc9935e49880737a
Detections:
MAL_NET_LimeCrypter_RunPE_Jan24 INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
SHA256 hash:
4fec95956088ca7dd2a5ff7f78d700e6a295cb3b5d1b4ac501b3b4055387b1dc
MD5 hash:
01183343f06cc6c92b270d6868b429c7
SHA1 hash:
c90b4e3d7355ce3b961f88a9c43ff75373300e91
SHA256 hash:
54baff58e54c3c0d3ad5254cd3c5efbc0a4fcc1e2c0038452046654e91e36edd
MD5 hash:
de3c64f69cbe60d90f694766db06805b
SHA1 hash:
82baec8ca2125edc431b62d1bc99ac2d70c4f5c0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by:
MD5 c1a1cad5d0411d29cd7189ca93b32a74 (CoinMiner)
Sample:
Executable exe f4cc83df502e52e7bf58de1f498cc5f5c657eacdc1aebfeaae97258d23726b26 (this sample)
Delivery method:
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |

Comments