MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f63b84859dc990b65e8eb8ee028a3b70ee03e9a3928fced6cea738ba7ef27a82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f63b84859dc990b65e8eb8ee028a3b70ee03e9a3928fced6cea738ba7ef27a82
SHA3-384 hash: 2b94b214da405e868a278f569331cb48a1fb620296e7601584b62bb32797a19f18894644ab569d41214aad8274c93c07
SHA1 hash: 6a121e8ba1dad1123168b44d3ff27d275ec65585
MD5 hash: 4f1902241625b482c3c6f1a0f191c0e3
humanhash: sad-finch-ohio-november
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'254'680 bytes
First seen:2022-12-03 13:13:37 UTC
Last seen:2022-12-03 14:31:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9b6957b51d10876438e42f4d1647ce9 (1 x CoinMiner)
ssdeep 24576:H5jFUhB1HVo1XVgWCd3l1vijZVp8RmL++ssS:ZjFUhHe1XVDQDviVVuRK+cS
Threatray 3'238 similar samples on MalwareBazaar
TLSH T18445D081F5C9B165F0A36DF14BA6C3734A27BCF4A6D106172B64321F6A749068A3733E
File icon (PE):PE icon
dhash icon f1e8ccd57dcdf070 (1 x CoinMiner, 1 x LimeRAT)
Reporter andretavare5
Tags:CoinMiner exe signed

Code Signing Certificate

Organisation:Acer Nitro 5 AN517-52 [AN517-52-77M3]
Issuer:Acer Nitro 5 AN517-52 [AN517-52-77M3]
Algorithm:sha1WithRSAEncryption
Valid from:2022-12-02T14:23:13Z
Valid to:2032-12-03T14:23:13Z
Serial number: 37785678a4cab2a84892d2fdfcdbc862
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: befe78cd7f3219fb3b23ba5aa883ffc41fb4bf3ff7807a745d1bfdc99fac829a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://gobesitysurgery.com/svcrun.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-12-03 13:14:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e208de7c-e472-4d1b-ba68-7d8c293d2a29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342261/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.4616.18997.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Launching a process
Creating a file
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process from a recently created file
Sending a custom TCP request
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed regedit.exe shell32.dll
Link:
https://www.filescan.io/uploads/638b4b9e04e0e79bdf408bff/reports/5fba9631-9259-4407-88e3-c2ba5d417781/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7f31cccc-c42f-456e-99ef-96d4d4c0e2e3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1127080
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to detect virtual machines (IN, VMware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 759804 Sample: file.exe Startdate: 03/12/2022 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 PE file has nameless sections 2->44 46 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->46 7 file.exe 5 2->7         started        process3 file4 28 C:\ProgramData\github\PBBNAXU.exe, MS-DOS 7->28 dropped 30 C:\Users\user\AppData\Local\...\file.exe.log, CSV 7->30 dropped 48 Detected unpacking (changes PE section rights) 7->48 50 Detected unpacking (overwrites its own PE header) 7->50 52 Sets debug register (to hijack the execution of another thread) 7->52 54 2 other signatures 7->54 11 cmd.exe 1 7->11         started        13 powershell.exe 17 7->13         started        15 powershell.exe 20 7->15         started        signatures5 process6 process7 17 PBBNAXU.exe 11->17         started        20 conhost.exe 11->20         started        22 timeout.exe 1 11->22         started        24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        signatures8 32 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->32 34 Contains functionality to detect virtual machines (IN, VMware) 17->34 36 Contains functionality to detect hardware virtualization (CPUID execution measurement) 17->36 38 Tries to evade debugger and weak emulator (self modifying code) 17->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f63b84859dc990b65e8eb8ee028a3b70ee03e9a3928fced6cea738ba7ef27a82/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-12-03 13:14:14 UTC
File Type:
PE+ (Exe)
Extracted files:
114
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6y5yjbm5zgilmxuoxdxafcr3odxah2ndskh45vwou44lu7xspkba._file
Verdict:
malicious
Similar samples:
42cd55c0f021f25893be2d9ccd6225e8ecef534270169ee1e67f4038d269b4bc
CoinMiner
4b832681660bd5727a36443544b83d5a69ccc47143220f7b3ea924b81bfe2fc4
CoinMiner
4c0ad114c1c1e3c228f7c8d892c620dc5b2c9b77fe134f9ae2ead6804b9adf34
CoinMiner
532d8d05263ecb3453da330b6213c9d5cb1f1eb5db77b40664c7ec722b9f9475
CoinMiner
533be061fa24c8041cdf7bd850a18090f02e9d96016a954dd4373860106cad40
CoinMiner
5a6f5d425060a2bfc152e1c2673991151e8863354deb3c4febd60ce42a80f35e
CoinMiner
6fa9af2985ae51764b5821c16287abcb1e02f8e184d50383f5615c687cb00d22
CoinMiner
7bd34b7923a17098175c99070569b5a49e8dea6921edcbce273ec7f59e8ab9d1
CoinMiner
b779c297559ce41a69678ec7286cebeb0bb99ebabd503f8ddcd0d889e7dee334
CoinMiner
d151ac7349eeddb2e769ffd33665c627fb1ec57004ac42927562b081d1c5de5b
CoinMiner
+ 3'228 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221203-qgm3qada23/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3ed5cf00-1c02-4d63-8f29-868a00c2ee7c
Unpacked files
SH256 hash:
f63b84859dc990b65e8eb8ee028a3b70ee03e9a3928fced6cea738ba7ef27a82
MD5 hash:
4f1902241625b482c3c6f1a0f191c0e3
SHA1 hash:
6a121e8ba1dad1123168b44d3ff27d275ec65585
Link:
https://www.unpac.me/results/6c79bb46-f44e-43ea-8a55-2c057d44cf59/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f63b84859dc9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/f63b84859dc990b65e8eb8ee028a3b70ee03e9a3928fced6cea738ba7ef27a82

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2441526/
Cape
Cape
https://www.capesandbox.com/analysis/342261/

Comments