MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f63f90decc7d763f3c5202c7a4c643aeb99fd1d85ca97d64bf77fc1cc733f9f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	f63f90decc7d763f3c5202c7a4c643aeb99fd1d85ca97d64bf77fc1cc733f9f9
SHA3-384 hash:	c294418df05442f59603deaa0610364cbe2d7cacf55528d5cfc46fd278d115e98e4518ea4013452d43b4a49b1e9d683e
SHA1 hash:	2a225333ef5ff94ddd350bd02032e6b0d1de5859
MD5 hash:	c97b49cb79150162f6b00beed5a11d9e
humanhash:	magazine-ceiling-seventeen-tennis
File name:	c97b49cb79150162f6b00beed5a11d9e.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	7'336'893 bytes
First seen:	2022-01-21 10:45:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c5640c7a22008f949f9bc94a27623f95 (3 x RaccoonStealer, 3 x IrisStealer, 2 x CoinMiner)
ssdeep	196608:8w+hvICteEroXxqENE+sKsXXgvkeM7A6ADMCXMND6:sInEroXjsKkXgseu0DYNu
Threatray	9 similar samples on MalwareBazaar
TLSH	T19276330063F808EEF4BBC638C6668221A0B2B46B9755D5DF17BC439A9F975D35E73A00
Reporter	abuse_ch
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

249

Origin country :

n/a

Vendor Threat Intelligence

Detection:

PyInstaller

Link:

https://www.capesandbox.com/analysis/221403/

Detection(s):

SecuriteInfo.com.PyInstaller.13124.17635.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Running batch commands

Creating a process from a recently created file

Searching for the window

Launching a process

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe expand.exe greyware overlay packed

Link:

https://www.filescan.io/uploads/61ea8ef10f8c757253d4840b/reports/3337631a-196f-4754-aafd-21e9470f5a1c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/927ae4d6-3290-4d57-9c8c-75f723bf8d04

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/925122

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f63f90decc7d763f3c5202c7a4c643aeb99fd1d85ca97d64bf77fc1cc733f9f9/

Threat name:

Win64.Trojan.Tedy

Status:

Malicious

First seen:

2022-01-21 00:56:19 UTC

File Type:

PE+ (Exe)

Extracted files:

648

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Verdict:

malicious

CoinMiner

310fae0d844061aeea3d540052c5daadd3ea406b6fcc529b44c7997ac6a09cbb

CoinMiner

36227451bca557ea1488a46b8642d1eebceeeaed14c34e96f216a56321bff60c

CoinMiner

80f4e41827dfe57bd2217eabe487099a2912be536fe4b0aef95b4bbb215c8a2a

CoinMiner

c3cad582268b165711e2f2b1834891c7bcb5e57a7efb1e709e3df19d011ad656

CoinMiner

ffc3d4c2d7568d3d632ba01f05fcb54bb8bc2b73afabc4741999957498011568

CoinMiner

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner pyinstaller suricata

Link:

https://tria.ge/reports/220121-mtzeqschdj/

Behaviour

Delays execution with timeout.exe

Enumerates processes with tasklist

Modifies registry class

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Program crash

Enumerates physical storage devices

Legitimate hosting services abused for malware hosting/C2

Drops startup file

Loads dropped DLL

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

XMRig Miner Payload

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

xmrig

Unpacked files

SH256 hash:

f63f90decc7d763f3c5202c7a4c643aeb99fd1d85ca97d64bf77fc1cc733f9f9

MD5 hash:

c97b49cb79150162f6b00beed5a11d9e

SHA1 hash:

2a225333ef5ff94ddd350bd02032e6b0d1de5859

Link:

https://www.unpac.me/results/190a6efe-368d-4b9c-bcd7-d61cf99798eb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f63f90decc7d763f3c5202c7a4c643aeb99fd1d85ca97d64bf77fc1cc733f9f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.