MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792
SHA3-384 hash: 1fc377c4937e35be74a6e69217c5886b2e09f09b7ed3fc906012e0b3962980b1a87ddcb4523b22bf2ee6b19515bc1c7d
SHA1 hash: 5f6228d21a528db622d6b4b7530f1fdb8a054fde
MD5 hash: f53673aec0316b62ec1960799c371b6f
humanhash: wisconsin-bakerloo-artist-fourteen
File name:SecuriteInfo.com.Variant.Cerbu.136031.1446.27160
Download: download sample
Signature CoinMiner
Create hunting rule
File size:234'496 bytes
First seen:2022-03-23 09:13:30 UTC
Last seen:2022-03-25 07:27:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:fBCTWuKDvbHPQejmuW0ze8W9B5LuzVjNiV7jseQsrRUAfwSchm5D1pWSS:fcWuKDTvj3W0ze8W9B5LuhjNiV7jseQG
Threatray 1'462 similar samples on MalwareBazaar
TLSH T12F34349D726072EFC867D472DEA81DA8EA5034BB931B4203902715EDEE4D89BDF144F2
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/255886/
Detection(s):
SecuriteInfo.com.Variant.Cerbu.136031.1446.27160.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for the window
Searching for synchronization primitives
Searching for the Windows task manager window
Launching a process
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a window
Creating a file
DNS request
Sending an HTTP POST request
Connecting to a cryptocurrency mining pool
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Unauthorized injection to a recently created process
Launching a tool to kill processes
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/623ae4f70cd58dbd92de5732/reports/f921900a-462b-4008-a9a1-46cc24e9b566/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962712
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792/
Threat name:
ByteCode-MSIL.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2022-03-20 18:51:19 UTC
File Type:
PE (.Net Exe)
AV detection:
32 of 42 (76.19%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
02f2ddecb8e2761b0ecc346ec43dc12c05661f938331f6f4cc0b8703a9388224
CoinMiner
0a09519fee9d622a6c619b8195d512bcbf6c96233cd1c5e581a191dc011c3f04
CoinMiner
0f0807cdcb400a718656d3ec845ad57ffef9e25232d50044bb8d7a5d9d2a0a98
CoinMiner
162d0b27db414f15b5ae0870b2a4132b7fad64f8471441541ff153c2aded121a
CoinMiner
2e0aa995df9b6a99e37601b1d7dea6fb85f6c7130980a8c2a275370efb6f0236
CoinMiner
36e08c2df39cd84d8969a95de6a6882fbc954e7ca31a5a5d4be8ec33cfa84649
CoinMiner
392d92c5987f4aeea5e9988e126bd19798c3a63e60917445f67df835c15d598b
CoinMiner
88257609efe5333a543b5f35eabd47c2aa58d0e6101bab14d6d14437524e7728
CoinMiner
914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
CoinMiner
ec86b00b3f187f93e86711f82043af2ec359861bd60497b53998b0a28bc20d3e
CoinMiner
+ 1'452 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/220323-k7jkbsfgan/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
3843beab4f066553912e1c5c3aea7a2a8b11da892f65064c06f446aba7d27a51
MD5 hash:
69fb25dd358c224b385d728d90dba5b1
SHA1 hash:
058a150e0f65efa0af02f4f1ba8878af7a02d745
Link:
https://www.unpac.me/results/2bbe22a9-dacb-4573-958f-3ae7ebf45c5f/
SH256 hash:
f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792
MD5 hash:
f53673aec0316b62ec1960799c371b6f
SHA1 hash:
5f6228d21a528db622d6b4b7530f1fdb8a054fde
Link:
https://www.unpac.me/results/2bbe22a9-dacb-4573-958f-3ae7ebf45c5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2111848/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/255886/

Comments