MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 feb1cc6e909be612e822cc7b40b1c2b262836020c719e25ea5a0152b4de87829. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: feb1cc6e909be612e822cc7b40b1c2b262836020c719e25ea5a0152b4de87829
SHA3-384 hash: b598a38ec83dc7d1274ce6b4474763666ed131a1472b08b0dcdca1556be85cdda24836ca576183aba3987f7fdf91de7a
SHA1 hash: 94a703c5bd49f55ab478a209ba973bb485f49da8
MD5 hash: 9f73f9a7e915cbf0edbbbb5183283561
humanhash: batman-yankee-seventeen-south
File name:9f73f9a7e915cbf0edbbbb5183283561.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'833'696 bytes
First seen:2023-10-02 16:28:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0fdd3d21d2193b717f076a70dfaa659c (14 x CoinMiner)
ssdeep 98304:gLijaKrBeEVzoTU/W9sKuPqer/A6dfR7lKZPbFc22z53vRq8gAeySXY5:cijVYUsU/WiKuPvdfR7A2dZuAey2U
Threatray 87 similar samples on MalwareBazaar
TLSH T1E246D007DA745A5DCC116AB64D1C74E69DB7E935B92E2EE805EE3CE0ADFCCA10A34C10
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0f89a9a9adcf830 (5 x AsyncRAT, 2 x DCRat, 2 x CoinMiner)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9f73f9a7e915cbf0edbbbb5183283561.exe
Verdict:
Malicious activity
Analysis date:
2023-10-02 18:49:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/744e5426-9bce-4767-ade5-c2a8f65d22ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/452677/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Searching for synchronization primitives
Setting browser functions hooks
Сreating synchronization primitives
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug overlay packed rozena
Link:
https://www.filescan.io/uploads/651aefd08a37001eb1d89b2a/reports/284d7457-1108-49eb-a105-6feebec317a7/overview
Verdict:
Malicious
Labled as:
Win64/Rozena.XN trojan
Link:
https://www.hybrid-analysis.com/sample/feb1cc6e909be612e822cc7b40b1c2b262836020c719e25ea5a0152b4de87829
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d780f754-5810-4c87-aeb3-748d685e9a08
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318104
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Sigma detected: Stop multiple services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1318104 Sample: PCjhei1nW5.exe Startdate: 02/10/2023 Architecture: WINDOWS Score: 100 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for dropped file 2->72 74 Antivirus / Scanner detection for submitted sample 2->74 76 7 other signatures 2->76 9 PCjhei1nW5.exe 4 2->9         started        13 MpNsEng.exe 5 2->13         started        15 powershell.exe 2->15         started        17 5 other processes 2->17 process3 file4 60 C:\Users\user\AppData\...\rigkkncdtkcy.tmp, PE32+ 9->60 dropped 62 C:\Program Files\...\MpNsEng.exe, PE32+ 9->62 dropped 98 Self deletion via cmd or bat file 9->98 100 Writes to foreign memory regions 9->100 102 Modifies the context of a thread in another process (thread injection) 9->102 104 Found hidden mapped module (file has been removed from disk) 9->104 19 dialer.exe 1 9->19         started        64 C:\Windows\Temp\skfztapqsibd.sys, PE32+ 13->64 dropped 66 C:\Windows\Temp\rigkkncdtkcy.tmp, PE32+ 13->66 dropped 106 Protects its processes via BreakOnTermination flag 13->106 108 Adds a directory exclusion to Windows Defender 13->108 110 Maps a DLL or memory area into another process 13->110 112 Sample is not signed and drops a device driver 13->112 22 dialer.exe 13->22         started        24 dialer.exe 13->24         started        27 dialer.exe 13->27         started        114 Creates files in the system32 config directory 15->114 29 conhost.exe 15->29         started        31 conhost.exe 17->31         started        33 conhost.exe 17->33         started        35 conhost.exe 17->35         started        37 12 other processes 17->37 signatures5 process6 dnsIp7 78 Performs DNS queries to domains with low reputation 19->78 80 Contains functionality to inject code into remote processes 19->80 82 Writes to foreign memory regions 19->82 92 2 other signatures 19->92 39 lsass.exe 19->39 injected 42 dwm.exe 19->42 injected 44 winlogon.exe 19->44 injected 52 4 other processes 19->52 84 Injects code into the Windows Explorer (explorer.exe) 22->84 86 Allocates memory in foreign processes 22->86 88 Creates a thread in another existing process (thread injection) 22->88 46 svchost.exe 22->46 injected 48 svchost.exe 22->48 injected 50 svchost.exe 22->50 injected 54 7 other processes 22->54 68 mysticpulse.xyz 199.91.100.75, 49795, 49796, 49813 RA-N002US Virgin Islands (BRITISH) 24->68 90 Query firmware table information (likely to detect VMs) 24->90 signatures8 process9 signatures10 94 Uses schtasks.exe or at.exe to add and modify task schedules 39->94 96 Writes to foreign memory regions 39->96 56 schtasks.exe 1 39->56         started        process11 process12 58 conhost.exe 56->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/feb1cc6e909be612e822cc7b40b1c2b262836020c719e25ea5a0152b4de87829/
Threat name:
Win64.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 16:29:07 UTC
File Type:
PE+ (Exe)
Extracted files:
24
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=72y4y3uqtptbf2bczr5ubmocwjrigybay4m6exvfuakswtpipauq._file
Verdict:
malicious
Similar samples:
1f479a220e41be1c22092d76400565d0f7d8e890d1069a2f8bbdc5f697d9808f
CoinMiner
3761032e760a2bcc61854a0c7cf22e8e991af0ed60fac92b981853eadda00d1a
CoinMiner
3e8c625c24615c02438b4d0dac88772792b86e715d02df78e30a15e85a08b972
CoinMiner
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
CoinMiner
6b6343ca74fe0cd2fe964efa64e2fb80159b239e6253f04e280031d257f5571f
CoinMiner
6fa605c719933e2bdd8cde82c00b62753086b62027206f2d787daae772a21736
CoinMiner
9084423577dca12435f58eaaec583e8362cad6d25430c8d91ab185f11cff9364
CoinMiner
ce7a9a4a88a1a9f154bb4e0650864933d87fd75bef94ec000faf24f75d0a308f
CoinMiner
e15b16fc5ba3994d5576aeb0581adb3bec21dae0ce15904aa93bf26d66e9669d
CoinMiner
fdbb6e0a160bc94da37c53e26298f29cce2b834f1e24a8ad3dd3f8f176823fc2
CoinMiner
+ 77 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion
Link:
https://tria.ge/reports/231002-ty8brscf6y/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Deletes itself
Executes dropped EXE
Stops running service(s)
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
feb1cc6e909be612e822cc7b40b1c2b262836020c719e25ea5a0152b4de87829
MD5 hash:
9f73f9a7e915cbf0edbbbb5183283561
SHA1 hash:
94a703c5bd49f55ab478a209ba973bb485f49da8
Link:
https://www.unpac.me/results/24aee312-4379-4239-9c12-dbbe241a6789/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/feb1cc6e909b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/feb1cc6e909be612e822cc7b40b1c2b262836020c719e25ea5a0152b4de87829

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/452677/

Comments