MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4836bae2f9cdf49ec6d34cd1b85aee2a16de879e29ff172c45c26acc6f5721af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 14



SHA256 hash: 4836bae2f9cdf49ec6d34cd1b85aee2a16de879e29ff172c45c26acc6f5721af
SHA3-384 hash: d7f82134043ba57aed72dd3dc44fee26075604330737261d64929746caea2118a18c0e3384f1bf7bdd7ff7070851246c
SHA1 hash: 2147c54b1cf927951914d453b8bc42f462a9bd42
MD5 hash: f3f3782ee06fa1f34a44915ef00e8b94
humanhash: leopard-pennsylvania-eighteen-nebraska
File name:Loader.exe
Signature CoinMiner
File size:5'004'800 bytes
First seen:2025-10-16 08:22:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 47 x PureHVNC, 28 x RedLineStealer)
ssdeep 98304:tTLLCO2f+nO5LwAYy3tPFbGLbO24MqQTvU65U6QZswhHaq4NNyq:tTR245iRwG2jDvU6q6QZzxm
TLSH T1F03633C739984C2AEACE83B646BD9399D96517420EC8850B6DF73C6CEF0C53C9D12692
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:CoinMiner exe UmbralStealer
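The imphash above is shared with 53 Stealc, 47 PureHVNC and 28 RedLineStealer samples, which is the normal result for a packed binary (Themida and UPX are both flagged further down): imphash is the MD5 of the canonicalised import table, and a packer or loader stub exposes only its own imports, so every sample wrapped by the same stub gets the same value whatever payload it carries. It is therefore a pivot to the packer, not to the family. The following example is added here and is not code from MalwareBazaar or from the sample; it reimplements that canonicalisation over constructed import tables (all DLL and function names below are illustrative, not parsed from this file) and shows what the hash does and does not distinguish.

```python
import hashlib

# Constructed import table of a hypothetical packer/loader stub: the only
# imports a packed sample exposes, whatever payload sits inside. Not parsed
# from the sample on this page.
STUB_IMPORTS = [
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("USER32.dll", "MessageBoxA"),
    ("COMCTL32.dll", 17),  # import by ordinal only; no name in the table
]
SAMPLE_A = STUB_IMPORTS                                   # hypothetical family A under the stub
SAMPLE_B = list(STUB_IMPORTS)                             # hypothetical family B under the same stub
SAMPLE_REORDERED = STUB_IMPORTS[1:] + STUB_IMPORTS[:1]    # same imports, different order


def normalise(dll, func):
    """Canonicalise one import the way imphash does: lower-case, drop a
    .dll/.ocx/.sys extension, render ordinal-only imports as ordN.
    The ws2_32/oleaut32 ordinal-to-name tables that pefile additionally
    consults are omitted here (simplification; COMCTL32 is not in them)."""
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        lib = base
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"


def canonical_string(imports):
    """The exact string imphash feeds to MD5: entries joined by commas, in table order."""
    return ",".join(normalise(dll, func) for dll, func in imports)


def imphash(imports):
    return hashlib.md5(canonical_string(imports).encode()).hexdigest()


def compare():
    """Show what imphash does and does not distinguish."""
    return {
        "same_stub_different_family": imphash(SAMPLE_A) == imphash(SAMPLE_B),
        "same_imports_reordered": imphash(SAMPLE_A) == imphash(SAMPLE_REORDERED),
        "one_extra_import": imphash(SAMPLE_A)
        == imphash(SAMPLE_A + [("ADVAPI32.dll", "OpenSCManagerW")]),
    }


if __name__ == "__main__":
    print(canonical_string(SAMPLE_A))
    print(imphash(SAMPLE_A))
    print(compare())
```

Two samples with an identical stub collide (the cross-family overlap reported above), while reordering the table or adding one import gives an unrelated hash, so imphash is order-sensitive and only as specific as the visible import table. Pivot on it together with ssdeep/TLSH and the unpacked payload rather than on its own.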

Intelligence


File Origin
# of uploads :
1
# of downloads :
94
Origin country :
DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Loader.exe
Verdict:
Malicious activity
Analysis date:
2025-10-16 08:21:01 UTC
Tags:
evasion discord exfiltration stealer miner pastebin umbralstealer anti-evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
autorun packed virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Creating a service
Launching a service
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Creating a process with a hidden window
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packer_detected themidawinlicense
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-16T05:36:00Z UTC
Last seen:
2025-10-16T18:52:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Miner.sb Trojan.Win32.Agent.rnd PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Agent.sb Trojan-PSW.MSIL.Umbral.sb Trojan.Win32.Staser.eyar not-a-virus:RiskTool.Win64.XMRigMiner.a RiskTool.Miner.UDP.C&C VHO:Trojan-Downloader.MSIL.Convagent.gen Trojan-PSW.MSIL.Umbral.hj Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.DiscoStealer.sb VHO:Trojan-PSW.MSIL.Convagent.gen Trojan-PSW.MSIL.Umbral.hk Trojan.Win32.Agent.sba VHO:Trojan-PSW.Win32.Convagent.gen Trojan-PSW.Win32.Xploder.sb Trojan-PSW.Win32.Disco.sb Trojan.Win32.Dizemp.sb NetTool.DiscoGetMe.HTTP.C&C
Result
Threat name:
Blank Grabber, Umbral Stealer, Xmrig
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Hijacks the control flow in another process
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Stop EventLog
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
Uses powercfg.exe to modify the power settings
Yara detected Blank Grabber
Yara detected Umbral Stealer
Yara detected Xmrig cryptocurrency miner
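The Sigma titles in the signature list above (Disable power options, Powershell Base64 Encoded MpPreference Cmdlet, Powershell Defender Disable Scan Feature, Stop EventLog, Suspicious Script Execution From Temp Folder) and the attrib.exe/powercfg.exe behaviours all describe process-creation patterns that can be matched from endpoint telemetry, not only in a sandbox. The following example is added here and is not the page's code nor any sandbox vendor's rule set: it runs equivalent checks over constructed Sysmon-style process-creation events. Every path, file name, command line and rule body is an assumption written to mirror the reported behaviours; the one technical detail to get right is that -EncodedCommand carries UTF-16LE text in base64, so the script has to be decoded before the cmdlet names can be seen.

```python
import base64
import re


def _enc(script):
    """Encode a script the way powershell -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed Sysmon Event ID 1 style events (not telemetry from the page).
# The command lines imitate behaviours the sandboxes report above; every
# path, file name and argument here is invented for the example.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                    + _enc(r"Add-MpPreference -ExclusionPath 'C:\ProgramData'")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /x -standby-timeout-ac 0"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop eventlog"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\tmpA1B2.bat"'},
    {"Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib +h +s C:\ProgramData\Microsoft\CTDBV.scr"},
    {"Image": r"C:\Windows\System32\notepad.exe",   # benign control event
     "CommandLine": "notepad.exe readme.txt"},
]

# -e, -ec, -en, -enc and -EncodedCommand are all accepted by powershell.exe.
ENC_FLAG = re.compile(r"(?i)\s-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{20,})")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _image_is(ev, name):
    return ev["Image"].lower().endswith("\\" + name)


# (rule title as reported above, predicate over (event, decoded script or None))
RULES = [
    ("Powershell Base64 Encoded MpPreference Cmdlet",
     lambda ev, dec: dec is not None
     and re.search(r"(?i)\b(add|set)-mppreference\b", dec) is not None),
    ("Powershell Defender Disable Scan Feature",
     lambda ev, dec: re.search(r"(?i)set-mppreference.*\s-disable\w+",
                               (dec or "") + " " + ev["CommandLine"]) is not None),
    ("Disable power options",
     lambda ev, dec: _image_is(ev, "powercfg.exe")
     and re.search(r"(?i)[-/](change|x)\b.*(standby|hibernate|monitor|disk)-timeout",
                   ev["CommandLine"]) is not None),
    ("Stop EventLog",
     lambda ev, dec: re.search(r"(?i)^(\S*\\)?(sc|net)(\.exe)?\s+stop\s+eventlog\b",
                               ev["CommandLine"]) is not None),
    ("Suspicious Script Execution From Temp Folder",
     lambda ev, dec: re.search(r"(?i)\\(appdata\\local\\temp|windows\\temp)\\[^\"\s]+\.(bat|cmd|ps1|vbs|js)\b",
                               ev["CommandLine"]) is not None),
    ("Uses attrib.exe to hide files",
     lambda ev, dec: _image_is(ev, "attrib.exe")
     and re.search(r"\+[hs]\b", ev["CommandLine"]) is not None),
]


def scan(events):
    """Return (event index, rule title) for every rule that fires on every event."""
    hits = []
    for i, ev in enumerate(events):
        dec = decode_encoded_command(ev["CommandLine"])
        for title, pred in RULES:
            if pred(ev, dec):
                hits.append((i, title))
    return hits


if __name__ == "__main__":
    for i, title in scan(EVENTS):
        print(f"event {i}: {title}")
```

The first rule only fires on the decoded script, which is the point of the "Base64 Encoded" Sigma title: a rule that greps the raw command line for MpPreference never sees it. Each of the six constructed malicious events triggers exactly one rule and the benign notepad event triggers none.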
Behaviour
Behavior Graph:
Behavior Graph ID: 1796365
Sample: Loader.exe
Start date: 16/10/2025
Architecture: WINDOWS
Score: 100
Contacted domains / IPs: pastebin.com, pool.hashvault.pro, 3 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); Connects to a pastebin service (likely for C&C), via pastebin.com; 19 other signatures

Process tree (network destinations, dropped files and signatures per process; remote ports given, local ports omitted):
Loader.exe (started from the sample)
  Network: gitlab.com 172.65.251.78:443 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\Local\Temp\cheat.exe (PE32); C:\Users\user\AppData\Local\...\bypasser.exe (PE32+); C:\Users\user\AppData\...\Loader.exe.log (CSV)
  Signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Hides threads from debuggers; 3 other signatures
  cheat.exe
    Network: ip-api.com 208.95.112.1:80 (TUT-ASUS, United States); discord.com 162.159.136.232:443 (CLOUDFLARENETUS, United States)
    Dropped: C:\ProgramData\Microsoft\...\CTDBV.scr (PE32); C:\Users\user\AppData\Local\...\cheat.exe.log (ASCII)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 11 other signatures
    cmd.exe
      Signatures: Uses ping.exe to check the status of other devices and networks
      2 other processes
    powershell.exe
      conhost.exe
    9 other processes
      conhost.exe
      8 other processes
  bypasser.exe
    Dropped: C:\ProgramData\...\tc5e4ek38kh4.exe (PE32+)
    Signatures: Query firmware table information (likely to detect VMs); Uses powercfg.exe to modify the power settings; Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate
    powershell.exe
      Signatures: Loading BitLocker PowerShell Module
      conhost.exe
    cmd.exe
      conhost.exe
      wusa.exe
    13 other processes
      conhost.exe
      13 other processes
  conhost.exe
tc5e4ek38kh4.exe (started from the sample; the file dropped by bypasser.exe)
  Dropped: C:\Windows\Temp\ewhfyqrhqwxw.sys (PE32+)
  Signatures: Multi AV Scanner detection for dropped file; Hijacks the control flow in another process; Tries to detect sandboxes and other dynamic analysis tools (window names); 4 other signatures
  powershell.exe
    Signatures: Loading BitLocker PowerShell Module
    conhost.exe
  dwm.exe
    Network: pool.hashvault.pro 216.219.85.122:443 (IS-AS-1US, United States); pastebin.com 172.66.171.73:443 (CLOUDFLARENETUS, United States); 104.251.123.89:443 (1GSERVERSUS, United States)
  cmd.exe
    2 other processes
  10 other processes
    9 other processes
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2025-10-16 08:22:34 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:umbral family:xmrig defense_evasion discovery execution miner persistence spyware stealer themida trojan upx
Behaviour
Detects videocard installed
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Power Settings
Checks BIOS information in registry
Checks computer location settings
Creates new service(s)
Disables automatic submission of suspicious files to Microsoft by Windows Defender
Executes dropped EXE
Reads user/profile data of web browsers
Stops running service(s)
Themida packer
Command and Scripting Interpreter: PowerShell
Disables one or more Microsoft Defender components
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Detects Umbral payload
Umbral
Umbral family
Xmrig family
xmrig
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1427743406863679569/hLCDYDCHNZUWCjL-zXW8URDpd2uw5mUrqLR7utdIoMvaskMgdzVlJvBujZ4cuAvXZi5g
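The extracted C2 is a Discord webhook, the exfiltration channel the Umbral/Blank Grabber family of stealers uses: the stolen data is POSTed to the webhook and appears in the operator's channel. The following example is added here and is not MalwareBazaar's extractor. It pulls webhook URLs out of a constructed string dump, splits each into webhook id and token, and derives the webhook's creation time from the id using Discord's documented snowflake layout (milliseconds since 2015-01-01T00:00:00Z in bits 22 and up). Only the URL itself is taken from this page; the surrounding strings in the dump are invented filler.

```python
import re
from datetime import datetime, timezone

# Discord snowflake layout (documented by Discord): bits 22..63 hold
# milliseconds since 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1420070400000

# Webhook URL shape: numeric snowflake id, then a long URL-safe token.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{60,})"
)

# Constructed strings(1)-style dump. Only the webhook URL is the one reported
# on this page; the other lines are invented filler.
SAMPLE_STRINGS = """\
System.Net.Http.HttpClient
C:\\Users\\%USERNAME%\\AppData\\Roaming
https://discord.com/api/webhooks/1427743406863679569/hLCDYDCHNZUWCjL-zXW8URDpd2uw5mUrqLR7utdIoMvaskMgdzVlJvBujZ4cuAvXZi5g
http://ip-api.com/json
Login Data
"""


def extract_webhooks(blob):
    """Return (url, webhook_id, token) for every Discord webhook URL in blob."""
    return [(m.group(0), int(m.group(1)), m.group(2)) for m in WEBHOOK_RE.finditer(blob)]


def snowflake_time(snowflake):
    """UTC creation time encoded in a Discord snowflake id."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def defang(url):
    """Render a URL non-clickable for sharing in reports."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def webhook_iocs(blob):
    """Turn every webhook found in blob into a report-ready IOC record."""
    return [
        {
            "url": url,
            "defanged": defang(url),
            "webhook_id": wid,
            "token": token,
            "created_utc": snowflake_time(wid).strftime("%Y-%m-%dT%H:%M:%SZ"),
        }
        for url, wid, token in extract_webhooks(blob)
    ]


if __name__ == "__main__":
    for ioc in webhook_iocs(SAMPLE_STRINGS):
        print(ioc["defanged"], ioc["created_utc"])
```

For the id on this page the snowflake resolves to 2025-10-14 UTC, about a day and a half before the sample was first seen, which is a useful timeline anchor when the binary itself is packed. The token is what authorises posting to the webhook, so the full URL should be handled as a credential in reports, which is also why the record carries a defanged copy.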
Unpacked files
SHA256 hash:
4836bae2f9cdf49ec6d34cd1b85aee2a16de879e29ff172c45c26acc6f5721af
MD5 hash:
f3f3782ee06fa1f34a44915ef00e8b94
SHA1 hash:
2147c54b1cf927951914d453b8bc42f462a9bd42
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:NET
Author:malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments