MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 17


Intelligence 17 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea
SHA3-384 hash: 96f8e4bb4cd168cef17bd9a3eaebf19ecd55d4a1781966d0ad316174fb98988d1583f48588979f4a58d2f8aaef8ed8e4
SHA1 hash: 47105f8f0446123a65a0baa7c03b2d1d9d5e9101
MD5 hash: b47b9c16e1be0affaa297628ec89956a
humanhash: beryllium-beryllium-hamper-red
File name:adobe pack.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'990'793 bytes
First seen:2025-07-27 22:39:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b1c5b1beabd90d9fdabd1df0779ea832 (11 x CoinMiner, 10 x QuasarRAT, 8 x AsyncRAT)
ssdeep 98304:+gTzzP3VUYDY5oWAXQ28DzJsCYzBIresilUMgfs9:+gTzzP3VDDY5oTQtDzJpymresilpH
Threatray 344 similar samples on MalwareBazaar
TLSH T175062209E6F405E9E1B3E27899638907F77B7C4903718B8F17AD462A1F673908E3A711
TrID 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 45a8dcd4ccc47a45 (1 x AsyncRAT, 1 x CoinMiner)
Reporter aachum
Tags:BRA CoinMiner exe


Avatar
iamaachum
https://www.youtube.com/watch?v=1-hghRIpdc0 => https://sites.google.com/view/adobe-2025/in%C3%ADcio => https://www.mediafire.com/file/0sfn68apr9j3y10/Adobe_Media_Encoder_2024.rar/file

Intelligence

File Origin
# of uploads :
1
# of downloads :
45
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
adobe pack.exe
Verdict:
Malicious activity
Analysis date:
2025-07-27 22:42:01 UTC
Tags:
auto-sch auto-startup auto-sch-xml auto mirai botnet
Link:
https://app.any.run/tasks/6fae5a2b-360f-411b-9347-a374393b3237

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17233/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6886aae80b4775fb21324ea5
Tags:
autorun xmrig madi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a recently created file
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Running batch commands
Deleting volume shadow copies
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt fingerprint microsoft_visual_cc obfuscated overlay packed packer_detected powershell xmrig
Link:
https://www.filescan.io/uploads/6886aafec79df08ef0965c1a/reports/9046488d-abc2-47d1-833e-bdf5d8818e05/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/97f82018-8a2e-4024-b0aa-3140e9ed4ac6
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1745247
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Command shell drops VBS files
Deletes shadow drive data (may be related to ransomware)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Sigma detected: Script Initiated Connection to Non-Local Network
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Wscript starts Powershell (via cmd or directly)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1745247 Sample: adobe pack.exe Startdate: 28/07/2025 Architecture: WINDOWS Score: 100 82 testandoservidor369.com.br 2->82 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus detection for dropped file 2->88 90 Multi AV Scanner detection for dropped file 2->90 92 7 other signatures 2->92 10 adobe pack.exe 3 32 2->10         started        14 wscript.exe 12 2->14         started        17 wscript.exe 2->17         started        19 wscript.exe 2->19         started        signatures3 process4 dnsIp5 64 C:\Dumper\ntrights.exe, PE32 10->64 dropped 66 C:\Dumper\mouse.exe, PE32 10->66 dropped 68 C:\Dumper\gtservices.exe, PE32+ 10->68 dropped 70 7 other malicious files 10->70 dropped 104 Found strings related to Crypto-Mining 10->104 106 Deletes shadow drive data (may be related to ransomware) 10->106 108 Sample is not signed and drops a device driver 10->108 21 wscript.exe 1 10->21         started        24 wscript.exe 3 10->24         started        84 testandoservidor369.com.br 89.116.115.65, 443, 49715 LRTC-ASLT Lithuania 14->84 110 System process connects to network (likely due to code injection or exploit) 14->110 112 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->112 114 Wscript starts Powershell (via cmd or directly) 17->114 26 cmd.exe 17->26         started        file6 signatures7 process8 signatures9 94 Wscript starts Powershell (via cmd or directly) 21->94 96 Windows Scripting host queries suspicious COM object (likely to drop second stage) 21->96 98 Suspicious execution chain found 21->98 100 Writes or reads registry keys via WMI 21->100 28 cmd.exe 17 21->28         started        32 cmd.exe 26->32         started        34 cmd.exe 26->34         started        36 cmd.exe 26->36         started        38 2 other processes 26->38 process10 file11 72 C:\update\7zxa.dll, PE32 28->72 dropped 74 C:\update\7za.exe, PE32 28->74 dropped 76 C:\update\7za.dll, PE32 28->76 dropped 78 9 other malicious files 28->78 dropped 116 Wscript starts Powershell (via cmd or directly) 28->116 118 Uses ping.exe to sleep 28->118 120 Command shell drops VBS files 28->120 122 6 other signatures 28->122 40 powershell.exe 23 28->40         started        43 cmd.exe 28->43         started        45 conhost.exe 28->45         started        56 18 other processes 28->56 47 csc.exe 32->47         started        50 mouse.exe 32->50         started        52 tasklist.exe 34->52         started        54 mouse.exe 36->54         started        signatures12 process13 file14 102 Loading BitLocker PowerShell Module 40->102 58 WMIC.exe 43->58         started        60 find.exe 43->60         started        80 C:80etframework.4.5.2\mouse.exe, PE32 47->80 dropped 62 cvtres.exe 47->62         started        signatures15 process16
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/b47b9c16e1be0affaa297628ec89956a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea/
Verdict:
Malicious
Threat:
HEUR:RiskTool.Win32.BitCoinMiner
Link:
https://tip.neiki.dev/file/67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-02-01 14:54:37 UTC
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m67w2csn4f7xtxqti63vzhi26migisfiayjsz5ilhdbmrkqz3dva._file
Verdict:
malicious
Label(s):
xmrig
Create hunting rule
Similar samples:
2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132
CoinMiner
2eb2e70b013a1cf44eb95fb0354f8d77bd29a0f1b260c246a1816b509bb827b2
CoinMiner
67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea
CoinMiner
b8b32e5072b3ea2a43f3cd918137a554fc4298bd5e13acd6ce78acd2db95585a
CoinMiner
ca912d6c76152192dd0e1ce436ff328ae29973b912919cbb398dc7efd412ecfe
CoinMiner
error
CoinMiner
+ 334 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion discovery execution impact miner persistence ransomware
Link:
https://tria.ge/reports/250727-2lsdsasyby/
Behaviour
Interacts with shadow copies
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Indicator Removal: File Deletion
Power Settings
Checks computer location settings
Drops startup file
Executes dropped EXE
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Deletes shadow copies
XMRig Miner payload
Xmrig family
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/50ad8fe9-f862-441c-b828-4e31bdd8d3ed
Unpacked files
SH256 hash:
67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea
MD5 hash:
b47b9c16e1be0affaa297628ec89956a
SHA1 hash:
47105f8f0446123a65a0baa7c03b2d1d9d5e9101
Link:
https://www.unpac.me/results/f932b9e0-815f-4f28-9215-b839c21a10be/
SH256 hash:
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
MD5 hash:
0c0195c48b6b8582fa6f6373032118da
SHA1 hash:
d25340ae8e92a6d29f599fef426a2bc1b5217299
Detections:
PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD
Create hunting rule
Link:
https://www.unpac.me/results/f932b9e0-815f-4f28-9215-b839c21a10be/
Parent samples :
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8
40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779
e6da05c053763230ec6ba48cb976d43f184604d9262799eadb0c27ef2e839ec6
e14d20d5a80507197245fc2b53eefc6c5b9de9a422857b376434f7dd03533bc0
01a976b80253450a09d0b89075f5fa923a3411265f7bc8f3413d059fd662aa83
f49dd9baed6ec113ad16bcd07e50ab5dc1ca98ef4797712cbf3f2f5463a16d41
22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184
21690a716f4d4f3af3ad00504dfd41ef4d11a5663ff96c3365838896ffcaedd7
c7eaff9d735d8eef42c73be4c093f7b31cf7d0df18c98d135eb915c13409d077
235c665b25c1e78fed3ca96e57c374e5a416aad1d27b4ae436a1c6c58604268b
c8a83c6c8f797e36eb7a5edf0e5f85a8d985895c82932422b95bf628f4106dfb
ed3ce2006fbfa402977bb026324637b905c5cc8228254b88037d3f68152463d3
a7a9d6a874f65ea3689930a2af208a025fee0a3dc1ad5cb9c964cbadd2cacf1f
67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea
254a713d3ec2852b6657ecb8840efd2662e048ace42c2b4e0b30c589cdb9f8cb
6353b1218561a746bb3e009b611a1945bc2367b4d3ffef7849d4af4d369f184c
4f85b6d87dcc12f7904f95f3716b18930c63cb18bd624c1abcbdd9181ba4efc2
e93433169e2ec088a21ee58ae3e780f68215eb75dcd31b83d1fa31d6c16145e5
SH256 hash:
3c0dab67b9465868d4b87a7d77f8e2f72189f6891a90116ad861062ef551d80d
MD5 hash:
51d03af73a860e3b0bb29a0b918c9017
SHA1 hash:
4b3fb788c0785ca95e1868030e138dc282d0f681
Link:
https://www.unpac.me/results/f932b9e0-815f-4f28-9215-b839c21a10be/
SH256 hash:
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb
MD5 hash:
cb166d49ce846727ed70134b589b0142
SHA1 hash:
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688
Detections:
XMRig
Create hunting rule
MAL_XMR_Miner_May19_1
Create hunting rule
XMRIG_Monero_Miner
Create hunting rule
MALWARE_Win_CoinMiner02
Create hunting rule
Link:
https://www.unpac.me/results/f932b9e0-815f-4f28-9215-b839c21a10be/
Parent samples :
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb
67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea
SH256 hash:
7fa19d4b2b160ca3f2decde3d7c7d867527c96f3511a9dbecc898cfc14614638
MD5 hash:
97373d38bdd890a2f1224c7d1586db91
SHA1 hash:
013651321c499fa331b0c62b2a981027c5dd112b
Link:
https://www.unpac.me/results/f932b9e0-815f-4f28-9215-b839c21a10be/
SH256 hash:
bd377ba96ff8d3cbaea98190c8a60f32dc9d64dd44eed9aade05d3a74d935701
MD5 hash:
3107caecf7ec7a7ce12d05f9c3ab078f
SHA1 hash:
b72ac571efde591906771b45bed5b7dc568d7b08
Link:
https://www.unpac.me/results/f932b9e0-815f-4f28-9215-b839c21a10be/
SH256 hash:
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
MD5 hash:
43141e85e7c36e31b52b22ab94d5e574
SHA1 hash:
cfd7079a9b268d84b856dc668edbb9ab9ef35312
Link:
https://www.unpac.me/results/f932b9e0-815f-4f28-9215-b839c21a10be/
SH256 hash:
f46baa1b6227226518e42263e9b4808f81c27d060207df160f9ac64deae4f4f5
MD5 hash:
416c43aeb17252ee33048bd1f277d2a5
SHA1 hash:
085deb77551f9f6201e5aa352b62cad91c3005e5
Link:
https://www.unpac.me/results/f932b9e0-815f-4f28-9215-b839c21a10be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 67bf6d0a4de17f79de1347b75c9d1af3106448a806132cf50b38c2c8aa19d8ea

(this sample)

  
Link
https://tria.ge/250727-1xpllaspv9/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/17233/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments