MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7eb099c5033672c65f8d09e0a0bd0c2f4d74312abfc8c027ec6b5a056ae53efd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7eb099c5033672c65f8d09e0a0bd0c2f4d74312abfc8c027ec6b5a056ae53efd
SHA3-384 hash: 8380e562a81c2782614c25695aaba678f9b31e9006d8cc291df140f6d413bfc188947855bd5124335d4477cf806f9be2
SHA1 hash: 192808d4a1dbf5e446aaf27b806d13121ec3de3b
MD5 hash: 387954c62e678d35c92c357dfc843fa4
humanhash: beer-angel-potato-mountain
File name:42658938061c41ee991c56ac8a8e90c7.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:3'985'651 bytes
First seen:2025-07-27 13:04:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c3cb335494c9b55e70b3c2e35ce0fe5c (2 x CoinMiner)
ssdeep 98304:Mhe2med0+8upI7ntB1PsH30qWlkGKDAdJUAbw3W7AKSjD:MsPed2uAt7Pg3PWmMJNgWAv
TLSH T1640633171E20DABEE440E4B60A1EA832B1D64FEF8CA4419257851D1BE5BBFCD37762C1
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
45
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
42658938061c41ee991c56ac8a8e90c7.exe
Verdict:
Suspicious activity
Analysis date:
2025-07-27 13:05:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d83cc62f-86ab-418d-a0ac-b7e5d4c1a0b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17147/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68862402af3050dc8d31876f
Tags:
shellcode packed spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
microsoft_visual_cc obfuscated overlay packed packed themidawinlicense zero
Link:
https://www.filescan.io/uploads/6886240ea16348d835f02c13/reports/9696176b-1847-4425-9b28-b4574b152acf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7eb099c5033672c65f8d09e0a0bd0c2f4d74312abfc8c027ec6b5a056ae53efd
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d6ad2220-a7f4-4dcc-9e7b-9931fd860230
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1744961
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Xmrig
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1744961 Sample: 42658938061c41ee991c56ac8a8... Startdate: 27/07/2025 Architecture: WINDOWS Score: 100 79 Sigma detected: Xmrig 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 16 other signatures 2->85 8 Default.exe 3 2->8         started        11 42658938061c41ee991c56ac8a8e90c7.exe 3 2->11         started        14 svchost.exe 2->14         started        16 9 other processes 2->16 process3 dnsIp4 103 Antivirus detection for dropped file 8->103 105 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->105 107 Writes to foreign memory regions 8->107 119 2 other signatures 8->119 19 RegAsm.exe 8->19         started        69 C:\Users\user\...\dac47d38a60ed844.exe, data 11->69 dropped 71 C:\Users\user\...\bc4686fb6aa57f49.exe, data 11->71 dropped 73 C:\Users\user\...\1197620a69342b4b.sys, data 11->73 dropped 109 Query firmware table information (likely to detect VMs) 11->109 111 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->111 113 Sample is not signed and drops a device driver 11->113 121 4 other signatures 11->121 23 bc4686fb6aa57f49.exe 2 11->23         started        26 dac47d38a60ed844.exe 5 11->26         started        115 Changes security center settings (notifications, updates, antivirus, firewall) 14->115 28 MpCmdRun.exe 14->28         started        75 127.0.0.1 unknown unknown 16->75 117 Loading BitLocker PowerShell Module 16->117 30 conhost.exe 16->30         started        32 conhost.exe 16->32         started        34 conhost.exe 16->34         started        file5 signatures6 process7 dnsIp8 77 176.118.198.215, 39001, 49301, 49721 BALTNETACustomersASLT Russian Federation 19->77 87 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->87 89 Writes to foreign memory regions 19->89 91 Modifies the context of a thread in another process (thread injection) 19->91 93 Injects a PE file into a foreign processes 19->93 36 AddInProcess.exe 19->36         started        39 AddInProcess.exe 19->39         started        41 AddInProcess.exe 19->41         started        49 21 other processes 19->49 65 C:\Users\user\AppData\Local\...\iqvw64e.sys, PE32+ 23->65 dropped 95 Sample is not signed and drops a device driver 23->95 43 conhost.exe 23->43         started        67 C:\Users\user\AppData\Roaming\...\Default.exe, PE32+ 26->67 dropped 45 conhost.exe 28->45         started        47 conhost.exe 30->47         started        file9 97 Detected Stratum mining protocol 77->97 signatures10 process11 signatures12 99 Query firmware table information (likely to detect VMs) 36->99 101 Found strings related to Crypto-Mining 36->101 51 conhost.exe 36->51         started        53 conhost.exe 39->53         started        55 conhost.exe 41->55         started        57 conhost.exe 49->57         started        59 conhost.exe 49->59         started        61 conhost.exe 49->61         started        63 12 other processes 49->63 process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7eb099c5033672c65f8d09e0a0bd0c2f4d74312abfc8c027ec6b5a056ae53efd
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/387954c62e678d35c92c357dfc843fa4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7eb099c5033672c65f8d09e0a0bd0c2f4d74312abfc8c027ec6b5a056ae53efd/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/7eb099c5033672c65f8d09e0a0bd0c2f4d74312abfc8c027ec6b5a056ae53efd
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-07-27 13:05:08 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
16 of 23 (69.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2yjtridgzzmmx4nbhqkbpimf5gximjkx7emaj7mnnnak2xfh36q._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion themida trojan
Link:
https://tria.ge/reports/250727-qbl88sxqz8/
Behaviour
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1e049539-cfc5-48e4-a671-c458c2dd3220
Unpacked files
SH256 hash:
7eb099c5033672c65f8d09e0a0bd0c2f4d74312abfc8c027ec6b5a056ae53efd
MD5 hash:
387954c62e678d35c92c357dfc843fa4
SHA1 hash:
192808d4a1dbf5e446aaf27b806d13121ec3de3b
Link:
https://www.unpac.me/results/8d55ea35-b068-402a-9254-70ac89353c74/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7eb099c5033672c65f8d09e0a0bd0c2f4d74312abfc8c027ec6b5a056ae53efd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AgentTesla

Executable exe 67a2ead75d204b7175dbd4d6c2afed6f6962c48892f5f05053409c9f7d84d887

CoinMiner

Executable exe 7eb099c5033672c65f8d09e0a0bd0c2f4d74312abfc8c027ec6b5a056ae53efd

(this sample)

  
Dropped by
SHA256 67a2ead75d204b7175dbd4d6c2afed6f6962c48892f5f05053409c9f7d84d887
Cape
Cape
https://www.capesandbox.com/analysis/17147/
  
Dropped by
MD5 c34fff2f19aae9e62792e7a7a9246f78

Comments