MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94cfde40eccb2f9de072d3cdbcfe2b0fbb238e2ce8d283f39e2d7b4c30183c1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94cfde40eccb2f9de072d3cdbcfe2b0fbb238e2ce8d283f39e2d7b4c30183c1d
SHA3-384 hash: 3c668e8b34e35779c04c3f0a42e373795ed304770fd0619f51063271e271fc855a38783e2bf49aaae8316f19f6808615
SHA1 hash: 6860a754019fc0bf42051483040d0b44e9b779c3
MD5 hash: 88303fed6c9b051757ecdd248c078913
humanhash: friend-vegan-kentucky-mississippi
File name:svchost.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'106'944 bytes
First seen:2025-11-23 09:26:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 67088e0c9d97ffbc67f39ac67b8abd79 (1 x CoinMiner)
ssdeep 24576:9JdlWRBtP7ix4odf1E09U0pp91pjDdmmRPTNDs2Am:9JyRX2zh1XPTpZpD5t
Threatray 2 similar samples on MalwareBazaar
TLSH T1BE3523CD87D416E3FD863BBAF12F4604C9E4D50A58ABA2A99F4DB8C5C134CA1F052793
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Hexastrike
Tags:CoinMiner exe UPX
File size (compressed) :1'106'944 bytes
File size (de-compressed) :3'209'728 bytes
Format:win64/pe
Unpacked file: c344a5f74148eed25b717a3a773b91c328c174d92c5cb6c44b65d750d2296508

Intelligence

File Origin
# of uploads :
1
# of downloads :
17
Origin country :
IE IE
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
svchost.exe
Verdict:
Malicious activity
Analysis date:
2025-11-23 19:05:16 UTC
Tags:
xmrig upx
Link:
https://app.any.run/tasks/b3144458-8e81-41ca-afb6-ad30da8daf4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/40643/
Gathering data
Gathering data
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Searching for synchronization primitives
Launching a process
Searching for the window
Creating a file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug coinminer microsoft_visual_cc miner monero overlay packed packed packed pup upx xmrig
Link:
https://www.filescan.io/uploads/6922dc34eecb08e4aa45a271/reports/98ff7f9d-58a6-45e9-a1ec-d24304e8310c/overview
Verdict:
Malicious
Labled as:
Win64/CoinMiner.IZ potentially unwanted application
Link:
https://www.hybrid-analysis.com/sample/94cfde40eccb2f9de072d3cdbcfe2b0fbb238e2ce8d283f39e2d7b4c30183c1d
Result
Gathering data
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/94cfde40eccb2f9de072d3cdbcfe2b0fbb238e2ce8d283f39e2d7b4c30183c1d
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/88303fed6c9b051757ecdd248c078913
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94cfde40eccb2f9de072d3cdbcfe2b0fbb238e2ce8d283f39e2d7b4c30183c1d/
Threat name:
Win64.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2025-11-22 20:47:48 UTC
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sth54qhmzmxz3yds2pg3z7rlb65shdrm5djih446fv5uymayhqoq._file
Verdict:
malicious
Label(s):
xmrig
Create hunting rule
Similar samples:
c344a5f74148eed25b717a3a773b91c328c174d92c5cb6c44b65d750d2296508
CoinMiner
error
CoinMiner
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig discovery miner upx
Link:
https://tria.ge/reports/251123-l39fmatlex/
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
UPX packed file
Checks computer location settings
Executes dropped EXE
XMRig Miner payload
Xmrig family
xmrig
Verdict:
Malicious
Tags:
cryptojacking xmrig
YARA:
PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Link:
https://app.threat.zone/submission/ce12ec1d-eda7-4ecf-b792-6efa3dc16654
Unpacked files
SH256 hash:
c344a5f74148eed25b717a3a773b91c328c174d92c5cb6c44b65d750d2296508
MD5 hash:
652792370a06bd0e63a91bb656a8288f
SHA1 hash:
38fe32878c6aa657e954eb4afd02b057ed3091e2
Detections:
XMRig
Create hunting rule
PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Create hunting rule
MAL_XMR_Miner_May19_1
Create hunting rule
PUA_Crypto_Mining_CommandLine_Indicators_Oct21
Create hunting rule
XMRIG_Monero_Miner
Create hunting rule
MALWARE_Win_CoinMiner02
Create hunting rule
Link:
https://www.unpac.me/results/5adafd80-3293-44df-8f20-501766232fbf/
Parent samples :
94cfde40eccb2f9de072d3cdbcfe2b0fbb238e2ce8d283f39e2d7b4c30183c1d
c344a5f74148eed25b717a3a773b91c328c174d92c5cb6c44b65d750d2296508
SH256 hash:
94cfde40eccb2f9de072d3cdbcfe2b0fbb238e2ce8d283f39e2d7b4c30183c1d
MD5 hash:
88303fed6c9b051757ecdd248c078913
SHA1 hash:
6860a754019fc0bf42051483040d0b44e9b779c3
Link:
https://www.unpac.me/results/5adafd80-3293-44df-8f20-501766232fbf/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/94cfde40eccb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/94cfde40eccb2f9de072d3cdbcfe2b0fbb238e2ce8d283f39e2d7b4c30183c1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects XMRIG crypto coin miners
Reference:https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Rule name:PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20_RID33BA
Create hunting rule
Author:Florian Roth
Description:Detects XMRIG crypto coin miners
Reference:https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

CoinMiner

Executable exe 94cfde40eccb2f9de072d3cdbcfe2b0fbb238e2ce8d283f39e2d7b4c30183c1d

(this sample)

CoinMiner

Executable exe c344a5f74148eed25b717a3a773b91c328c174d92c5cb6c44b65d750d2296508

Cape
Cape
https://www.capesandbox.com/analysis/40643/
  
Dropping
SHA256 c344a5f74148eed25b717a3a773b91c328c174d92c5cb6c44b65d750d2296508
  
Dropping
MD5 652792370a06bd0e63a91bb656a8288f

Comments