MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5
SHA3-384 hash: f5ab3445e65a24e0a05f3378900aa019b998be3e2c7e4a1183a2b0025e746dc51d99ddca0ccd99f7bb830b3bb56af2da
SHA1 hash: 87c3659016d0df777dba1f39467000c44608251e
MD5 hash: b9cc2958936a7f0fd5b7ec7ae1165e47
humanhash: lithium-violet-berlin-north
File name:Start.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:160'256 bytes
First seen:2025-09-09 16:12:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 23aa6ede111f6ac860a5e9008f9b9673 (22 x Rhadamanthys, 4 x DonutLoader, 3 x CoinMiner)
ssdeep 3072:sGPLWFdkhbgNpJNuL1sV+LPL6xnQ+vCjLGqzHgv4PtVZcU1D:sGPLWFdkhburoyV+DOStLdzAAX
Threatray 38 similar samples on MalwareBazaar
TLSH T1C0F35B5773A530F9E0778139C9920A45E7B278764760ABEF03A0477A1F636D09D3EB22
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:CoinMiner donutloader exe Loader XMRIG

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
Start.exe
Verdict:
Malicious activity
Analysis date:
2025-09-09 16:07:33 UTC
Tags:
loader miner xmrig anti-evasion stealer
Link:
https://app.any.run/tasks/f45c5e5f-b45c-4ea7-8726-0a4250f5e05b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26527/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c051ebb200525988793ac2
Tags:
downloader dropper spoof virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Connection attempt
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc obfuscated similar-threat
Link:
https://www.filescan.io/uploads/68c051f3cfa59bfdc7f5e271/reports/bd2f2451-1d1c-4987-8a33-8c425be2dbcf/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-09T23:08:00Z UTC
Last seen:
2025-09-09T23:08:00Z UTC
Hits:
~100
Detections:
UDS:DangerousObject.Multi.Generic PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c3cb49c7-71e2-495b-a0e2-d2490f0285d6
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1774157
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found stalling execution ending in API Sleep call
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Xmrig
Switches to a custom stack to bypass stack traces
Uses known network protocols on non-standard ports
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1774157 Sample: Start.exe Startdate: 09/09/2025 Architecture: WINDOWS Score: 100 83 pool.supportxmr.com 2->83 85 pool-phx.supportxmr.com 2->85 99 Sigma detected: Xmrig 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for dropped file 2->103 105 7 other signatures 2->105 12 Start.exe 15 2->12         started        17 svchost.exe 2->17         started        19 DataSyncHost.exe 1 2->19         started        21 5 other processes 2->21 signatures3 process4 dnsIp5 89 91.108.241.80, 49717, 5554 WSTELECOM_FRANCEFR Iraq 12->89 79 C:\Users\user\AppData\Local\...\tjgajdjrg.exe, PE32+ 12->79 dropped 81 926ab7d10da645f08b..._bound_build[1].exe, PE32+ 12->81 dropped 123 Found API chain indicative of debugger detection 12->123 23 tjgajdjrg.exe 5 12->23         started        125 Changes security center settings (notifications, updates, antivirus, firewall) 17->125 26 MpCmdRun.exe 17->26         started        28 conhost.exe 19->28         started        30 conhost.exe 21->30         started        file6 signatures7 process8 file9 73 C:\Users\user\AppData\Local\...\iirn0cjr.exe, PE32+ 23->73 dropped 75 C:\Users\user\AppData\Local\...\6tgbf3fr.exe, PE32+ 23->75 dropped 32 iirn0cjr.exe 15 23->32         started        36 6tgbf3fr.exe 15 23->36         started        38 conhost.exe 23->38         started        40 conhost.exe 26->40         started        process10 file11 63 C:\Users\user\AppData\Local\...\tjgajdjrg.exe, PE32+ 32->63 dropped 65 2441ad99bc98451e8e...96e27b_miner[1].exe, PE32+ 32->65 dropped 95 Found API chain indicative of debugger detection 32->95 42 tjgajdjrg.exe 1 3 32->42         started        67 C:\Users\user\AppData\Local\...\tjgajdjrg.exe, PE32 36->67 dropped 69 051e910c9d3249d584...rypted_build[1].exe, PE32 36->69 dropped 46 tjgajdjrg.exe 16 36->46         started        signatures12 process13 dnsIp14 77 C:\Users\user\AppData\...\DataSyncHost.exe, PE32+ 42->77 dropped 113 Multi AV Scanner detection for dropped file 42->113 49 DataSyncHost.exe 4 42->49         started        53 conhost.exe 42->53         started        91 62.60.158.10 IROST-ASIR Iran (ISLAMIC Republic Of) 46->91 93 62.60.158.37 IROST-ASIR Iran (ISLAMIC Republic Of) 46->93 115 Antivirus detection for dropped file 46->115 117 Found stalling execution ending in API Sleep call 46->117 119 Found API chain indicative of sandbox detection 46->119 121 2 other signatures 46->121 55 conhost.exe 46->55         started        file15 signatures16 process17 file18 71 C:\Users\user\AppData\...\msedge_updater.exe, PE32+ 49->71 dropped 97 Multi AV Scanner detection for dropped file 49->97 57 msedge_updater.exe 1 49->57         started        signatures19 process20 dnsIp21 87 pool-phx.supportxmr.com 107.167.92.130 IOFLOODUS United States 57->87 107 Antivirus detection for dropped file 57->107 109 Multi AV Scanner detection for dropped file 57->109 111 Query firmware table information (likely to detect VMs) 57->111 61 conhost.exe 57->61         started        signatures22 process23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/b9cc2958936a7f0fd5b7ec7ae1165e47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5
Threat name:
Win64.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-09-09 16:12:29 UTC
File Type:
PE+ (Exe)
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmscjauw34nqarfjrtzfbns6yqfn5onr75g3tq7opztvtbnuytcq._file
Verdict:
malicious
Label(s):
xmrig
Create hunting rule
Similar samples:
252918aaa98f25a1cc128e8eebb27905ded606d4eb04285abbf5344ff51947ba
CoinMiner
30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06
CoinMiner
556d8ed53e1015b4d40383198e5a787e022fa26dc132820fc053e55ec28317b7
CoinMiner
7215b48548bba5e5502aa68bb83c51c3fdbb30978e7cd2f5b44898886218d085
CoinMiner
a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af
CoinMiner
ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5
CoinMiner
error
CoinMiner
+ 28 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:rhadamanthys discovery loader stealer
Link:
https://tria.ge/reports/250909-tnrw2axyet/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Executes dropped EXE
Downloads MZ/PE file
Detects DonutLoader
Detects Rhadamanthys Payload
DonutLoader
Donutloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/491b5427-e302-4ef4-832e-544bec03ec8c
Unpacked files
SH256 hash:
ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5
MD5 hash:
b9cc2958936a7f0fd5b7ec7ae1165e47
SHA1 hash:
87c3659016d0df777dba1f39467000c44608251e
Link:
https://www.unpac.me/results/3e3fc53b-2f71-4d65-a321-2af17a572c1a/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab24248296df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

CoinMiner

Executable exe ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5

(this sample)

CoinMiner

Executable exe 30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06

  
Dropping
SHA256 30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06
  
Dropping
MD5 b8b7a103484504636148673a44eca835
  
Dropping
SHA256 293ab68de0e343a7feb0cf35c7c266125e2f7bbafeed2849820da3ce51024d6b
  
Dropping
MD5 f8d2e00ec32f7fb56f6411211abc9684
  
Dropping
SHA256 556d8ed53e1015b4d40383198e5a787e022fa26dc132820fc053e55ec28317b7
  
Dropping
MD5 76c0b9fe40658d4157264aeea2fcd13b
Cape
Cape
https://www.capesandbox.com/analysis/26527/

Comments