MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8b32e5072b3ea2a43f3cd918137a554fc4298bd5e13acd6ce78acd2db95585a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 12



SHA256 hash: b8b32e5072b3ea2a43f3cd918137a554fc4298bd5e13acd6ce78acd2db95585a
SHA3-384 hash: ed61a3a3c18b4e2dddc1e444aed1915cc2db650175273279dc54023cc8c23525f29f814d05ee7ec3b9ff4830ecaeb133
SHA1 hash: 2add7a28db7fea7f85e8bb8955c6a3431f505ed7
MD5 hash: 88a624e06992365f4ad49e095a3fff33
humanhash: lactose-papa-paris-mars
File name: adobe pack.exe
Signature: CoinMiner
File size: 38'768'934 bytes
First seen: 2025-06-29 14:51:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b1c5b1beabd90d9fdabd1df0779ea832 (11 x CoinMiner, 10 x QuasarRAT, 8 x AsyncRAT)
ssdeep: 786432:Pv3la1iv2i4/tvMBeq5rqItX3cs7FJILMXWHZrGUI+c5MRMYGnz:XViC4uBjrqiVQQsXc56MY6z
TLSH: T10A873390B3FC0EF5C6BA3A348826590BF77F744606F48A0D46980527DFA37529E7A712
TrID: 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      0.7% (.EXE) OS/2 Executable (generic) (2029/13)
      0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: b27161e8cccc9e90 (1 x CoinMiner)
Reporter: aachum
Tags: CoinMiner exe


iamaachum
https://www.youtube.com/watch?v=ZTw1Fsi32sI => https://drive.google.com/file/d/1ErsBWVPy-9hlLXlMfd9yvox_iY19qmH9/view

Intelligence


File Origin
# of uploads: 1
# of downloads: 219
Origin country: ES

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: adobepack.exe
Verdict: No threats detected
Analysis date: 2025-06-29 14:48:40 UTC
Tags: auto-sch-xml
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: autorun madi

Result
Verdict: Malware
Maliciousness:

Behaviour
Running batch commands
Launching the process to change the firewall settings
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm crypt fingerprint microsoft_visual_cc miner overlay overlay packed packer_detected powershell

Result
Threat name: Xmrig, ccminer
Detection: malicious
Classification: troj.expl.evad.mine
Score: 100 / 100

Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Command shell drops VBS files
Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has nameless sections
Sample is not signed and drops a device driver
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Sigma detected: Xmrig
Suspicious execution chain found
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Wscript starts Powershell (via cmd or directly)
Yara detected ccminer
Yara detected Xmrig cryptocurrency miner

Behaviour
Behavior Graph:
Behavior Graph ID: 1725033
Sample: adobe pack.exe
Start date: 29/06/2025
Architecture: WINDOWS
Score: 100

Top-level signatures: Sigma detected: Xmrig; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 10 other signatures

Network contacts:
  srbminer.com (104.21.78.9, port 443, CLOUDFLARENETUS, United States), contacted by gtservices.exe
  na.luckpool.net (149.56.27.47, port 3956, OVHFR, Canada), contacted by gtservices.exe
  127.0.0.1 (unknown), contacted by one of the 2 other top-level processes

Process tree (indentation = parent/child):
  adobe pack.exe
    drops: C:\Dumper\ntrights.exe (PE32), C:\Dumper\mouse.exe (PE32), C:\Dumper\gtservices.exe (PE32+), 10 other malicious files
    signature: Sample is not signed and drops a device driver
    wscript.exe
      signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found; Writes or reads registry keys via WMI
      cmd.exe
        drops: C:\netframework.4.5.2\gtservices.exe (PE32+), C:\netframework.4.5.2\WinRing0x64.sys (PE32+), C:\netframework.4.5.2\WinIo64.sys (PE32+), 2 other malicious files
        signatures: Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Uses ping.exe to sleep; 10 other signatures
        powershell.exe
          wscript.exe
          netsh.exe
          netsh.exe
          48 other processes
        14 other processes
          signatures: Obfuscated command line found; Writes or reads registry keys via WMI; Loading BitLocker PowerShell Module
          WMIC.exe
          find.exe
    wscript.exe
  wscript.exe
    signature: Wscript starts Powershell (via cmd or directly)
    cmd.exe
      signatures: Obfuscated command line found; Uses ping.exe to sleep
      gtservices.exe
        network: na.luckpool.net (149.56.27.47:3956); srbminer.com (104.21.78.9:443)
        drops: C:\Users\user\AppData\Local\...\evbEDEE.tmp (PE32+), C:\Users\user\AppData\Local\...\evbEDDD.tmp (PE32+), C:\Users\user\AppData\Local\...\evbEDAD.tmp (PE32+)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 3 other signatures
        cmd.exe
      cmd.exe
        2 other processes
      cmd.exe
        tasklist.exe
      10 other processes
        4 other processes
  wscript.exe
    cmd.exe
      cmd.exe
        2 other processes
          drops: C:\netframework.4.5.2\mouse.exe (PE32)
          cvtres.exe
      cmd.exe
        tasklist.exe
      cmd.exe
        mouse.exe
      4 other processes
  2 other processes
Threat name: Win64.Trojan.Giant
Status: Malicious
First seen: 2025-05-21 05:53:14 UTC
File Type: PE+ (Exe)
Extracted files: 6
AV detection: 20 of 38 (52.63%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution persistence privilege_escalation

Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Power Settings
Checks computer location settings
Drops startup file
Executes dropped EXE
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File: Executable exe b8b32e5072b3ea2a43f3cd918137a554fc4298bd5e13acd6ce78acd2db95585a (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (FORCE_INTEGRITY)   high

Reviews

ID                  Capabilities                      Evidence
GDI_PLUS_API        Interfaces with Graphics          gdiplus.dll::GdiplusStartup
                                                      gdiplus.dll::GdiplusShutdown
                                                      gdiplus.dll::GdipAlloc
WIN32_PROCESS_API   Can Create Process and Threads    KERNEL32.dll::CloseHandle
                                                      KERNEL32.dll::CreateThread
WIN_BASE_API        Uses Win Base API                 KERNEL32.dll::TerminateProcess
                                                      KERNEL32.dll::LoadLibraryW
                                                      KERNEL32.dll::LoadLibraryExA
                                                      KERNEL32.dll::LoadLibraryExW
                                                      KERNEL32.dll::GetSystemInfo
                                                      KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API   Can Execute other programs        KERNEL32.dll::AllocConsole
                                                      KERNEL32.dll::AttachConsole
                                                      KERNEL32.dll::WriteConsoleW
                                                      KERNEL32.dll::FreeConsole
                                                      KERNEL32.dll::SetStdHandle
                                                      KERNEL32.dll::GetConsoleMode
                                                      KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API     Can Create Files                  KERNEL32.dll::CreateDirectoryW
                                                      KERNEL32.dll::CreateHardLinkW
                                                      KERNEL32.dll::CreateFileW
                                                      KERNEL32.dll::CreateFileMappingW
                                                      KERNEL32.dll::DeleteFileW
                                                      KERNEL32.dll::MoveFileW
                                                      KERNEL32.dll::MoveFileExW

Comments