MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8ffba1fad735b0405cbadd00fda875313ef8ee9d4ffd3970a152ecf14c5e279. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 6

SHA256 hash: b8ffba1fad735b0405cbadd00fda875313ef8ee9d4ffd3970a152ecf14c5e279
SHA3-384 hash: 9ace337b987fc7e953ca978299afca764232bbb18449b3971ec0033d525caff5cb83822cbce038edb01f35e6f67e4702
SHA1 hash: de33726ce9286b197c7b35a96e2696d161e207b0
MD5 hash: 89c479b1e27016926d2e8bc56671e7d7
humanhash: india-potato-white-purple
File name: Launcher.exe
Signature: CoinMiner
File size: 80'633'968 bytes
First seen: 2025-11-23 15:43:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 98aa68e4d11d1d6caaff2fb7a8208443 (1 x Heodo, 1 x CoinMiner)
ssdeep: 393216:Knh2M1/XytnhNh07I7fMzW2CQZr13j+F2g0VMRQu58EASEhoIaE2lShglF27TDUJ:KtxsoIRQJhXnGPX3UvxOOxoz
TLSH: T113086B46A7EA04D5F9F79A349AE65213D673BC063F30C5CB3208172A1F736E09976722
TrID: 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.2% (.EXE) OS/2 Executable (generic) (2029/13)
      12.0% (.EXE) Generic Win/DOS Executable (2002/3)
      12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: burger
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 78
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Launcher.exe
Verdict: Suspicious activity
Analysis date: 2025-11-23 15:43:46 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a custom TCP request
Creating a file
Result
Threat name: EICAR, Xmrig
Detection: malicious
Classification: evad.troj.spyw.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Disable Windows Defender notifications (registry)
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses WMIC command to query system information (often done to detect virtual machines)
Yara detected EICAR
Yara detected NexeCompiled Binary
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph image omitted] Behavior Graph ID: 1819553, Sample: Launcher.exe, Startdate: 23/11/2025, Architecture: WINDOWS, Score: 100. The graph shows the process tree spawned by Launcher.exe together with its contacted domains, dropped files and the signatures listed above.
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Checks processor information in registry
Verdict: Suspicious
Tags: trojan emotet
YARA: Emotet_Payload
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments