MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3e45d5120a9da0dbbe280c14fbd443b71ef957557b86319ba54b9900549a7ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 14

Intelligence 14 IOCs YARA 22 File information Comments

SHA256 hash:	e3e45d5120a9da0dbbe280c14fbd443b71ef957557b86319ba54b9900549a7ee
SHA3-384 hash:	222dd70e71b712bc38ee3d69b8a1b688d0d41269428d099ea5f430b4e8422f218f544fde159b201a81ab6b852ed5c19b
SHA1 hash:	562544df296de9016f31dcf89c3f6038878eee95
MD5 hash:	9e961b62cb4b7e59f03f0ac7edea0ba9
humanhash:	golf-muppet-venus-seven
File name:	svchost.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	3'209'728 bytes
First seen:	2025-11-23 09:31:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	28d199f0ef22fb96cf34dc0bfdfd5351 (1 x CoinMiner)
ssdeep	98304:9Qyr17jKYxrMv3R+qQV2uCaI3itMQXfFVU86NCCPx3:9dr+x3
TLSH	T1A2E5AE1AB5A101E8D87AC43C8A4FA997F771344DC398F9EB37B442592F237D4863AB11
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Hexastrike
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

xmrig

ID:

File name:

svchost.exe

Verdict:

Malicious activity

Analysis date:

2025-11-23 19:54:49 UTC

Tags:

xmrig

Link:

https://app.any.run/tasks/924f284a-e439-41d6-a438-340248e92927

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CoinMiner02

Link:

https://www.capesandbox.com/analysis/40929/

Detection(s):

Win.Coinminer.Generic-7151250-0

Win.Coinminer.Generic-7151253-0

Win.Coinminer.Generic-7151447-0

Win.Coinminer.Generic-7155777-0

Win.Coinminer.Generic-7158858-0

Win.Trojan.Coinminer-9866537-0

Win.Trojan.Tedy-9956629-0

Gathering data

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Running batch commands

Launching a process

Searching for the window

Searching for synchronization primitives

Creating a file

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug base64 coinminer microsoft_visual_cc miner monero pup xmrig

Link:

https://www.filescan.io/uploads/6922e5abf96b58f0dc80bb91/reports/3005e4a9-548b-4193-ba17-a7450fe5b295/overview

Verdict:

Malicious

Labled as:

Win64/CoinMiner.IZ potentially unwanted application

Link:

https://www.hybrid-analysis.com/sample/e3e45d5120a9da0dbbe280c14fbd443b71ef957557b86319ba54b9900549a7ee

Result

Gathering data

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e3e45d5120a9da0dbbe280c14fbd443b71ef957557b86319ba54b9900549a7ee

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/9e961b62cb4b7e59f03f0ac7edea0ba9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e3e45d5120a9da0dbbe280c14fbd443b71ef957557b86319ba54b9900549a7ee/

Threat name:

Win64.Coinminer.XMRig

Status:

Malicious

First seen:

2025-11-22 19:38:29 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

4/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4psf2ujavhna3o7cqdau7pkehny67flvk64gggn2ks4zabkju7xa._file

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig discovery miner

Link:

https://tria.ge/reports/251123-mqgqhstqc1/

Behaviour

Runs ping.exe

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Checks computer location settings

Executes dropped EXE

XMRig Miner payload

Xmrig family

xmrig

Verdict:

Malicious

Tags:

cryptojacking xmrig coinminer Win.Coinminer.Generic-7151250-0

YARA:

MacOS_Cryptominer_Xmrig_241780a1 PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 MAL_XMR_Miner_May19_1 PUA_Crypto_Mining_CommandLine_Indicators_Oct21 XMRIG_Monero_Miner MALWARE_Win_CoinMiner02

Link:

https://app.threat.zone/submission/f9ae198f-1400-416e-a689-1473424588f8

Unpacked files

SH256 hash:

e3e45d5120a9da0dbbe280c14fbd443b71ef957557b86319ba54b9900549a7ee

MD5 hash:

9e961b62cb4b7e59f03f0ac7edea0ba9

SHA1 hash:

562544df296de9016f31dcf89c3f6038878eee95

Detections:

XMRig

Link:

https://www.unpac.me/results/03c99608-7be1-433c-84ea-8ee49f52e0fa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e3e45d5120a9da0dbbe280c14fbd443b71ef957557b86319ba54b9900549a7ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MacOS_Cryptominer_Xmrig_241780a1 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_CoinMiner02 Create hunting rule
Author:	ditekSHen
Description:	Detects coinmining malware

Rule name:	MAL_XMR_Miner_May19_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MAL_XMR_Miner_May19_1_RID2E1B Create hunting rule
Author:	Florian Roth
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	Multi_Cryptominer_Xmrig_f9516741 Create hunting rule
Author:	Elastic Security

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PUA_Crypto_Mining_CommandLine_Indicators_Oct21 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects command line parameters often used by crypto mining software
Reference:	https://www.poolwatch.io/coin/monero

Rule name:	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects XMRIG crypto coin miners
Reference:	https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

Rule name:	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20_RID33BA Create hunting rule
Author:	Florian Roth
Description:	Detects XMRIG crypto coin miners
Reference:	https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

Rule name:	rig_win64_xmrig_6_13_1_xmrig Create hunting rule
Author:	yarGen Rule Generator
Description:	rig_win64 - file xmrig.exe
Reference:	https://github.com/Neo23x0/yarGen

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	Windows_Cryptominer_Generic_f53cfb9b Create hunting rule
Author:	Elastic Security

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases

Rule name:	xmrig_v1 Create hunting rule
Author:	RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40929/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample