MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e93433169e2ec088a21ee58ae3e780f68215eb75dcd31b83d1fa31d6c16145e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 12


SHA256 hash: e93433169e2ec088a21ee58ae3e780f68215eb75dcd31b83d1fa31d6c16145e5
SHA3-384 hash: 164609b700ea86df3db33a843a0f8ce67eeefa1d2606f59f104ea34dcca0c209bbd38cba54da2e6c61b8b20ac14efb81
SHA1 hash: 80e7a2b4a47a7c0de30db916131df67ae145f143
MD5 hash: 2a4cd8f00244cf1a647cf9c1ae0f1e9f
humanhash: ack-october-north-social
File name: SilentCode.exe
Signature: CoinMiner
File size: 6'594'048 bytes
First seen: 2025-11-23 14:40:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 196608:1a7fap/5OaZDlRMYhmFg7NOKaP30dlTps2BiJ:w7w/5FZBrCg78vPIlgJ
TLSH T11B660247F25A51E5C07AD238C28B6212FBB178614767E6CF569003622F267F4AF3E712
TrID 27.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
26.6% (.EXE) UPX compressed Win64 Executable (70117/5/12)
15.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
10.2% (.EXE) UPX compressed Win32 Executable (27066/9/6)
6.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
Magika pebin
Reporter burger
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 78
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e93433169e2ec088a21ee58ae3e780f68215eb75dcd31b83d1fa31d6c16145e5.exe
Verdict: Malicious activity
Analysis date: 2025-11-23 15:03:50 UTC
Tags: upx xor-url generic netreactor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Launching a process
Searching for the window
Creating synchronization primitives
Creating a file
Searching for synchronization primitives
Changing a file
Creating a process with a hidden window
Reading critical registry keys
Moving a recently created file
Replacing files
DNS request
Connection attempt
Sending a custom TCP request
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Stop EventLog
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Unusual module load detection (module proxying)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph rendered as image; not reproduced] Behavior Graph ID: 1819540, Sample: SilentCode.exe, Startdate: 23/11/2025, Architecture: WINDOWS, Score: 100. Contacted hosts shown in the graph: pool.hashvault.pro (216.219.85.122:443), 176.118.198.215 (ports 39001-39003), plus Google/YouTube addresses reached from chrome.exe.
Verdict: AgentTesla
YARA: 12 match(es)
Tags: .Net .Net Obfuscator .Net Reactor AgentTesla Executable Fody/Costura Packer Managed .NET PDB Path RAT SOS: 0.00 SOS: 0.49 SOS: 0.88 Win 32 Exe x86
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-11-23 14:40:42 UTC
File Type: PE (.Net Exe)
Extracted files: 26
AV detection: 15 of 36 (41.67%)
Threat level: 5/5
Verdict: malicious
Label(s): purecrypter unc_loader_078
Similar samples:
Result
Malware family: n/a
Score: 4/10
Tags: discovery
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Unpacked files
SHA256 hash:
e93433169e2ec088a21ee58ae3e780f68215eb75dcd31b83d1fa31d6c16145e5
MD5 hash:
2a4cd8f00244cf1a647cf9c1ae0f1e9f
SHA1 hash:
80e7a2b4a47a7c0de30db916131df67ae145f143
Detections:
win_svcready_a0
SHA256 hash:
0be94f80cbe610beb4b4e4f11b5bf7e54a532985bcc802925759e4b5537fa646
MD5 hash:
b6616c45b6f958cb628065f3491d7c85
SHA1 hash:
917503658a9d393c1024503d8508fd4220a0c033
Detections:
win_svcready_a0
SHA256 hash:
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
MD5 hash:
0c0195c48b6b8582fa6f6373032118da
SHA1 hash:
d25340ae8e92a6d29f599fef426a2bc1b5217299
Detections:
PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD
SHA256 hash:
c60cab72b4fb29a3321e98975e87defa2d84bd20d127302f37f2635af71736b3
MD5 hash:
214321ce63073ef634fef77b3c823ead
SHA1 hash:
afcf67dccc277da5a15291f0014250228f757ea8
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Lumma_Stealer_Detection
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_e8abb835
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

CoinMiner

Executable exe | e93433169e2ec088a21ee58ae3e780f68215eb75dcd31b83d1fa31d6c16145e5 (this sample)

Comments