MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff53ea407afca08ff7555f895686fb71cc858cfd51725efc6a678c2b202f31f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 15

Intelligence 15 IOCs YARA 19 File information Comments

SHA256 hash:	ff53ea407afca08ff7555f895686fb71cc858cfd51725efc6a678c2b202f31f4
SHA3-384 hash:	af53e034d597568178183de00fa341dbfea4a6943edd5907a0a9889c8be3a26b965452c764e81be91ca8209e003f0643
SHA1 hash:	53ecdd520ee31739e1911aebb35219eb0bf057f0
MD5 hash:	5d6699184e58934e07ff7c8dd58f76f0
humanhash:	pip-cup-river-hydrogen
File name:	modest-menu.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	26'733'568 bytes
First seen:	2025-08-11 06:41:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep	393216:Sg6+N71m3mzE3up6xlGaE+TXmcqQMBrgtKQrpqaeIQvZWCQfkVRu:Sg6+N4esxlGaE+TTqQZgapqatfwRu
Threatray	10 similar samples on MalwareBazaar
TLSH	T13D4733D30A523863F04BEE36C97B49D69B236458D6CC799E12871D1FED3A114E6E3B02
TrID	28.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 25.5% (.EXE) Win32 Executable (generic) (4504/4/1) 11.7% (.EXE) Win16/32 Executable Delphi generic (2072/23) 11.4% (.EXE) OS/2 Executable (generic) (2029/13) 11.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	068e81c68eadcc4c (3 x RedLineStealer, 2 x CoinMiner, 1 x zgRAT)
Reporter	Vip5676
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

xmrig

ID:

File name:

modest-menu.exe

Verdict:

Malicious activity

Analysis date:

2025-08-11 06:51:03 UTC

Tags:

github evasion stealer xworm miner auto-reg auto-startup auto rat remote xor-url upx generic xmrig amsi-bypass

Link:

https://app.any.run/tasks/bb01e97c-2838-44b1-b95f-115519125b46

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

R77

Link:

https://www.capesandbox.com/analysis/20051/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689990aafca70bd90e8dfe90

Tags:

vmdetect autorun lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Creating a window

Creating a file

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Running batch commands

Launching a process

Unauthorized injection to a recently created process

Adding an exclusion to Microsoft Defender

Using obfuscated Powershell scripts

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

fasm obfuscated

Link:

https://www.filescan.io/uploads/689990a69ef4d2ff7cf583ff/reports/45f6a51f-d166-4bb4-8f71-5396f451e195/overview

Verdict:

Malicious

Labled as:

ExNuma.Generic

Link:

https://www.hybrid-analysis.com/sample/ff53ea407afca08ff7555f895686fb71cc858cfd51725efc6a678c2b202f31f4

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ff53ea407afca08ff7555f895686fb71cc858cfd51725efc6a678c2b202f31f4

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/5d6699184e58934e07ff7c8dd58f76f0

Gathering data

Verdict:

Malicious

Threat:

RiskTool.Miner.UDP

Link:

https://tip.neiki.dev/file/ff53ea407afca08ff7555f895686fb71cc858cfd51725efc6a678c2b202f31f4

Threat name:

Win32.Trojan.ExNuma

Status:

Malicious

First seen:

2025-08-11 06:44:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

33 of 38 (86.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=75j6uqd27sqi752vl6evnbx3ohgildh5kfzf57dkm6gcwibpgh2a._file

Verdict:

malicious

Label(s):

phemedronestealer

unc_loader_055

xworm

CoinMiner

3f50ff9e2d8b9e236f907ee98010b8ebdcf5e7ecbe88a8e1e713cacd61348bd8

CoinMiner

4edc085848c227c30b0022a28ef5054c19e60ef30ef5e7854ad2af29266d8bdd

CoinMiner

6cb5005a2a43e0ca027de531c844c00935940df89d797b67f47d4399b89d3bf4

CoinMiner

c404e0d7e951bf6e07dd09390f0332024031081b08f493d073d7a1d3e279d844

CoinMiner

eebb47c48137f331e9e7e203763300c343a3643f88c60318667b5d525c40a058

CoinMiner

error

CoinMiner

f7275b24c106b512ebb4520a80746db20d7d62e3d216303abfabb8a1d0b2b465

CoinMiner

Result

Malware family:

xworm

Score:

10/10

Tags:

family:phemedrone family:xmrig family:xworm credential_access defense_evasion discovery execution miner persistence rat spyware stealer trojan upx

Link:

https://tria.ge/reports/250811-hf5x5sxkt7/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

UPX packed file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Power Settings

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

XMRig Miner payload

Detect Xworm Payload

Phemedrone

Phemedrone family

Suspicious use of NtCreateUserProcessOtherParentProcess

Xmrig family

Xworm

Xworm family

xmrig

Malware Config

C2 Extraction:

92.113.146.251:9944

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/61386e14-b33f-4ecc-a507-7c117568b947

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ff53ea407afc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/ff53ea407afca08ff7555f895686fb71cc858cfd51725efc6a678c2b202f31f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	MALWARE_Win_R77 Create hunting rule
Author:	ditekSHen
Description:	Detects r77 rootkit

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Suspicious_PssCaptureSnapshot_Usage Create hunting rule
Author:	Dana Behling - Just me not for personal curiosity, no company.
Description:	Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity.

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Rootkit_R77_d0367e28 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20051/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::VirtualAllocExNuma kernel32.dll::CreateThread
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::GetComputerNameA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample