MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b8af99acc6ea0b0b25c7cec0e0403836975c93e2153213cb74b2e823d9aaaf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CoinMiner
Vendor detections: 16


SHA256 hash: 0b8af99acc6ea0b0b25c7cec0e0403836975c93e2153213cb74b2e823d9aaaf8
SHA3-384 hash: 0fb91ce16790c777ac16f1f87c2cf5ee16c53cae61b2b436e3ddbe4f000fec3902335c2924d6cd4516d0f023e341c26c
SHA1 hash: bf9f73255bc647f694cb975aab50f49faaaa581c
MD5 hash: e4e16af17e49e3c8e70fd9ee88165f25
humanhash: friend-white-mars-orange
File name: nw.exe
Signature: CoinMiner
File size: 3'511'808 bytes
First seen: 2025-12-18 09:14:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e2aa63e3f0d9837d01e53951cc9f3e29 (1 x Amadey, 1 x CoinMiner)
ssdeep: 49152:cE4oLGU8GV4gBvu/AfGFu5izUZRORD4sfhWSF2UpQi:NCq0AwzgROtcti
TLSH: T199F5DF15E3A801B9D82BD734CA658333D6B0B9925370E54F0A9DD6052F73AA29F3F712
TrID: 66.6% (.EXE) InstallShield setup (43053/19/16)
      16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      3.1% (.EXE) OS/2 Executable (generic) (2029/13)
      3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: CoinMiner exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 106
Origin country: SE

Vendor Threat Intelligence
No detections

Malware family:
ID: 1
File name: nw.exe
Verdict: Malicious activity
Analysis date: 2025-12-18 09:15:07 UTC
Tags: uac auto-reg auto-sch xmrig amsi-bypass

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: shell spawn blic

Result
Verdict: Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a file in the Windows subdirectories
Creating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Creating a service
Launching a service
Loading a system driver
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun for a service

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypto fingerprint microsoft_visual_cc packed

Verdict: Malicious
Labeled as: Win64/GenKryptik_AGeneric.BTC trojan

Verdict: Malicious
File Type: exe x64
First seen: 2025-12-17T16:24:00Z UTC
Last seen: 2025-12-18T12:48:00Z UTC
Hits: ~100
Detections: VHO:Trojan-PSW.MSIL.Agensla.gen Trojan-Downloader.Win32.Bitser.sb Trojan.Win32.BypassUAC.sb Trojan.Win32.BypassUAC.djr HEUR:Exploit.Win32.BypassUAC.gen Trojan.Win32.Reconyc.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb MEM:Trojan.Script.AngryPower.gen HEUR:Trojan.Win32.Generic HEUR:Trojan.PowerShell.Generic
Malware family: QuirkyLoader

Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.expl.evad.mine
Score: 100 / 100
Signature
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Schedule system process
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Service Binary Directory
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to download and execute files (via powershell)
UAC bypass detected (Fodhelper)
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Powershell download and execute
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 1835498; sample nw.exe; start date 18/12/2025; architecture WINDOWS; score 100), rebuilt as a process tree from the flattened graph view:
  nw.exe [Multi AV Scanner detection for submitted file; Yara detected Powershell download and execute; Yara detected Xmrig cryptocurrency miner; 16 other signatures]
    DNS: comptech.sbs
    -> nw.exe [Suspicious powershell command line found; Found strings related to Crypto-Mining; Tries to download and execute files (via powershell); 3 other signatures]
       -> nw.exe [UAC bypass detected (Fodhelper); Suspicious powershell command line found; Tries to download and execute files (via powershell)]
          dropped: C:\Users\Public\Libraries\svchost.exe (PE32+); C:\Windows\Temp\6464734.ps1 (ASCII); C:\Users\...\svchost.exe:Zone.Identifier (ASCII)
          -> ComputerDefaults.exe
             -> svchost.exe [Multi AV Scanner detection for dropped file; Suspicious powershell command line found; Tries to download and execute files (via powershell); 5 other signatures]
                -> svchost.exe [System process connects to network (likely due to code injection or exploit); Suspicious powershell command line found; Tries to download and execute files (via powershell); Sample is not signed and drops a device driver]
                   dropped: C:\Windows\Temp\RTCore64.sys (PE32+); C:\Windows\Temp\6458906.ps1 (ASCII)
                   network: 80.253.249.252, ports 49722, 49725, 49728 (ADEOXTECHUS, Turkey)
                   -> powershell.exe [Loading BitLocker PowerShell Module] -> conhost.exe
                   -> powershell.exe -> conhost.exe
                   -> powershell.exe -> conhost.exe
                   -> 33 other processes -> conhost.exe (x3); 29 other processes
                      network: comptech.sbs 104.21.14.133, port 443, ports 49726, 49727 (CLOUDFLARENETUS, United States)
          -> powershell.exe [Loading BitLocker PowerShell Module] -> conhost.exe
          -> powershell.exe -> conhost.exe
          -> 33 other processes -> conhost.exe (x3); 29 other processes
    -> svchost.exe [Changes security center settings (notifications, updates, antivirus, firewall)] -> MpCmdRun.exe -> conhost.exe
    -> svchost.exe
    -> 2 other processes

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Threat name: Win64.Trojan.Etset
Status: Malicious
First seen: 2025-12-18 02:42:39 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 18 of 38 (47.37%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion execution persistence

Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Modify Registry: Disable Windows Driver Blocklist

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 0b8af99acc6ea0b0b25c7cec0e0403836975c93e2153213cb74b2e823d9aaaf8
MD5 hash: e4e16af17e49e3c8e70fd9ee88165f25
SHA1 hash: bf9f73255bc647f694cb975aab50f49faaaa581c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Detect_Remcos_RAT
Author: daniyyell
Description: Detects Remcos RAT payloads and commands

Rule name: dgaaga
Author: Harshit
Description: Detects suspicious PowerShell or registry activity

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PUA_Crypto_Mining_CommandLine_Indicators_Oct21
Author: Florian Roth (Nextron Systems)
Description: Detects command line parameters often used by crypto mining software
Reference: https://www.poolwatch.io/coin/monero

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SUSP_XMRIG_String
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious XMRIG crypto miner executable string in file
Reference: Internal Research

Rule name: SUSP_XMRIG_String_RID2D18
Author: Florian Roth
Description: Detects a suspicious XMRIG crypto miner executable string in file
Reference: Internal Research

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256: 0b8af99acc6ea0b0b25c7cec0e0403836975c93e2153213cb74b2e823d9aaaf8 (this sample)

Delivery method
Distributed via web download

Comments