MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1465c03f920bc101bbeb925045ebf10af793246c533c8c90d82923a1c441b147. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1465c03f920bc101bbeb925045ebf10af793246c533c8c90d82923a1c441b147
SHA3-384 hash: c066151a63199b54fa6bccb9f04528cc47bffb85b65c92c30f45bebb7c1baf15e06765f4b9890faf43489658329639b3
SHA1 hash: d709f9e197ef928d0212be348127f6677a902bad
MD5 hash: 9961c0f342ceaff5f88d7f125b8a24be
humanhash: sweet-sink-hotel-ack
File name:6adc1e14c896571371bc6e1c4f7763c7dd67d22af827cc0b57c4bde8e8925ba6f4120c2f803e7acc
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'934'120 bytes
First seen:2025-05-14 03:46:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 203d63d5d9a088e2d84cef737227986b (55 x CoinMiner)
ssdeep 49152:0TBspvVu8zdaIck2PyDBevNKDi3acRu1zYxBwbvrJh8lyjB5a:0+VuAoxyDBecD2hu1MxBUhUYa
Threatray 198 similar samples on MalwareBazaar
TLSH T1BFD512E00081231FD36CDA7E11DB8E9916654FFC47FA77EB45A652A8AFD3381E428D90
TrID 49.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
31.8% (.EXE) Win64 Executable (generic) (10522/11/4)
6.1% (.EXE) OS/2 Executable (generic) (2029/13)
6.0% (.EXE) Generic Win/DOS Executable (2002/3)
6.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter skocherhan
Tags:CoinMiner exe


Avatar
skocherhan
http://uffyaa.ru/PacketgeoDbbaseFlowerDatalifeLocalpublicDownloads/6adc1e14c896571371bc6e1c4f7763c7dd67d22af827cc0b57c4bde8e8925ba6f4120c2f803e7acc

Intelligence

File Origin
# of uploads :
1
# of downloads :
449
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
test.exe
Verdict:
Malicious activity
Analysis date:
2025-04-15 08:04:34 UTC
Tags:
pastebin loader miner winring0x64-sys vuln-driver
Link:
https://app.any.run/tasks/4f769272-1a3d-4382-9871-71aaa808f79a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Genkryptik-10016533-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6824136fe16384d6a7043cf7
Tags:
virus spawn krypt mint
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Deleting a recently created file
Сreating synchronization primitives
Deleting a system file
Running batch commands
Launching a process
Creating a service
Creating a file
Launching a service
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug coinminer expired-cert invalid-signature krypt signed
Link:
https://www.filescan.io/uploads/6824123c8bd61140fb6f4e2e/reports/29e0a724-fd23-4c18-afd1-fa4caeddc90f/overview
Verdict:
Malicious
Labled as:
Mint.Zard.Generic
Link:
https://www.hybrid-analysis.com/sample/1465c03f920bc101bbeb925045ebf10af793246c533c8c90d82923a1c441b147
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3960e57b-6859-44a2-bf82-78e20428a761
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1689547
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Sigma detected: Disable power options
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Suspicious powershell command line found
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1689547 Sample: 6adc1e14c896571371bc6e1c4f7... Startdate: 14/05/2025 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for submitted file 2->68 70 Sigma detected: Stop EventLog 2->70 72 Sigma detected: Disable power options 2->72 74 12 other signatures 2->74 9 powershell.exe 2 15 2->9         started        12 6adc1e14c896571371bc6e1c4f7763c7dd67d22af827cc0b57c4bde8e8925ba6f4120c2f803e7acc.exe 1 2 2->12         started        15 ydmehmmzlokc.exe 2->15         started        17 powershell.exe 2->17         started        process3 file4 96 Writes to foreign memory regions 9->96 98 Modifies the context of a thread in another process (thread injection) 9->98 100 Injects a PE file into a foreign processes 9->100 19 dllhost.exe 9->19         started        22 conhost.exe 9->22         started        66 C:\ProgramData\...\ydmehmmzlokc.exe, PE32+ 12->66 dropped 102 Uses powercfg.exe to modify the power settings 12->102 104 Adds a directory exclusion to Windows Defender 12->104 106 Modifies power options to not sleep / hibernate 12->106 24 powershell.exe 23 12->24         started        26 cmd.exe 1 12->26         started        34 14 other processes 12->34 108 Multi AV Scanner detection for dropped file 15->108 110 Protects its processes via BreakOnTermination flag 15->110 28 powershell.exe 21 15->28         started        30 cmd.exe 15->30         started        36 11 other processes 15->36 32 conhost.exe 17->32         started        signatures5 process6 signatures7 76 Contains functionality to inject code into remote processes 19->76 78 Writes to foreign memory regions 19->78 80 Creates a thread in another existing process (thread injection) 19->80 86 2 other signatures 19->86 38 winlogon.exe 19->38 injected 40 lsass.exe 19->40 injected 47 2 other processes 19->47 82 Found suspicious powershell code related to unpacking or dynamic code loading 24->82 84 Loading BitLocker PowerShell Module 24->84 43 conhost.exe 24->43         started        49 2 other processes 26->49 45 conhost.exe 28->45         started        51 2 other processes 30->51 53 13 other processes 34->53 55 9 other processes 36->55 process8 signatures9 57 dllhost.exe 38->57         started        88 Installs new ROOT certificates 40->88 90 Writes to foreign memory regions 40->90 92 Adds a directory exclusion to Windows Defender 43->92 94 Modifies power options to not sleep / hibernate 43->94 process10 signatures11 112 Injects code into the Windows Explorer (explorer.exe) 57->112 114 Writes to foreign memory regions 57->114 116 Creates a thread in another existing process (thread injection) 57->116 118 Injects a PE file into a foreign processes 57->118 60 svchost.exe 57->60 injected 62 svchost.exe 57->62 injected 64 svchost.exe 57->64 injected process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1465c03f920bc101bbeb925045ebf10af793246c533c8c90d82923a1c441b147
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1465c03f920bc101bbeb925045ebf10af793246c533c8c90d82923a1c441b147/
Threat name:
Win64.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2025-03-08 07:27:40 UTC
File Type:
PE+ (Exe)
AV detection:
26 of 35 (74.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=crs4ap4sbpaqdo7lsjiel27rbl3zgjdmkm6izegyfer2drcbwfdq._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
Similar samples:
093963c3fd2e61c4d8ac56c62a4fe9426bd348b65a9f681d2322f9a51fa1d655
CoinMiner
1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db
CoinMiner
52e2f57489e8cabde628e4d477bfff50504b92cabba78ffaba9fd632e924932d
CoinMiner
5f7c6cdea3c4e825af1d796cbd34b2d45b2b6fabed130e717a30a6d871993f5d
CoinMiner
5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665
CoinMiner
6c99b8348aaf2c00eb161a754eab7b6f54632e1bd5b9ae9bede5f0062dabe727
CoinMiner
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
CoinMiner
bc919d4fa285e2891889c6cf592c7f1707d69adead1af792e005e4d58cd02bbf
CoinMiner
bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0
CoinMiner
error
CoinMiner
fe74f06d7437d213d96466b4475db2809c60a4e8aced9df338f4a71cf9bc7c16
CoinMiner
+ 188 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion execution persistence
Link:
https://tria.ge/reports/250514-eb9hzsvtdv/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Power Settings
Checks BIOS information in registry
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Stops running service(s)
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
Win.Trojan.Genkryptik-10016533-0
YARA:
n/a
Link:
https://app.threat.zone/submission/b6d1b564-335e-40d5-aacd-51a2db965f6c
Unpacked files
SH256 hash:
1465c03f920bc101bbeb925045ebf10af793246c533c8c90d82923a1c441b147
MD5 hash:
9961c0f342ceaff5f88d7f125b8a24be
SHA1 hash:
d709f9e197ef928d0212be348127f6677a902bad
Link:
https://www.unpac.me/results/48628abc-9196-42d7-8135-842a4889488b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1465c03f920b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1465c03f920bc101bbeb925045ebf10af793246c533c8c90d82923a1c441b147

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

65220f9d7e727909edf0c55e5b569c53

CoinMiner

Executable exe 1465c03f920bc101bbeb925045ebf10af793246c533c8c90d82923a1c441b147

(this sample)

  
Dropped by
MD5 65220f9d7e727909edf0c55e5b569c53

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments