MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b213a2c0c92828d10d1f5879b97b8a2927ee9fae2d0d9bc170ff6ded7087e24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b213a2c0c92828d10d1f5879b97b8a2927ee9fae2d0d9bc170ff6ded7087e24
SHA3-384 hash: 277ca6c1c07d64f637a7088c59afad44f9f30f9230744f60f9ed1ea7f5fbdd1e4d1c9a8886fd2f8ca48ae3083c15ed38
SHA1 hash: 5b16272f28b077cbf598017cbfb00ad2ee3032c8
MD5 hash: dfce7816559907bd6706b01a1fb26f57
humanhash: rugby-orange-oscar-quebec
File name:Mines Predictor V1.1.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'283'008 bytes
First seen:2026-02-03 19:35:40 UTC
Last seen:2026-02-03 20:31:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (89 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 24576:2C8zDfbtO+dL6Q1c+cCNjn+vh4yvhiZm3w4M0OWfVzYnud+1q6t040xByvlmlteg:DGtO+dLNIV24hcmDanM+AK0uv8irF
Threatray 131 similar samples on MalwareBazaar
TLSH T1E8B533BED72446DBF35B363298329748976099D71F513B0B13B306B0861C8B54EB87EA
TrID 55.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
6.7% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:CoinMiner exe


Avatar
iamaachum
https://www.youtube.com/watch?v=AgTU4gyIzRA => https://www.mediafire.com/file/50mcj2hx5n3qnit/Mines_Predictor_V1.1.rar/file

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Mines Predictor V1.1.exe
Verdict:
No threats detected
Analysis date:
2025-09-06 09:28:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bd5f4e61-9787-4194-a18b-2f8dbe489409

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/51562/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69824e356b1af47db72c8630
Tags:
autorun xmrig
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypt donut packed
Link:
https://www.filescan.io/uploads/69824e312ffccda097672c79/reports/0ce42c96-a84a-4cb6-aeac-272c6afbf0ad/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1b213a2c0c92828d10d1f5879b97b8a2927ee9fae2d0d9bc170ff6ded7087e24
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-08-07T19:46:00Z UTC
Last seen:
2025-11-13T20:14:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.DonutInjector.sb Trojan.Win32.Shellcode.sb HEUR:Trojan.Win64.DonutInjector.gen Trojan.Win64.Inject.sb Trojan.Win64.Donut.sb Trojan.Win32.Inject.sb HEUR:Trojan.Win32.Generic Trojan.Win32.Shellcode.dwv RiskTool.Miner.UDP.C&C RiskTool.BitCoinMiner.TCP.C&C
Link:
https://opentip.kaspersky.com/1b213a2c0c92828d10d1f5879b97b8a2927ee9fae2d0d9bc170ff6ded7087e24/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0f7f3d36-0121-4756-8e94-303baf1a3523
Result
Threat name:
BitCoin Miner, SilentXMRMiner, Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1862788
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1862788 Sample: Mines Predictor V1.1.exe Startdate: 03/02/2026 Architecture: WINDOWS Score: 100 80 pool.hashvault.pro 2->80 84 Sigma detected: Xmrig 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus / Scanner detection for submitted sample 2->88 90 8 other signatures 2->90 10 Mines Predictor V1.1.exe 2->10         started        13 services64.exe 2->13         started        15 svchost.exe 2->15         started        17 6 other processes 2->17 signatures3 process4 signatures5 110 Writes to foreign memory regions 10->110 112 Allocates memory in foreign processes 10->112 114 Creates a thread in another existing process (thread injection) 10->114 19 conhost.exe 6 10->19         started        23 conhost.exe 5 10->23         started        116 Antivirus detection for dropped file 13->116 118 Multi AV Scanner detection for dropped file 13->118 25 conhost.exe 3 13->25         started        120 Changes security center settings (notifications, updates, antivirus, firewall) 15->120 27 MpCmdRun.exe 15->27         started        29 WerFault.exe 17->29         started        process6 file7 72 C:\Windows\System32\...\sihost64.exe, PE32+ 19->72 dropped 74 C:\Windows\System32\Microsoft\Libs\WR64.sys, PE32+ 19->74 dropped 92 Found strings related to Crypto-Mining 19->92 94 Injects code into the Windows Explorer (explorer.exe) 19->94 96 Drops executables to the windows directory (C:\Windows) and starts them 19->96 100 5 other signatures 19->100 31 sihost64.exe 19->31         started        34 explorer.exe 19->34         started        37 cmd.exe 19->37         started        76 C:\Windows\System32\services64.exe, PE32+ 23->76 dropped 78 C:\Windows\...\services64.exe:Zone.Identifier, ASCII 23->78 dropped 98 Adds a directory exclusion to Windows Defender 23->98 39 cmd.exe 1 23->39         started        41 cmd.exe 1 23->41         started        43 cmd.exe 1 23->43         started        45 sihost64.exe 25->45         started        49 2 other processes 25->49 47 conhost.exe 27->47         started        signatures8 process9 dnsIp10 122 Antivirus detection for dropped file 31->122 124 Multi AV Scanner detection for dropped file 31->124 126 Writes to foreign memory regions 31->126 51 conhost.exe 2 31->51         started        82 185.84.98.5, 443, 49690, 49697 COLTENGINECOLTENGINENetworkIT Italy 34->82 128 System process connects to network (likely due to code injection or exploit) 34->128 130 Query firmware table information (likely to detect VMs) 34->130 132 Unusual module load detection (module proxying) 34->132 62 3 other processes 37->62 134 Uses schtasks.exe or at.exe to add and modify task schedules 39->134 136 Adds a directory exclusion to Windows Defender 39->136 53 powershell.exe 23 39->53         started        64 2 other processes 39->64 138 Drops executables to the windows directory (C:\Windows) and starts them 41->138 56 services64.exe 41->56         started        58 conhost.exe 41->58         started        66 2 other processes 43->66 140 Allocates memory in foreign processes 45->140 142 Creates a thread in another existing process (thread injection) 45->142 144 Found direct / indirect Syscall (likely to bypass EDR) 45->144 60 conhost.exe 45->60         started        68 5 other processes 49->68 signatures11 process12 signatures13 102 Loading BitLocker PowerShell Module 53->102 104 Writes to foreign memory regions 56->104 106 Allocates memory in foreign processes 56->106 108 Creates a thread in another existing process (thread injection) 56->108 70 WerFault.exe 60->70         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1b213a2c0c92828d10d1f5879b97b8a2927ee9fae2d0d9bc170ff6ded7087e24
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b213a2c0c92828d10d1f5879b97b8a2927ee9fae2d0d9bc170ff6ded7087e24/
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/1b213a2c0c92828d10d1f5879b97b8a2927ee9fae2d0d9bc170ff6ded7087e24
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2025-08-26 13:59:00 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmqtulamskbi2egr6wdzxf5yukjh52p24lintpaxb73n5vyipysa._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
75a68ccf94d77bd6b321a5aac66a93cf16624da85e14bb16458559434992a0be
CoinMiner
aa3444054be8d8f795d96ee3cea05e8038293cb27c951b00d82d5033d3437539
CoinMiner
be6928a5935f0b49ec86015be3f600a635d3aef55f602827a7104a661b13200a
CoinMiner
df1725526b23e3ddb09667fe5d9a519d704f536e5a7b701029f58b00097dcab2
CoinMiner
error
CoinMiner
+ 121 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig execution miner persistence
Link:
https://tria.ge/reports/260203-ybcnssfv5b/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
XMRig Miner payload
Xmrig family
xmrig
Unpacked files
SH256 hash:
1b213a2c0c92828d10d1f5879b97b8a2927ee9fae2d0d9bc170ff6ded7087e24
MD5 hash:
dfce7816559907bd6706b01a1fb26f57
SHA1 hash:
5b16272f28b077cbf598017cbfb00ad2ee3032c8
Link:
https://www.unpac.me/results/fb479493-c922-4995-ba2b-25ec57fbdc8c/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b213a2c0c92/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/1b213a2c0c92828d10d1f5879b97b8a2927ee9fae2d0d9bc170ff6ded7087e24

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 1b213a2c0c92828d10d1f5879b97b8a2927ee9fae2d0d9bc170ff6ded7087e24

(this sample)

  
Link
https://tria.ge/260203-x3djqsez5g/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/51562/

Comments