MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c453909c154042ba5cdafd9fe20e52013690dac89e4786e6abf874359fdd34a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 13



SHA256 hash: 1c453909c154042ba5cdafd9fe20e52013690dac89e4786e6abf874359fdd34a
SHA3-384 hash: 0b41fca7890160f5070456db6654334f7da20655acfbf3126d52ef80e58dbc2e987b2aa46a2373e1cce6b90822782b3b
SHA1 hash: dc284fcc3c8469e0690ef914796cbb83b923e612
MD5 hash: 746e942b0393e4cebe7098bc38e8d22f
humanhash: stairway-angel-nuts-connecticut
File name: SecuriteInfo.com.Win64.MalwareX-gen.17053.7046
Signature: CoinMiner
File size: 304'640 bytes
First seen: 2025-06-10 15:40:39 UTC
Last seen: 2025-06-10 16:30:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1853412c17c05ed43c05e391a21a1278 (1 x CoinMiner)
ssdeep: 6144:7iuaextUFAAiNq+r8hdUWezPogxxCBiw:7xKFrCr8hWBDxJ
Threatray: 1 similar sample on MalwareBazaar
TLSH: T136548E15F7A811F9EA67823CC9424906EB72BC564761E7CF03A04A963F237E09E3E751
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: SecuriteInfoCom
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 633
Origin country: FR
Vendor Threat Intelligence
Malware family:
ID: 1
File name: NewTextDocument.exe
Verdict: Malicious activity
Analysis date: 2025-06-10 15:07:02 UTC
Tags: github loader pastebin amadey evasion botnet stealer ms-smartcard hausbomber dcrat lumma rat remote darkcrystal discord

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: dropper xmrig shell spawn
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Connection attempt
Sending an HTTP GET request
Creating a file
Searching for synchronization primitives
Creating a process from a recently created file
Searching for the window
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to modify Windows User Account Control (UAC) settings
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Stratum mining protocol
Disables UAC (registry)
Found API chain indicative of debugger detection
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
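Several of the signatures above (the base64-encoded MpPreference cmdlet, the PowerShell execution-policy bypass, a new Run key pointing into a suspicious folder, UAC disabled through the registry) and the "Adding an exclusion to Microsoft Defender" / "Enabling autorun" behaviours listed earlier are all visible in process-creation telemetry. The Python below is an added example written for this page, not code from the sample, from MalwareBazaar or from any sandbox vendor. The events it scans are constructed to resemble Sysmon Event ID 1 command lines, because the page does not reproduce the sample's actual command lines; the field names, the detection labels and the list of suspicious folders are assumptions to be tuned per environment.

```python
import base64
import re
from typing import Optional

# Constructed process-creation events (not taken from the sample). Fields mimic
# Sysmon Event ID 1 / EDR process telemetry; only "cmdline" is inspected here.
EVENTS = [
    {  # PowerShell adding a Defender exclusion through -EncodedCommand
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
        + base64.b64encode(
            "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Local\\Temp'".encode("utf-16le")
        ).decode("ascii"),
    },
    {  # UAC disabled through the registry (EnableLUA = 0)
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
        r" /v EnableLUA /t REG_DWORD /d 0 /f",
    },
    {  # Run key pointing into %LOCALAPPDATA%\Temp
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate"
        r' /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\launcherr.exe" /f',
    },
    {  # benign PowerShell, must not be flagged
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoProfile -Command Get-Date",
    },
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the usual short forms are listed.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Folders a Run key rarely points into legitimately (assumption; tune per environment).
SUSPICIOUS_DIRS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE), or None if absent."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(event: dict) -> list:
    """Return the detection labels that fire on one event (empty list if none)."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    # Match against the decoded script when there is one, so base64 does not hide the cmdlet.
    script = (decoded if decoded is not None else cmdline).lower()
    hits = []
    # Sigma: Powershell Base64 Encoded MpPreference Cmdlet / Adds a directory exclusion to Windows Defender
    if "mppreference" in script and ("exclusion" in script or "disable" in script):
        hits.append("defender_mppreference_tamper" + (" (base64-encoded)" if decoded else ""))
    # Bypasses PowerShell execution policy
    if re.search(r"-executionpolicy\s+bypass", cmdline, re.IGNORECASE):
        hits.append("powershell_execution_policy_bypass")
    # Disables UAC (registry): EnableLUA written as 0 under Policies\System
    if r"\policies\system" in script and "enablelua" in script and re.search(r"/d\s+0\b", script):
        hits.append("uac_disabled_via_registry")
    # Sigma: New RUN Key Pointing to Suspicious Folder
    if r"\currentversion\run" in script and any(d in script for d in SUSPICIOUS_DIRS):
        hits.append("run_key_to_suspicious_folder")
    return hits


def scan(events: list) -> dict:
    """Map event index -> labels, keeping only events on which at least one rule fired."""
    return {i: labels for i, ev in enumerate(events) if (labels := classify_event(ev))}


if __name__ == "__main__":
    for idx, labels in scan(EVENTS).items():
        print(idx, EVENTS[idx]["image"].rsplit("\\", 1)[-1], labels)
```

Registry-based rules such as the Run key and EnableLUA checks are more reliably evaluated on registry-set events (Sysmon Event ID 13) than on reg.exe command lines, since the same writes can be made from PowerShell, from the Win32 API or from an injected thread without ever spawning reg.exe; the command-line form above is the minimum that catches the patterns the sandbox reported.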
Behaviour
Behavior Graph (ID 1711161; sample SecuriteInfo.com.Win64.Malw...; start date 10/06/2025; architecture WINDOWS; score 100). The graph is an image on the original page; the information recoverable from it is summarised below.

Network:
- 45.138.74.1 (ports 49681, 5553; HOSTGLOBALPLUS-AS, Russian Federation), contacted by the submitted sample
- release-assets.githubusercontent.com
- github.com 140.82.112.3:443 (GITHUB, United States), contacted by defendnot-helper.exe
- objects.githubusercontent.com 185.199.110.133:443 (FASTLY, Netherlands), contacted by defendnot-helper.exe
- xmr.kryptex.network 157.90.32.66 (ports 49692, 49694, 49696; RedIRIS AS, listed as United States), contacted by xmrig.exe; the Stratum mining protocol was detected on this connection
- 127.0.0.1
- 3 other IPs or domains

Dropped files:
- C:\Users\user\AppData\...\downloaded_app.exe (PE32), dropped by the submitted sample
- C:\Users\user\AppData\Local\...\defendnot.dll (PE32+), C:\Users\user\AppData\...\defendnot-self.exe (PE32), C:\Users\user\...\defendnot-loader.exe (PE32+), dropped by downloaded_app.exe
- C:\Users\user\...\defendnot-helper.exe (PE32), dropped by child processes of downloaded_app.exe
- C:\Users\user\AppData\Local\Temp\xmrig.exe (PE32+), C:\Users\user\AppData\Local\...\launcherr.exe (PE32+), C:\Users\user\AppData\...\WinRing0x64.sys (PE32+) and 3 other malicious files, dropped by defendnot-helper.exe

Process tree with per-process signatures:
- SecuriteInfo.com.Win64.MalwareX-gen.17053.7046.exe (submitted sample): Suspicious powershell command line found; Adds a directory exclusion to Windows Defender; starts downloaded_app.exe and 3 other processes
  - downloaded_app.exe: Multi AV Scanner detection for dropped file; Suspicious powershell command line found; Creates autostart registry keys with suspicious names; 4 other signatures; starts 3 other processes
    - those 3 processes: drop defendnot-helper.exe; Suspicious powershell command line found; Creates autostart registry keys with suspicious names; start defendnot-helper.exe, defendnot-loader.exe, powershell.exe (Loading BitLocker PowerShell Module) and 12 other processes (among which: Disables UAC (registry))
      - defendnot-helper.exe: downloads from github.com and objects.githubusercontent.com; drops xmrig.exe, launcherr.exe, WinRing0x64.sys; Multi AV Scanner detection for dropped file; Sample is not signed and drops a device driver; starts launcherr.exe (Potentially malicious time measurement code found) -> cmd.exe -> xmrig.exe, conhost.exe
      - defendnot-loader.exe: Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; Writes to foreign memory regions; 2 other signatures; starts Taskmgr.exe (Found API chain indicative of debugger detection)
- defendnot-self.exe (two top-level instances): each starts defendnot-loader.exe (Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); starts Taskmgr.exe) plus 11 or 12 other processes (Loading BitLocker PowerShell Module); one instance also starts defendnot-helper.exe -> launcherr.exe -> cmd.exe -> xmrig.exe, conhost.exe
- 10 other top-level processes: connect to 127.0.0.1; start two launcherr.exe instances -> cmd.exe -> xmrig.exe, conhost.exe
- xmrig.exe (all instances): Query firmware table information (likely to detect VMs); Multi AV Scanner detection for dropped file; connects to xmr.kryptex.network
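The graph shows xmrig.exe talking to xmr.kryptex.network and the sandbox flagging "Detected Stratum mining protocol" on that connection. Stratum is newline-delimited JSON-RPC, so a miner's first messages are recognisable from payload content regardless of the port. The Python below is an added example for this page, not code from the sample, the sandbox or any pool; the flows it inspects are constructed (placeholder pool addresses, ports and wallet string, a fabricated job blob) and are not traffic captured from this sample.

```python
import json
from typing import Iterator

# Methods used by Monero-style stratum (what XMRig speaks) and by classic Stratum v1.
STRATUM_METHODS = {
    "login", "submit", "keepalived", "job",
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
}

# Constructed TCP payloads (not captured from this sample). Addresses, ports and the
# wallet string are placeholders; the job blob is fabricated.
FLOWS = [
    {"dst": "203.0.113.10", "dport": 14433, "direction": "c2s",
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.22.0","algo":["rx/0"]}}\n'},
    {"dst": "203.0.113.10", "dport": 14433, "direction": "s2c",
     "payload": b'{"id":1,"jsonrpc":"2.0","result":{"id":"1","job":{"blob":"0c0c","job_id":"7","target":"b88d0600"},"status":"OK"},"error":null}\n'},
    {"dst": "203.0.113.11", "dport": 3333, "direction": "c2s",
     "payload": b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'},
    {"dst": "203.0.113.12", "dport": 443, "direction": "c2s",
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},   # TLS record header, not stratum
]


def iter_jsonrpc_lines(payload: bytes) -> Iterator[dict]:
    """Stratum is newline-delimited JSON-RPC; yield each line that parses to an object."""
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if isinstance(obj, dict):
            yield obj


def stratum_indicators(payload: bytes) -> list:
    """Return the stratum indicators found in one payload (empty list if none)."""
    found = []
    for obj in iter_jsonrpc_lines(payload):
        method = obj.get("method")
        if isinstance(method, str) and method in STRATUM_METHODS:
            found.append(f"method:{method}")
            params = obj.get("params")
            if isinstance(params, dict) and isinstance(params.get("agent"), str):
                found.append(f"agent:{params['agent']}")   # XMRig reports its version here
        result = obj.get("result")
        if isinstance(result, dict) and "job" in result:
            found.append("server_job")                      # pool handing out work
    return found


def classify_flows(flows: list) -> list:
    """Return (index, "dst:port", indicators) for every flow that carries stratum traffic."""
    out = []
    for i, flow in enumerate(flows):
        indicators = stratum_indicators(flow["payload"])
        if indicators:
            out.append((i, f"{flow['dst']}:{flow['dport']}", indicators))
    return out


if __name__ == "__main__":
    for idx, endpoint, indicators in classify_flows(FLOWS):
        print(idx, endpoint, indicators)
```

This only works on cleartext stratum; XMRig can wrap the same JSON in TLS, in which case the pool hostname in the TLS SNI, the destination reputation and host-side indicators (the WinRing0x64.sys driver drop, the firmware-table queries) carry the detection instead.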
Threat name: Win64.Malware.Heuristic
Status: Malicious
First seen: 2025-06-10 15:41:22 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 6 of 36 (16.67%)
Threat level: 2/5
Verdict: malicious
Label(s): hacktool_defendernot
Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery execution persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
UAC bypass
Unpacked files
SHA256 hash: 1c453909c154042ba5cdafd9fe20e52013690dac89e4786e6abf874359fdd34a
MD5 hash: 746e942b0393e4cebe7098bc38e8d22f
SHA1 hash: dc284fcc3c8469e0690ef914796cbb83b923e612
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create false positives)

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
CoinMiner   Executable exe   1c453909c154042ba5cdafd9fe20e52013690dac89e4786e6abf874359fdd34a   (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                             Severity
CHECK_AUTHENTICODE          Missing Authenticode                              high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (GUARD_CF)   high

Reviews
ID                   Capabilities                      Evidence
AUTH_API             Manipulates User Authorization    ADVAPI32.dll::AllocateAndInitializeSid
                                                       ADVAPI32.dll::FreeSid
SECURITY_BASE_API    Uses Security Base API            ADVAPI32.dll::CheckTokenMembership
SHELL_API            Manipulates System Shell          SHELL32.dll::ShellExecuteW
                                                       SHELL32.dll::ShellExecuteExW
WIN32_PROCESS_API    Can Create Process and Threads    KERNEL32.dll::CloseHandle
                                                       WINHTTP.dll::WinHttpCloseHandle
WIN_BASE_API         Uses Win Base API                 KERNEL32.dll::TerminateProcess
                                                       KERNEL32.dll::LoadLibraryExW
                                                       KERNEL32.dll::GetSystemInfo
                                                       KERNEL32.dll::GetStartupInfoW
                                                       KERNEL32.dll::GetCommandLineA
                                                       KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API    Can Execute other programs        KERNEL32.dll::WriteConsoleW
                                                       KERNEL32.dll::ReadConsoleW
                                                       KERNEL32.dll::SetStdHandle
                                                       KERNEL32.dll::GetConsoleWindow
                                                       KERNEL32.dll::GetConsoleOutputCP
                                                       KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API      Can Create Files                  KERNEL32.dll::CreateDirectoryW
                                                       KERNEL32.dll::CreateFileW
                                                       KERNEL32.dll::GetWindowsDirectoryW
                                                       KERNEL32.dll::FindFirstFileW
WIN_BASE_USER_API    Retrieves Account Information     ADVAPI32.dll::GetUserNameW
WIN_HTTP_API         Uses HTTP services                WINHTTP.dll::WinHttpConnect
                                                       WINHTTP.dll::WinHttpCrackUrl
                                                       WINHTTP.dll::WinHttpOpen
                                                       WINHTTP.dll::WinHttpOpenRequest
                                                       WINHTTP.dll::WinHttpReadData
                                                       WINHTTP.dll::WinHttpReceiveResponse
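Both high-severity BLint findings are decided from the PE optional header alone: the Authenticode check looks at the certificate-table data directory (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4), and the GUARD_CF check at bit 0x4000 of DllCharacteristics. The Python below is an added example for this page and is not BLint's code or the sample. Because the sample itself is not reproduced here, it constructs a minimal PE32+ header (not a loadable image) to parse; the builder, the two sample blobs and the finding texts are this example's own.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification (subset).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
GUARD_CF = 0x4000
SECURITY_DIRECTORY_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def pe_security_properties(data: bytes) -> dict:
    """Read DllCharacteristics and the certificate-table directory entry from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                                   # the COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                # PE32+
        ndirs_off, dirs_off = 108, 112
    elif magic == 0x10B:                              # PE32
        ndirs_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]    # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    cert_size = 0
    if ndirs > SECURITY_DIRECTORY_INDEX:
        # For this entry the first field is a file offset rather than an RVA; only the size matters here.
        _, cert_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIRECTORY_INDEX)
    flags = sorted(name for bit, name in DLL_CHARACTERISTICS.items() if dllchars & bit)
    findings = []
    if cert_size == 0:
        findings.append("CHECK_AUTHENTICODE: no certificate table (file is unsigned)")
    if not dllchars & GUARD_CF:
        findings.append("CHECK_DLL_CHARACTERISTICS: GUARD_CF not set")
    return {
        "pe32plus": magic == 0x20B,
        "dll_characteristics": flags,
        "has_authenticode": cert_size > 0,
        "findings": findings,
    }


def build_pe64_header(dll_characteristics: int, cert_size: int) -> bytes:
    """Constructed minimal PE32+ header used only to exercise the parser (not a loadable image)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)        # 64-byte DOS header
    opt_size = 112 + 16 * 8                                                 # PE32+ with 16 data dirs
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x0022)    # AMD64, 1 section, EXE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                                   # Magic: PE32+
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108, 16)                                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIRECTORY_INDEX,
                     0x1000 if cert_size else 0, cert_size)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


# Two constructed blobs: one with the properties BLint reported missing above, one with both present.
UNSIGNED_NO_CFG = build_pe64_header(0x0020 | 0x0040 | 0x0100, cert_size=0)
SIGNED_WITH_CFG = build_pe64_header(0x0020 | 0x0040 | 0x0100 | GUARD_CF, cert_size=0x1200)

if __name__ == "__main__":
    for name, blob in (("unsigned_no_cfg", UNSIGNED_NO_CFG), ("signed_with_cfg", SIGNED_WITH_CFG)):
        print(name, pe_security_properties(blob))
```

Two caveats when reading the result: a non-empty certificate table only proves a signature blob is attached, so a file that passes this check still needs the signature verified (signtool verify or Get-AuthenticodeSignature) before it is trusted; and the GUARD_CF bit records that the linker was asked for CFG, which the loader only enforces when the load-configuration directory is also present, so the flag is a linting signal rather than proof of mitigation.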

Comments