MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20dc254b66b8616088c5122b29211d7102306484b550f75caee7ec9b2a02e71f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 16


Intelligence 16 IOCs YARA 36 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20dc254b66b8616088c5122b29211d7102306484b550f75caee7ec9b2a02e71f
SHA3-384 hash: e170dc884e0a747a1af7783c20ab619fa1bff796f751f00c1a9915ea577bab42eeaabc0deb566f9cd9b89967d8f227e7
SHA1 hash: 0fcd796d6caec82be82ec07480513d28c036a68e
MD5 hash: a98c150c2f4a46f58503495b71137fb0
humanhash: fourteen-bacon-nineteen-video
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:11'268'608 bytes
First seen:2026-03-02 11:18:38 UTC
Last seen:2026-03-02 23:20:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4794687cac0beee76bb775325b829d22 (1 x CoinMiner)
ssdeep 196608:k8AJgyeuPivvI4+7IDSJB9CL8PxLrIyrIuUVqmLqBILER1wpbmoP5:jzvvIpIDSJAg3IywtkA5
Threatray 19 similar samples on MalwareBazaar
TLSH T176B63319FD9359BAC593A97118AFB37AE7361A0E0607D9F7CF901DA0ED7B7020924306
TrID 39.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
21.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
8.3% (.EXE) Win64 Executable (generic) (6522/11/2)
6.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter Bitsight
Tags:CoinMiner dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://130.12.180.43/files/7725193537/BTCWtnO.exe

Intelligence

File Origin
# of uploads :
27
# of downloads :
195
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-03-02 11:21:16 UTC
Tags:
salatstealer stealer miner xmrig susp-powershell donutloader loader auto-reg ms-smartcard
Link:
https://app.any.run/tasks/26d02f22-ca04-46b5-a0a3-f908191aca65

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/55229/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a57238002d37d5c982a6af
Tags:
xmrig virus shell overt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Sending a UDP request
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a service
Launching a service
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Enabling autorun for a service
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm barys packed rust
Link:
https://www.filescan.io/uploads/69a57233cd25bfe1dfddfbdf/reports/b02b19a3-bd63-48e9-9233-d0b8634fb067/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/20dc254b66b8616088c5122b29211d7102306484b550f75caee7ec9b2a02e71f
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5ed52ef-43e6-44b4-9f8d-c4976468f457
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/20dc254b66b8616088c5122b29211d7102306484b550f75caee7ec9b2a02e71f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20dc254b66b8616088c5122b29211d7102306484b550f75caee7ec9b2a02e71f/
Verdict:
Malicious
Threat:
Family.SALATSTEALER
Link:
https://tip.neiki.dev/file/20dc254b66b8616088c5122b29211d7102306484b550f75caee7ec9b2a02e71f
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-03-02 11:19:22 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=edocks3gxbqwbcgfcivssii5oebdazeewvipoxfo47wjwkqc44pq._file
Verdict:
malicious
Label(s):
salatstealer
Create hunting rule
Similar samples:
1b03cd6ad141fe183fde097bf9030deaaa33b5b221bfa8d011b21454c0571816
CoinMiner
1eb86f440903f1b5303320c4b662ba0e2f0048c896759916b2e226701e58e9a1
CoinMiner
736ff0c6bd7151db3c9d22adb2bab14b4f8711bceafc02c9193ec13b347e6eba
CoinMiner
760338a60eeb0e10681d101beebb567c2e380eb3afcf8bc58ecf8a9fe2d838f8
CoinMiner
9b21cf772c011513630d2c5c43bdc3a7e1e497f410216b9afbf3ad396f38df33
CoinMiner
error
CoinMiner
+ 9 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig credential_access defense_evasion discovery execution miner persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/260302-neyekaet9g/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Command and Scripting Interpreter: PowerShell
Windows security bypass
XMRig Miner payload
Xmrig family
xmrig
Unpacked files
SH256 hash:
20dc254b66b8616088c5122b29211d7102306484b550f75caee7ec9b2a02e71f
MD5 hash:
a98c150c2f4a46f58503495b71137fb0
SHA1 hash:
0fcd796d6caec82be82ec07480513d28c036a68e
Link:
https://www.unpac.me/results/2df671e5-896e-46e3-b9c3-df66434fb9dd/
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/20dc254b66b8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20dc254b66b8616088c5122b29211d7102306484b550f75caee7ec9b2a02e71f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifacts associated with disabling Widnows Defender
Rule name:MacOS_Cryptominer_Xmrig_241780a1
Create hunting rule
Author:Elastic Security
Rule name:MALWARE_Win_CoinMiner02
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware
Rule name:MAL_XMR_Miner_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MAL_XMR_Miner_May19_1_RID2E1B
Create hunting rule
Author:Florian Roth
Description:Detects Monero Crypto Coin Miner
Reference:https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multi_Cryptominer_Xmrig_f9516741
Create hunting rule
Author:Elastic Security
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:rig_win64_xmrig_6_13_1_xmrig
Create hunting rule
Author:yarGen Rule Generator
Description:rig_win64 - file xmrig.exe
Reference:https://github.com/Neo23x0/yarGen
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:Windows_Cryptominer_Generic_f53cfb9b
Create hunting rule
Author:Elastic Security
Rule name:XMRIG_Monero_Miner
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Monero mining software
Reference:https://github.com/xmrig/xmrig/releases
Rule name:xmrig_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 20dc254b66b8616088c5122b29211d7102306484b550f75caee7ec9b2a02e71f

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/55229/
  
URLhaus
https://urlhaus.abuse.ch/url/3788525/
  
URLhaus
https://urlhaus.abuse.ch/url/3788529/

Comments