MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bbd691e69efca373365776e38c44d93c7ce075deca99d0abd79305b55c64444. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bbd691e69efca373365776e38c44d93c7ce075deca99d0abd79305b55c64444
SHA3-384 hash: c76ef6d143e5528a801b14f95e18ea6fed38283eaf46501b9717ac59e74314534caf2fe95fafed5745d2c850d5d6ee32
SHA1 hash: 0611976e7afc08b469a8c66416c848f6e1f0a01e
MD5 hash: fa3a27b70958cf7cb052c37d0399c9b3
humanhash: nevada-july-maine-eighteen
File name:WSSecurity.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'041'344 bytes
First seen:2026-01-06 10:12:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (89 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:FwvxxaN7B+rdEtrUanbuioy80uiVZ900vfOsfmxxG:FwvPa2rdYU6yk39Os+jG
Threatray 125 similar samples on MalwareBazaar
TLSH T1F495337C8D2F81EED9817C3BB619F43904B28068D7C491A67CEB76E9D42506C72E4B17
TrID 55.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
6.7% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
https://github.com/JLeaker2/sexo2/blob/main/main.exe
Verdict:
Malicious activity
Analysis date:
2025-12-22 17:00:52 UTC
Tags:
github python evasion stealer luna anti-evasion loader arch-doc pyinstaller websocket ip-check golang sparkrat rat
Link:
https://app.any.run/tasks/67575464-d27b-4432-83e0-262e9528e35b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47839/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695ce043d2357cccc3dff50f
Tags:
autorun virus shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt donut packed
Link:
https://www.filescan.io/uploads/695ce0406c350eb0b6f686d4/reports/01fb206f-bf88-46e4-bf9d-1fd0156423b6/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2bbd691e69efca373365776e38c44d93c7ce075deca99d0abd79305b55c64444
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-29T09:16:00Z UTC
Last seen:
2026-01-07T18:23:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Win64.Donut.pef HEUR:Trojan.Win32.Generic Trojan.Win64.Inject.sb Trojan.Win64.DonutInjector.sb Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Inject.sb HEUR:Trojan.Win64.DonutInjector.gen
Link:
https://opentip.kaspersky.com/2bbd691e69efca373365776e38c44d93c7ce075deca99d0abd79305b55c64444/results?tab=lookup
Malware family:
Donut Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78d4b415-08c9-4193-a4d0-b294dfdf88ad
Result
Threat name:
BitCoin Miner, SilentXMRMiner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1845393
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1845393 Sample: WSSecurity.exe Startdate: 06/01/2026 Architecture: WINDOWS Score: 100 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 5 other signatures 2->60 11 WSSecurity.exe 2->11         started        14 WSSecurity.exe 2->14         started        process3 signatures4 72 Writes to foreign memory regions 11->72 74 Allocates memory in foreign processes 11->74 76 Creates a thread in another existing process (thread injection) 11->76 16 conhost.exe 5 11->16         started        78 Antivirus detection for dropped file 14->78 80 Multi AV Scanner detection for dropped file 14->80 20 conhost.exe 3 14->20         started        process5 file6 46 C:\Users\user\AppData\...\WSSecurity.exe, PE32+ 16->46 dropped 48 C:\Users\...\WSSecurity.exe:Zone.Identifier, ASCII 16->48 dropped 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->52 22 cmd.exe 1 16->22         started        24 cmd.exe 1 16->24         started        27 WerFault.exe 20 16 20->27         started        signatures7 process8 signatures9 29 WSSecurity.exe 22->29         started        32 conhost.exe 22->32         started        62 Uses schtasks.exe or at.exe to add and modify task schedules 24->62 34 conhost.exe 24->34         started        36 schtasks.exe 1 24->36         started        process10 signatures11 82 Writes to foreign memory regions 29->82 84 Allocates memory in foreign processes 29->84 86 Creates a thread in another existing process (thread injection) 29->86 38 conhost.exe 4 29->38         started        process12 file13 50 C:\Users\user\AppData\...\sihost32.exe, PE32+ 38->50 dropped 41 sihost32.exe 38->41         started        process14 signatures15 64 Antivirus detection for dropped file 41->64 66 Multi AV Scanner detection for dropped file 41->66 68 Writes to foreign memory regions 41->68 70 3 other signatures 41->70 44 conhost.exe 2 41->44         started        process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2bbd691e69efca373365776e38c44d93c7ce075deca99d0abd79305b55c64444
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/fa3a27b70958cf7cb052c37d0399c9b3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2bbd691e69efca373365776e38c44d93c7ce075deca99d0abd79305b55c64444/
Verdict:
Malicious
Threat:
Family.COINMINER
Link:
https://tip.neiki.dev/file/2bbd691e69efca373365776e38c44d93c7ce075deca99d0abd79305b55c64444
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2025-12-02 23:39:15 UTC
File Type:
PE+ (Exe)
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fo6wshtj57fdom3fo5xdrrcnspd44b255suz2cv5peyfwvogirca._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
2bbd691e69efca373365776e38c44d93c7ce075deca99d0abd79305b55c64444
CoinMiner
53635c2b43f8d87aa8305a1906b2b25dfb204637101bef51d7f734289d5513f1
CoinMiner
75a68ccf94d77bd6b321a5aac66a93cf16624da85e14bb16458559434992a0be
CoinMiner
aa3444054be8d8f795d96ee3cea05e8038293cb27c951b00d82d5033d3437539
CoinMiner
be6928a5935f0b49ec86015be3f600a635d3aef55f602827a7104a661b13200a
CoinMiner
error
CoinMiner
+ 115 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260106-mln9ssgs5h/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dafc2fcf-f3c0-4142-9ffe-03ff2a2e166e
Unpacked files
SH256 hash:
2bbd691e69efca373365776e38c44d93c7ce075deca99d0abd79305b55c64444
MD5 hash:
fa3a27b70958cf7cb052c37d0399c9b3
SHA1 hash:
0611976e7afc08b469a8c66416c848f6e1f0a01e
Link:
https://www.unpac.me/results/e2816707-af38-4583-b645-ed833261f02d/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2bbd691e69ef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/2bbd691e69efca373365776e38c44d93c7ce075deca99d0abd79305b55c64444

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 2bbd691e69efca373365776e38c44d93c7ce075deca99d0abd79305b55c64444

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3751258/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/47839/

Comments