MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 16

Intelligence 16 IOCs YARA 8 File information Comments

SHA256 hash:	2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347
SHA3-384 hash:	351ab3792b8e97d8dcca50dd7ad6ec4a7c758a040db277b3116064df9fcb4e5bca1c45763d39644ded08c2c62263080b
SHA1 hash:	4731feb01d22764ef8ac79e12b23541927487329
MD5 hash:	b806b48f24ea908350285941972e2a94
humanhash:	solar-green-lima-burger
File name:	hack_game.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	18'637'824 bytes
First seen:	2026-02-11 12:17:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2b4a9a9cf090b9abc323b2037a41ed31 (1 x CoinMiner)
ssdeep	49152:vriz7S0kk0Q6Wda2C9Zpt44FIM2EScChdC1lhNiCyoQcJ7YR3L0HmJY18cJFk9nK:+CXV
Threatray	3 similar samples on MalwareBazaar
TLSH	T1B7177C269F805B8AF6DC0CABC07D1A1B6BF36780D0B3F2CD67926503269FE1C5729558
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	burger
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

https://www.mediafire.com/file/wnx87sit7z7jcqz/cheatt_gamer.rar/file

Verdict:

Malicious activity

Analysis date:

2026-02-04 18:53:13 UTC

Tags:

possible-phishing

Link:

https://app.any.run/tasks/bf0f7eae-2fb8-4a7d-ab20-494a62939a03

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/52996/

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=698c738c38c84aca0d32e1af

Tags:

vmdetect autorun

Result

Verdict:

Malware

Maliciousness:

Behaviour

Running batch commands

Launching a process

Creating a file in the Program Files subdirectories

Creating a window

DNS request

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

QD:Trojan.GenericQ

Link:

https://www.hybrid-analysis.com/sample/2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347

Verdict:

Adware

File Type:

exe x64

First seen:

2026-02-01T04:48:00Z UTC

Last seen:

2026-02-11T20:54:00Z UTC

Hits:

~10

Detections:

RiskTool.Miner.UDP.C&C not-a-virus:RiskTool.Win32.Miner.raj

Link:

https://opentip.kaspersky.com/2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1867362

Signature

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges

Uses schtasks.exe or at.exe to add and modify task schedules

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347/

Verdict:

Malicious

Threat:

Family.XMRIG

Link:

https://tip.neiki.dev/file/2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347

Threat name:

Win64.Trojan.Kepavll

Status:

Malicious

First seen:

2026-02-01 09:32:30 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fxogbymys2ftw2rmsah2ejooy37tgqhgpfzox45zje4eepz52ndq._file

Verdict:

malicious

Label(s):

xmrig

CoinMiner

2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347

CoinMiner

error

CoinMiner

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig execution miner persistence

Link:

https://tria.ge/reports/260211-pgqceahz3d/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Drops file in Program Files directory

Suspicious use of SetThreadContext

Executes dropped EXE

Badlisted process makes network request

XMRig Miner payload

Xmrig family

xmrig

Unpacked files

SH256 hash:

2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347

MD5 hash:

b806b48f24ea908350285941972e2a94

SHA1 hash:

4731feb01d22764ef8ac79e12b23541927487329

Link:

https://www.unpac.me/results/793256dd-1fbd-4c84-9f9f-ad184028df1c/

SH256 hash:

d06238a4fc7bfded8e86b0fb4a49b3d968e6f8edec949e8ac0a19617447891b7

MD5 hash:

87451abe2cd7ac32dc723997c1341c19

SHA1 hash:

dda81b39a86bfc833981a58dc7a68da859f74d6c

Detections:

XMRig

MAL_XMR_Miner_May19_1

XMRIG_Monero_Miner

MALWARE_Win_CoinMiner02

Link:

https://www.unpac.me/results/793256dd-1fbd-4c84-9f9f-ad184028df1c/

Parent samples :

c290ed8fbc2d5e378e4cf17edbf901898d35acc1c414ccfb49fe137e9d9532b9
2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347

Malware family:

XMRig

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2ddc60e19896/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SUSP_Double_Base64_Encoded_Executable_RID34CC Create hunting rule
Author:	Florian Roth
Description:	Detects an executable that has been encoded with base64 twice
Reference:	https://twitter.com/TweeterCyber/status/1189073238803877889

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

CoinMiner

exe c290ed8fbc2d5e378e4cf17edbf901898d35acc1c414ccfb49fe137e9d9532b9

CoinMiner

exe 2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347

(this sample)

Cape

https://www.capesandbox.com/analysis/52996/

Dropped by

SHA256 c290ed8fbc2d5e378e4cf17edbf901898d35acc1c414ccfb49fe137e9d9532b9

Dropped by

MD5 690ab644317d2c7bb4605691846a6241

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample