MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e17dd7bbccc6e65bbdb950082fe456632fd99ff060bcfe07226774e730688a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 15

Intelligence 15 IOCs YARA 11 File information Comments

SHA256 hash:	2e17dd7bbccc6e65bbdb950082fe456632fd99ff060bcfe07226774e730688a4
SHA3-384 hash:	976810c1455c9b42b4a479f92024c66c573fd04a20b4b0f5048cabd42c0e0a7087cd0bd5d1497f0bae8d9f5af00aff60
SHA1 hash:	74014da306af611eb2721a53854c1a9b75f1b74a
MD5 hash:	b9081d6e610e48db8092b812ee2ef174
humanhash:	two-oxygen-minnesota-don
File name:	SecuriteInfo.com.PUA.Tool.BtcMine.2799.25127.4403
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	6'579'209 bytes
First seen:	2025-11-06 00:35:43 UTC
Last seen:	2025-11-06 01:20:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c6d4063efc1eea7d5163a7cb25a07083 (2 x CoinMiner)
ssdeep	98304:0tLMInJpLjDTefBAltFrPfjheuizYZvapOmRe9B9:ALHnJp3DTHvUYt
Threatray	7 similar samples on MalwareBazaar
TLSH	T1C2666D8329CB0DE6DDC737B875D32339A775FD62CD2A1E6A9644C13069632C06E2EB50
TrID	51.0% (.EXE) UPX compressed Win64 Executable (70117/5/12) 19.7% (.EXE) UPX compressed Win32 Executable (27066/9/6) 12.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 7.6% (.EXE) Win64 Executable (generic) (10522/11/4) 3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

bomb.exe

Verdict:

Malicious activity

Analysis date:

2025-11-06 00:23:01 UTC

Tags:

anti-evasion loader auto-reg pastebin arch-exec auto coinminer miner winring0-sys vuln-driver stealer stealc vidar generic purelogs autoit auto-startup logmeinrescue rmm-tool auto-sch darkvision remote gcleaner antivm golang xor-url rat xmrig

Link:

https://app.any.run/tasks/95add0e5-1337-430d-a6e3-e9cc197f6a95

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35575/

Detection(s):

SecuriteInfo.com.PUA.Tool.BtcMine.2799.25127.4403.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690bed8c5a5ed7864e234ac6

Tags:

injection dropper crypt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Gathering data

Verdict:

Malicious

Labled as:

Win64/CoinMiner.IZ potentially unwanted application

Link:

https://www.hybrid-analysis.com/sample/2e17dd7bbccc6e65bbdb950082fe456632fd99ff060bcfe07226774e730688a4

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-05T21:50:00Z UTC

Last seen:

2025-11-06T10:23:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/2e17dd7bbccc6e65bbdb950082fe456632fd99ff060bcfe07226774e730688a4/results?tab=lookup

Malware family:

XMRig Miner

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9d0daf6c-c962-47a5-a031-e82f2b57a8d1

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2e17dd7bbccc6e65bbdb950082fe456632fd99ff060bcfe07226774e730688a4

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/b9081d6e610e48db8092b812ee2ef174

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e17dd7bbccc6e65bbdb950082fe456632fd99ff060bcfe07226774e730688a4/

Threat name:

Win64.Trojan.Amadey

Status:

Malicious

First seen:

2025-11-06 00:36:22 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fyl52654zrxglo63suaif7sfmyzp3gp7ayf47ydsez3u44ygrcsa._file

Verdict:

malicious

Label(s):

xmrig

CoinMiner

4653c9115c8cb40430cb89e38440047efa8f44745d1d3b761ed936b63500949f

CoinMiner

886e6def15a81553712164f5f8e4a0c831c9ba7cd4e281bce8f2a5f3e4906658

CoinMiner

bdb21a7f3ea3e2b79dc1b0882f47aecce8cb7b2b592298d94e6e3fc32cdbc1ab

CoinMiner

error

CoinMiner

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner persistence upx

Link:

https://tria.ge/reports/251106-ax2m2sep6x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

UPX packed file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Cryptocurrency Miner

XMRig Miner payload

Xmrig family

xmrig

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a6020e25-2515-4b2c-b445-3c50ea335b67

Unpacked files

SH256 hash:

2e17dd7bbccc6e65bbdb950082fe456632fd99ff060bcfe07226774e730688a4

MD5 hash:

b9081d6e610e48db8092b812ee2ef174

SHA1 hash:

74014da306af611eb2721a53854c1a9b75f1b74a

Link:

https://www.unpac.me/results/8e9ee08f-6cec-43ac-af3b-18014483ae63/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2e17dd7bbccc6e65bbdb950082fe456632fd99ff060bcfe07226774e730688a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downlaoders) containing URLs to raw contents of a paste

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Rooter Create hunting rule
Author:	Seth Hardy
Description:	Rooter

Rule name:	RooterStrings Create hunting rule
Author:	Seth Hardy
Description:	Rooter Identifying Strings

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35575/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample