MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 18


Intelligence 18 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06
SHA3-384 hash: 5ae0ceea9326803629e83d28153c2430ec7a361b6d1f111ffe7cc9e15e8bb662c61b09de127f943c8777317467561fc5
SHA1 hash: d5db50217b873976ffbf6e30d21a451d8ddac1ac
MD5 hash: b8b7a103484504636148673a44eca835
humanhash: bulldog-chicken-bacon-eleven
File name:926ab7d10da645f08b9d109b5bab77c8_bound_build.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:12'350'249 bytes
First seen:2025-09-09 16:12:36 UTC
Last seen:2025-09-09 19:18:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4b1892ce4fbcfcf064c6f69d693fc6a5 (10 x Rhadamanthys, 4 x AgentTesla, 3 x QuasarRAT)
ssdeep 196608:e0E3pxFTTmYicGoo47NA6wPawJLDYXKlIZ:rGDTToE7NGLDYXwIZ
Threatray 65 similar samples on MalwareBazaar
TLSH T1E2C6AD12F2FD01E8E5BBC178C667551BE7B27855132097DF52A08A692F23BE06E3D321
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
89
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
Start.exe
Verdict:
Malicious activity
Analysis date:
2025-09-09 16:07:33 UTC
Tags:
loader miner xmrig anti-evasion stealer
Link:
https://app.any.run/tasks/f45c5e5f-b45c-4ea7-8726-0a4250f5e05b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26528/
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.75752115.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c0523cb200525988793ad4
Tags:
trojan spoof spawn crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Connection attempt
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug fingerprint microsoft_visual_cc overlay overlay packed
Link:
https://www.filescan.io/uploads/68c05238cfa59bfdc7f5e30d/reports/7f35c451-fb12-4fa4-acb7-dbb33de452a4/overview
Verdict:
Malicious
Labled as:
Trojan.Win64.Agent
Link:
https://www.hybrid-analysis.com/sample/30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-09T13:12:00Z UTC
Last seen:
2025-09-09T13:12:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06/results?tab=lookup
Gathering data
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1774158
Signature
Antivirus detection for dropped file
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found stalling execution ending in API Sleep call
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Xmrig
Switches to a custom stack to bypass stack traces
Uses known network protocols on non-standard ports
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1774158 Sample: 926ab7d10da645f08b9d109b5ba... Startdate: 09/09/2025 Architecture: WINDOWS Score: 100 68 pool.supportxmr.com 2->68 70 pool-phx.supportxmr.com 2->70 90 Sigma detected: Xmrig 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for dropped file 2->94 96 6 other signatures 2->96 11 926ab7d10da645f08b9d109b5bab77c8_bound_build.exe 5 2->11         started        14 DataSyncHost.exe 1 2->14         started        16 DataSyncHost.exe 1 2->16         started        signatures3 process4 file5 62 C:\Users\user\AppData\Local\...\zflsd19p.exe, PE32+ 11->62 dropped 64 C:\Users\user\AppData\Local\...\jzrqup43.exe, PE32+ 11->64 dropped 18 jzrqup43.exe 15 11->18         started        23 zflsd19p.exe 15 11->23         started        25 conhost.exe 11->25         started        27 conhost.exe 14->27         started        29 conhost.exe 16->29         started        process6 dnsIp7 72 91.108.241.80, 49691, 49692, 49693 WSTELECOM_FRANCEFR Iraq 18->72 52 C:\Users\user\AppData\Local\...\tjgajdjrg.exe, PE32+ 18->52 dropped 54 2441ad99bc98451e8e...96e27b_miner[1].exe, PE32+ 18->54 dropped 98 Found API chain indicative of debugger detection 18->98 31 tjgajdjrg.exe 1 3 18->31         started        56 C:\Users\user\AppData\Local\...\tjgajdjrg.exe, PE32 23->56 dropped 58 051e910c9d3249d584...rypted_build[1].exe, PE32 23->58 dropped 35 tjgajdjrg.exe 16 23->35         started        file8 signatures9 process10 dnsIp11 66 C:\Users\user\AppData\...\DataSyncHost.exe, PE32+ 31->66 dropped 80 Multi AV Scanner detection for dropped file 31->80 38 DataSyncHost.exe 4 31->38         started        42 conhost.exe 31->42         started        74 62.60.158.10 IROST-ASIR Iran (ISLAMIC Republic Of) 35->74 76 62.60.158.37 IROST-ASIR Iran (ISLAMIC Republic Of) 35->76 82 Antivirus detection for dropped file 35->82 84 Found stalling execution ending in API Sleep call 35->84 86 Found API chain indicative of sandbox detection 35->86 88 2 other signatures 35->88 44 conhost.exe 35->44         started        file12 signatures13 process14 file15 60 C:\Users\user\AppData\...\msedge_updater.exe, PE32+ 38->60 dropped 100 Multi AV Scanner detection for dropped file 38->100 46 msedge_updater.exe 1 38->46         started        signatures16 process17 dnsIp18 78 pool-phx.supportxmr.com 107.167.92.130 IOFLOODUS United States 46->78 102 Antivirus detection for dropped file 46->102 104 Multi AV Scanner detection for dropped file 46->104 106 Query firmware table information (likely to detect VMs) 46->106 50 conhost.exe 46->50         started        signatures19 process20
Score:
69%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
.Net Executable Html Javascript in Html PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/b8b7a103484504636148673a44eca835
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-09 16:14:38 UTC
File Type:
PE+ (Exe)
Extracted files:
15
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=garvasmdttj53636kdukldz5bqvf375kmmwgogux3yjo2hp2nida._file
Verdict:
malicious
Label(s):
xmrig
Create hunting rule
Similar samples:
252918aaa98f25a1cc128e8eebb27905ded606d4eb04285abbf5344ff51947ba
CoinMiner
30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06
CoinMiner
556d8ed53e1015b4d40383198e5a787e022fa26dc132820fc053e55ec28317b7
CoinMiner
7215b48548bba5e5502aa68bb83c51c3fdbb30978e7cd2f5b44898886218d085
CoinMiner
a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af
CoinMiner
ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5
CoinMiner
error
CoinMiner
+ 55 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:rhadamanthys discovery loader stealer
Link:
https://tria.ge/reports/250909-tpem4axyew/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Executes dropped EXE
Downloads MZ/PE file
Detects DonutLoader
Detects Rhadamanthys Payload
DonutLoader
Donutloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/920f39cd-3674-4110-a52c-486d6351bb8a
Unpacked files
SH256 hash:
33c75708915a4da1096034f04b5531a5985ce1188a73d3b98135ba1804c217a9
MD5 hash:
abedfa6a0db84fec68715015f7f6475b
SHA1 hash:
1671484c3714d37212760b4cd0ff43a8bd5fc344
Link:
https://www.unpac.me/results/0ea97f5a-9ee8-411e-8d95-ef290a7ed565/
SH256 hash:
c9e2f9f04aded97ac6902991397dd78f17b651d08dc5f29d8e889dbd5c02746c
MD5 hash:
85702891b04babe57938cd3b7b4633f2
SHA1 hash:
714cca53fc171a812fc45813057ad7753d2cc678
Link:
https://www.unpac.me/results/0ea97f5a-9ee8-411e-8d95-ef290a7ed565/
SH256 hash:
37bead9a87d704618ad1f507d833d311a914afd166fa7db526a5d3885f6f8ad4
MD5 hash:
c5b656dec98ffc25c33ebd44773ecdea
SHA1 hash:
bf1783dec6d0aae1c2c9a73e5aa3596fd0c4e942
Link:
https://www.unpac.me/results/0ea97f5a-9ee8-411e-8d95-ef290a7ed565/
SH256 hash:
4f56c74032b71f5e523667f0cad97de31aefb53fd1b7f4c886a7a99fe2407a30
MD5 hash:
712ce730f96f8d5b1e5d8b4b41eca6aa
SHA1 hash:
37cf3a2307d7d84b70528ca71005fc04fb56bdd2
Link:
https://www.unpac.me/results/0ea97f5a-9ee8-411e-8d95-ef290a7ed565/
SH256 hash:
b910006cea197f661c19638e3b2c8cc6033e13cb87c91e6fd7e4b59b9e3ab335
MD5 hash:
71867d25f47d64416c00b201aa34961a
SHA1 hash:
2b837fc662c757c9b91a9fb8893498b08414ce1c
Link:
https://www.unpac.me/results/0ea97f5a-9ee8-411e-8d95-ef290a7ed565/
SH256 hash:
c05d685863850917187b7282aa9739b23d5b967cac411c1fbe122b13a24ce5fa
MD5 hash:
ba95de25f100739f3b28e0b80165e643
SHA1 hash:
e8b992ad23e4fac1698a530d835fd086a80cf238
Link:
https://www.unpac.me/results/0ea97f5a-9ee8-411e-8d95-ef290a7ed565/
SH256 hash:
1105504e9509d59047685ba48197791657aa861b887a84bf1089fc98c7a2a3c0
MD5 hash:
c52626726021b19dc8a2f06907b0df54
SHA1 hash:
1b6dfb266923aa99c8f6c6031872ee70903c221c
Link:
https://www.unpac.me/results/0ea97f5a-9ee8-411e-8d95-ef290a7ed565/
SH256 hash:
b785b5c9614deb53d722be38cfa949d5b0bc360d105c4d53a1be4f648324892c
MD5 hash:
c683830ecc56a96cf9047f4ea19904e1
SHA1 hash:
8f57bb573a537bc29bf6387474c57252b965dbeb
Link:
https://www.unpac.me/results/0ea97f5a-9ee8-411e-8d95-ef290a7ed565/
SH256 hash:
30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06
MD5 hash:
b8b7a103484504636148673a44eca835
SHA1 hash:
d5db50217b873976ffbf6e30d21a451d8ddac1ac
Link:
https://www.unpac.me/results/0ea97f5a-9ee8-411e-8d95-ef290a7ed565/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/30235049839c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:ducktail
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked ducktail malware samples.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

CoinMiner

Executable exe ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5

CoinMiner

Executable exe 30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06

(this sample)

  
Dropped by
SHA256 ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5
  
Delivery method
Distributed via web download
  
Dropped by
MD5 b9cc2958936a7f0fd5b7ec7ae1165e47
Cape
Cape
https://www.capesandbox.com/analysis/26528/
  
URLhaus
https://urlhaus.abuse.ch/url/3620889/

Comments