MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31f8844ec94d14c27c94b4abad2a5712a32f39bcc88156a72fbcdb24a653f789. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CoinMiner
Vendor detections: 19



SHA256 hash: 31f8844ec94d14c27c94b4abad2a5712a32f39bcc88156a72fbcdb24a653f789
SHA3-384 hash: b7a7fddee6c2729fa5c56a6f97e01240ec69479f8bc65d54de650afac307f0cd59cbec6206f7dd7f844b50017faa79e2
SHA1 hash: 2d0b6339557ec80daf8dfb9122fba6ef395843f0
MD5 hash: 4be94394ffbfd7c68d9bdaeeae9a51bb
humanhash: fruit-double-pluto-uniform
File name: start.bat.exe
Signature: CoinMiner
File size: 7'214'592 bytes
First seen: 2025-10-04 10:44:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d59a4a699610169663a929d37c90be43 (75 x DCRat, 22 x njrat, 15 x SalatStealer)
ssdeep: 98304:1YANCskmKXolue4ZRzR/ilFgVVH30af8WnV762P6AV2yYSFsSYC:CAN3Ku4L1/ijOVX0EFnNViByVySYC
Threatray: 242 similar samples on MalwareBazaar
TLSH: T13A7612BAA174D1A8E430ED36DE768A34D5E17B33CFF086C702507AA177214C85F6BA64
TrID: 53.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      20.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      8.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      4.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: aachum
Tags: CoinMiner exe RUS SalatStealer


iamaachum
https://www.youtube.com/post/UgkxdduRdqEl-FurMLYyHfdEUnz2qFQUK-X5 => https://limewire.com/d/Q8H21#PIPAYpUkZm

CoinMiner Config: https://pastebin.com/raw/LTU3vzpQ
XMR Wallet: 43TJDwfWe1TckoVgUCDjD5Si5wWm5ah4H3cAEtwUaP8SfNtZvXSoagJgEgCd1EGUjbZ8mQDLoXpKhV36Fz2aDdQCECWmoaw

Intelligence

File Origin
# of uploads: 1
# of downloads: 58
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: start.bat.exe
Verdict: Malicious activity
Analysis date: 2025-10-04 10:46:17 UTC
Tags: pastebin miner ms-smartcard stealer winring0-sys vuln-driver susp-powershell upx salatstealer golang

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: virus sage delf
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
DNS request
Sending a UDP request
Connection attempt
Sending a custom TCP request
Running batch commands
Launching a process
Creating a service
Creating a file
Launching a service
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Connection attempt to an infection source
Creating a process with a hidden window
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Connecting to a cryptocurrency mining pool
Creating a file in the Program Files subdirectories
Enabling autorun for a service
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys borland_delphi coinminer krypt masquerade obfuscated packed packed packer_detected
Verdict: Malicious
File Type: exe x32
First seen: 2025-10-04T06:45:00Z UTC
Last seen: 2025-10-04T10:37:00Z UTC
Hits: ~10
Result
Threat name: Salat Stealer, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Creates multiple autostart registry keys
Drops executable to a common third party application directory
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Uses powercfg.exe to modify the power settings
Yara detected Salat Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 1789145; Sample: start.bat.exe; Startdate: 04/10/2025; Architecture: WINDOWS; Score: 100), recovered from the flattened graph image:
Top-level domains/IPs: pastebin.com; pool.hashvault.pro; dns.google; 127.0.0.1 (unknown)
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; Connects to a pastebin service (likely for C&C) (pastebin.com); 9 other signatures
Process tree:
start.bat.exe: drops C:\Users\user\AppData\...\jjsploit.exe.exe (PE32+) and C:\Users\user\...\FelisSpooferV2.0.exe (PE32); starts FelisSpooferV2.0.exe and jjsploit.exe.exe
  FelisSpooferV2.0.exe: drops C:\Users\user\AppData\...\FelisSpoofer.exe (PE32); signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file; starts FelisSpoofer.exe
    FelisSpoofer.exe: contacts dns.google 8.8.4.4 (ports 443, 50267, 51150; GOOGLEUS, United States), 8.8.8.8 (ports 443, 51151, 54542; GOOGLEUS, United States) and 2 other IPs or domains; drops C:\Users\user\AppData\...\VaFE2HGFoQf.exe, C:\Program Files (x86)\...\bCEcpkSlmHXTkb.exe, C:\...\QvpKl3mxb0wOReaiUN.exe and C:\...\cnytmQrH7A8TVOHuttAx.exe (all PE32); signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Found many strings related to Crypto-Wallets (likely being stolen), 2 other signatures; starts cnytmQrH7A8TVOHuttAx.exe
  jjsploit.exe.exe: drops C:\ProgramData\...\s6lvp26qtly3.exe (PE32+); signatures: Uses powercfg.exe to modify the power settings, Adds a directory exclusion to Windows Defender, Modifies power options to not sleep / hibernate; starts powershell.exe (Loading BitLocker PowerShell Module; conhost.exe), cmd.exe (conhost.exe, wusa.exe), powercfg.exe (conhost.exe) and 13 other processes (conhost.exe x3, 9 other processes)
s6lvp26qtly3.exe: drops C:\Windows\Temp\cyenrpezsuct.sys (PE32+); signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Hijacks the control flow in another process, 4 other signatures; starts powershell.exe (Loading BitLocker PowerShell Module; conhost.exe), dwm.exe, cmd.exe (conhost.exe, wusa.exe) and 10 other processes (9 other processes)
  dwm.exe: connects to 216.219.85.122 (ports 443, 49721, 49724; IS-AS-1US, United States), pastebin.com 104.20.29.150 (ports 443, 49716; CLOUDFLARENETUS, United States) and pool.hashvault.pro 104.251.123.89 (ports 443, 49723, 49725; 1GSERVERSUS, United States); signature: Query firmware table information (likely to detect VMs)
svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall)
6 other processes: 127.0.0.1
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.GenSteal
Status: Malicious
First seen: 2025-10-04 10:46:18 UTC
File Type: PE (Exe)
Extracted files: 32
AV detection: 36 of 38 (94.74%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:salatstealer family:xmrig credential_access defense_evasion discovery execution miner persistence spyware stealer upx
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Power Settings
Checks computer location settings
Creates new service(s)
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Stops running service(s)
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
XMRig Miner payload
xmrig
Detect SalatStealer payload
Salatstealer family
Xmrig family
salatstealer
Verdict: Malicious
Tags: Win.Trojan.Injector-6297685-1
YARA: n/a
Unpacked files
SHA256 hash: 31f8844ec94d14c27c94b4abad2a5712a32f39bcc88156a72fbcdb24a653f789
MD5 hash: 4be94394ffbfd7c68d9bdaeeae9a51bb
SHA1 hash: 2d0b6339557ec80daf8dfb9122fba6ef395843f0

SHA256 hash: 0f7f86530b7fa2e693a2a3a5bf69957e61c2f45d39418d077285a1ea6f4bb992
MD5 hash: cd6cddac2686df01814705f21e6da343
SHA1 hash: f29ad4efdc160ffba5cb63e01349ec9b84123e30

SHA256 hash: 4d8bc99a3cc1cba289f7062047386db7b64af9427c8898cb998b67d159b7529a
MD5 hash: 96f054161f32a2e084f1bbd5a13954d4
SHA1 hash: 22c7ac87c8b8b37ccada0186b92ea6d8f460c8aa
Detections: INDICATOR_SUSPICIOUS_Binary_References_Browsers, INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore, INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_Encoded_Powershell_Directives

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: DetectGoMethodSignatures
Author: Wyatt Tauber
Description: Detects Go method signatures in unpacked Go binaries

Rule name: Detect_Go_GOMAXPROCS
Author: Obscurity Labs LLC
Description: Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: golang_binary_string
Description: Golang strings present

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: grakate_stealer_nov_2021

Rule name: Heuristics_ChromeABE
Author: Still
Description: attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_References_SecTools
Author: ditekSHen
Description: Detects executables referencing many IR and analysis tools

Rule name: MacOS_Cryptominer_Xmrig_241780a1
Author: Elastic Security

Rule name: Macos_Infostealer_Wallets_8e469ea0
Author: Elastic Security

Rule name: MALWARE_Win_CoinMiner02
Author: ditekSHen
Description: Detects coinmining malware

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth (Nextron Systems)
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MAL_XMR_Miner_May19_1_RID2E1B
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: Multi_Cryptominer_Xmrig_f9516741
Author: Elastic Security

Rule name: Multi_Generic_Threat_19854dc2
Author: Elastic Security

Rule name: pe_detect_tls_callbacks

Rule name: ProgramLanguage_Golang
Author: albertzsigovits
Description: Application written in Golang programming language

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: Rooter
Author: Seth Hardy
Description: Rooter

Rule name: RooterStrings
Author: Seth Hardy
Description: Rooter Identifying Strings

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects the reference of suspicious sites that might be used to download further malware

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: upx_largefile
Author: k3nr9

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for Whirlpool constants

Rule name: Windows_Cryptominer_Generic_f53cfb9b
Author: Elastic Security

Rule name: Windows_Generic_Threat_e8abb835
Author: Elastic Security

Rule name: XMRIG_Monero_Miner
Author: Florian Roth (Nextron Systems)
Description: Detects Monero mining software
Reference: https://github.com/xmrig/xmrig/releases

Rule name: xmrig_v1
Author: RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256 hash: 31f8844ec94d14c27c94b4abad2a5712a32f39bcc88156a72fbcdb24a653f789 (this sample)

Comments



commented on 2025-10-04 10:47:21 UTC

Wrong source. Correct source: https://www.youtube.com/watch?v=F5W9Cc6KSYg => https://disk.yandex.ru/d/wMn2Z0QB0k087w