MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 389d3fefcaa011c88e9c9b613b9f546e7fac0a5c0878d757045e2bfb0ca71f9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 17


Intelligence 17 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 389d3fefcaa011c88e9c9b613b9f546e7fac0a5c0878d757045e2bfb0ca71f9d
SHA3-384 hash: f2b8cc21908956edc778d7e19a1192f86a10c646e304281ecbc2dbed661754a6a3bca2ae7522aacc46126a72bd6ae759
SHA1 hash: 567f8e2d213b65ec7ec1b82a86cece32a70b1265
MD5 hash: 55c65f788ec7a073942b81d8c987c386
humanhash: single-lamp-lake-oklahoma
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:10'261'386 bytes
First seen:2026-02-25 00:08:29 UTC
Last seen:2026-02-25 00:13:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash de93f2c3ac12b121f15db149d1837f4b (1 x CoinMiner)
ssdeep 196608:adWM0vfBJa0uzWDrdCB9IGruIoNJKlG1OoBjS:adofBo02WvMPVrxoHKwEum
Threatray 93 similar samples on MalwareBazaar
TLSH T1DEA6CF15A3B40071FA3BC674C9268733DAB1BC965B34C50F0259F2522F77EA29BAF215
TrID 48.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
19.1% (.EXE) Win64 Executable (generic) (6522/11/2)
14.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) OS/2 Executable (generic) (2029/13)
5.8% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:CoinMiner dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://130.12.180.43/files/2038862353/5o1vzUb.exe

Intelligence

File Origin
# of uploads :
12
# of downloads :
252
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-02-25 00:09:09 UTC
Tags:
uac evasion miner xmrig auto-sch-xml crypto-regex
Link:
https://app.any.run/tasks/6a9f7706-46d0-4df8-8074-d4add11a18ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/54510/
Detection(s):
Win.Malware.Tinukebot-10031688-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699e3dad8fffa866e3b1cb21
Tags:
vmdetect emotet xmrig
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-vm crypto microsoft_visual_cc miner overlay packed stealer tinynuke zbot
Link:
https://www.filescan.io/uploads/699e3da997feb4afd65831f5/reports/ec75d452-2e2f-4682-a194-6bccba9e52b5/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/389d3fefcaa011c88e9c9b613b9f546e7fac0a5c0878d757045e2bfb0ca71f9d
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan.Win32.Miner.sb HEUR:Trojan-PSW.Win32.Disco.gen Trojan-Banker.Win32.Express.sb Trojan.Win32.Reconyc.sb PDM:Trojan.Win32.Generic HackTool.Multi.AmsiETWPatch.sb Backdoor.Win32.Zegost.sb Trojan-PSW.Win32.Coins.sb Trojan-Banker.Win32.TinyNuke.sb Trojan.Win64.Agentb.sb Trojan-Dropper.Win32.Agent.sb Trojan-PSW.Win32.Disco.sb Backdoor.Win32.DarkVNC.sb RiskTool.BitCoinMiner.TCP.C&C not-a-virus:RiskTool.Win32.Miner.sb RiskTool.Miner.UDP.C&C not-a-virus:RiskTool.Win64.XMRigMiner.a
Link:
https://opentip.kaspersky.com/389d3fefcaa011c88e9c9b613b9f546e7fac0a5c0878d757045e2bfb0ca71f9d/results?tab=lookup
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3737e71-5d69-441d-85ec-0f1de53d2398
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/389d3fefcaa011c88e9c9b613b9f546e7fac0a5c0878d757045e2bfb0ca71f9d
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
Executable Html Javascript in Html PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/55c65f788ec7a073942b81d8c987c386
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/389d3fefcaa011c88e9c9b613b9f546e7fac0a5c0878d757045e2bfb0ca71f9d/
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/389d3fefcaa011c88e9c9b613b9f546e7fac0a5c0878d757045e2bfb0ca71f9d
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcot736kuai4rdu4tnqtxh2unz72ycs4bb4novyelyv7wdfhd6oq._file
Verdict:
malicious
Label(s):
xmrig
Create hunting rule
Similar samples:
242141d9d23761573731b5f0a0f2a5039a6b8bb5209e167d93ea804802f15762
CoinMiner
389d3fefcaa011c88e9c9b613b9f546e7fac0a5c0878d757045e2bfb0ca71f9d
CoinMiner
43b9cfbfd524d138da3312b47fcee8c4c9ab9343d89fe7b4b730f73c940fbfef
CoinMiner
583cb65d69756efdef6f4186bd920e468ee6d7a4d41f5fbbe5c23a2b69e7ef9e
CoinMiner
efac57361fa125ca73858831c5b7a1e8f236add5c534925c98c48204328c8540
CoinMiner
error
CoinMiner
+ 83 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion evasion execution miner persistence trojan
Link:
https://tria.ge/reports/260225-afj2nsh13g/
Behaviour
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Windows directory
Launches sc.exe
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Stops running service(s)
Windows security modification
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Image File Execution Options Injection
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Windows security bypass
XMRig Miner payload
Xmrig family
xmrig
Unpacked files
SH256 hash:
389d3fefcaa011c88e9c9b613b9f546e7fac0a5c0878d757045e2bfb0ca71f9d
MD5 hash:
55c65f788ec7a073942b81d8c987c386
SHA1 hash:
567f8e2d213b65ec7ec1b82a86cece32a70b1265
Detections:
win_tinynuke_g0
Create hunting rule
Link:
https://www.unpac.me/results/55a66b4b-b7fe-4481-84a3-5a0285c6a61c/
SH256 hash:
9983ace5120461cef653e500900d133840abf463792a67a8d9199a7d961315ab
MD5 hash:
178498971e20cd0b63cf70e49eb015e8
SHA1 hash:
020af0c8a73c4c9e19d4eb04959c21083313affe
Detections:
win_tinynuke_g0
Create hunting rule
Link:
https://www.unpac.me/results/55a66b4b-b7fe-4481-84a3-5a0285c6a61c/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/389d3fefcaa0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/389d3fefcaa011c88e9c9b613b9f546e7fac0a5c0878d757045e2bfb0ca71f9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Suspicious_PowerShell_Commands_Executed_via_Rundll32
Create hunting rule
Author:assistant
Description:Detects when rundll32.exe is used to execute PowerShell commands that may indicate malicious activity
Reference:https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_powershell_via_rundll32.yml
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_All_Windows_PE_Malware
Create hunting rule
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 389d3fefcaa011c88e9c9b613b9f546e7fac0a5c0878d757045e2bfb0ca71f9d

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3785230/
Cape
Cape
https://www.capesandbox.com/analysis/54510/

Comments