MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 395a68f5bcfa421b2dbdc7b51ea9237451193465c3e9fe095f522d127583727c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 13

SHA256 hash: 395a68f5bcfa421b2dbdc7b51ea9237451193465c3e9fe095f522d127583727c
SHA3-384 hash: 921992899ddfc86b2cc653c8a2ce506d18b02e32ad299cadc5673b08ca8198ba4af411c93114fbc5a63aa959b4be2d7a
SHA1 hash: b7bf255fac02bedc8c87d6fe0000d54e384da1ac
MD5 hash: 6e8d49f925c4f7666881c94353c4cee3
humanhash: triple-alanine-shade-skylark
File name: Installer_v1231_x64.exe
Signature: CoinMiner
File size: 23'505'920 bytes
First seen: 2025-12-16 15:23:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a56f115ee5ef2625bd949acaeec66b76 (57 x PureHVNC, 54 x Stealc, 35 x CoinMiner)
ssdeep: 393216:C8adR2pQ9l8VJtZqf3n5Jt2E1ynizyjbIFRCZpJKP1S11RB1/tWxTPm:tbbJDM5JtR1ynCF8wP1S1dxtsK
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1673733D2799AB22EED710A3D58383585863342C8E9A7E7BE07A7DC3F1D55272243184F
TrID: 25.4% (.ICL) Windows Icons Library (generic) (2059/9)
      25.0% (.EXE) OS/2 Executable (generic) (2029/13)
      24.7% (.EXE) Generic Win/DOS Executable (2002/3)
      24.7% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
dhash icon: f0cc8ed49696d4f0 (1 x CoinMiner, 1 x PureCrypter)
Reporter: aachum
Tags: CoinMiner exe purecrypter PureHVNC PureMiner


iamaachum
https://dl777filesbase.top/0nj84gjs2ma0gjemfwdc4i-installer00731578ghsvbetischgh3dlpabwj3vn5rusjcb50swcg00

PureHVNC C2: winautordr.hopto.org

Intelligence


File Origin
# of uploads: 1
# of downloads: 125
Origin country: ES
Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: Installer_v1231_x64.exe
Verdict: Malicious activity
Analysis date: 2025-12-16 15:24:40 UTC
Tags: themida netreactor auto-sch

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: autorun packed shell sage

Verdict: Malware

Behaviour
Searching for analyzing tools
Searching for the window
DNS request
Creating a file
Launching a process
Creating a window
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file

Verdict: Malicious
File Type: exe x64
First seen: 2025-12-16T12:54:00Z UTC
Last seen: 2025-12-17T00:08:00Z UTC
Hits: ~10

Threat name: Purecrypter
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: Xmrig
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Purecrypter
Behaviour
Behavior Graph: ID 1834075, sample Installer_v1231_x64.exe, start date 16/12/2025, architecture WINDOWS, score 100. The original page renders this as a graph; its nodes and edges are reproduced below as a process tree (truncated paths are as shown by the sandbox).

Sample-level network contacts: winautordr.hopto.org; shed.dual-low.part-0041.t-0009.t-msedge.net; 8 other IPs or domains
Sample-level signatures: Sigma detected: Xmrig; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 15 other signatures

Installer_v1231_x64.exe
    dropped: C:\Users\user\AppData\Local\...\PathAPI.exe (PE32+); C:\Users\user\...\Installer_v1231_x64.exe.log (CSV)
    signatures: Detected unpacking (changes PE section rights); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
    started: powershell.exe (signature: Loading BitLocker PowerShell Module) -> conhost.exe
    started: schtasks.exe -> conhost.exe

PathAPI.exe
    dropped: C:\Users\user\AppData\...\RuntimeBroker.exe (PE32+); C:\Users\user\AppData\...\Newtonsoft.Json.dll (PE32); C:\Users\user\AppData\...\wtmp_589024.exe (PE32+); C:\Users\user\AppData\...\wtmp_16970264.exe (PE32+)
    signatures: Antivirus detection for dropped file; Suspicious powershell command line found; Query firmware table information (likely to detect VMs); 4 other signatures
    started: powershell.exe -> RuntimeBroker.exe, conhost.exe
        RuntimeBroker.exe signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); 4 other signatures
    started: powershell.exe -> wtmp_16970264.exe, conhost.exe
        wtmp_16970264.exe dropped: C:\Users\user\AppData\Local\...\TypeId.exe (PE32+)
        wtmp_16970264.exe signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        wtmp_16970264.exe started: schtasks.exe -> conhost.exe (two instances)
    started: powershell.exe -> 2 other processes
    started: 7 other processes (signature: Uses powercfg.exe to modify the power settings) -> 12 other processes

TypeId.exe
    signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
    started: InstallUtil.exe
        InstallUtil.exe network: winautordr.hopto.org 45.77.249.79, ports 49710, 49712, 58009 (AS-CHOOPAUS, United States)
        InstallUtil.exe signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

10 other processes
    network: monerooceans.stream 66.23.199.44, ports 20128, 49711 (ANYNODEUS, United States); 127.0.0.1
    signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); Changes security center settings (notifications, updates, antivirus, firewall); 2 other signatures
    started: MSBuild.exe
    started: 3 other processes -> conhost.exe
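The sandbox signature list and behaviour graph above name the behaviours a defender can hunt for on an endpoint: a Defender exclusion pushed through base64-encoded PowerShell, scheduled-task persistence, powercfg changes, a system-process name such as RuntimeBroker.exe running from AppData, and connections to winautordr.hopto.org / 45.77.249.79 and monerooceans.stream / 66.23.199.44. The Python below is an added example, not code from MalwareBazaar, from any sandbox vendor or from the sample; it runs a small triage pass over constructed process and DNS/network events shaped after that process tree. The event records, file paths, task name and exclusion path are assumptions made for the example; only the domains and IPs are taken from the page. The graph lists ports without saying which side they belong to, so matching is on domain and IP only.

```python
"""Added example: a toy detection pass over CONSTRUCTED endpoint telemetry for
the behaviours this entry lists (Defender exclusions via encoded PowerShell,
schtasks persistence, powercfg tampering, system-process names running from
user-writable paths, and contact with the C2 / pool IOCs from the behaviour
graph). Not code from MalwareBazaar, the sandbox vendors or the sample."""
from __future__ import annotations

import base64
import re

# Network IOCs exactly as they appear in the behaviour graph on this page.
IOC_DOMAINS = {"winautordr.hopto.org", "monerooceans.stream"}
IOC_IPS = {"45.77.249.79", "66.23.199.44"}
# Free dynamic-DNS suffixes (No-IP); the PureHVNC C2 above uses one of them.
DYNDNS_SUFFIXES = (".hopto.org", ".ddns.net", ".no-ip.org", ".no-ip.biz")

# Names the dropper borrows for its payloads; genuine copies live under these paths.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"runtimebroker.exe", "svchost.exe", "conhost.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# powershell.exe accepts -EncodedCommand and its common short forms (-e, -ec, -en, -enc).
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Add/Set-MpPreference with an exclusion or a Disable* switch (realtime monitoring etc.).
MPPREF_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion(?:Path|Process|Extension)|Disable\w+)")


def encode_ps(text: str) -> str:
    """Encode a command the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def triage_process(ev: dict) -> set[str]:
    """Map one process-creation event to the behaviours flagged on this page."""
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    cmd = ev.get("cmdline", "")
    decoded = decode_encoded_command(cmd)
    effective = cmd if decoded is None else f"{cmd} {decoded}"   # inspect both layers
    findings = set()
    if decoded is not None:
        findings.add("powershell_encoded_command")
        if MPPREF_RE.search(decoded):
            findings.add("encoded_mppreference")        # Sigma: Powershell Base64 Encoded MpPreference Cmdlet
    if MPPREF_RE.search(effective):
        findings.add("defender_exclusion_or_tamper")    # "Adds a directory exclusion to Windows Defender"
    if name == "schtasks.exe" and re.search(r"(?i)\s/create\b", cmd):
        findings.add("scheduled_task_created")          # "Uses schtasks.exe or at.exe to add and modify task schedules"
    if name == "powercfg.exe" and re.search(r"(?i)[/-](?:change|x|setacvalueindex|hibernate)\b", cmd):
        findings.add("power_settings_modified")         # "Uses powercfg.exe to modify the power settings"
    if name in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
        findings.add("system_process_name_outside_system_dirs")  # Sigma: System File Execution Location Anomaly
    if name in INTERPRETERS and re.search(r"(?i)\\(?:temp|appdata)\\", effective):
        findings.add("interpreter_touching_temp_or_appdata")     # loose stand-in for the Temp-folder Sigma rules
    return findings


def triage_network(ev: dict) -> set[str]:
    """Match a DNS or connection event against the page's network IOCs."""
    findings = set()
    if ev["type"] == "dns":
        q = ev["query"].lower()
        if q in IOC_DOMAINS or ev.get("answer") in IOC_IPS:
            findings.add("dns_ioc_match")
        if q.endswith(DYNDNS_SUFFIXES):
            findings.add("dynamic_dns_domain")
    elif ev["type"] == "network" and ev["dst_ip"] in IOC_IPS:
        findings.add("network_ioc_match")
    return findings


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Return {event index: sorted findings} for every event that fired."""
    out = {}
    for i, ev in enumerate(events):
        hits = triage_process(ev) if ev["type"] == "process" else triage_network(ev)
        if hits:
            out[i] = sorted(hits)
    return out


# CONSTRUCTED telemetry shaped after the sandbox process tree. The exclusion
# path, task name and file locations are assumptions, not values from the sample.
PS_PAYLOAD = r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PathAPI"'
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"type": "process", "image": r"C:\Users\user\Downloads\Installer_v1231_x64.exe",
     "cmdline": r'"C:\Users\user\Downloads\Installer_v1231_x64.exe"'},
    {"type": "process", "image": PS,
     "cmdline": f"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {encode_ps(PS_PAYLOAD)}"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "PathAPI" /tr "C:\Users\user\AppData\Roaming\PathAPI\PathAPI.exe" /sc onlogon /rl highest /f'},
    {"type": "process", "image": r"C:\Users\user\AppData\Roaming\PathAPI\RuntimeBroker.exe", "cmdline": "RuntimeBroker.exe"},
    {"type": "process", "image": r"C:\Windows\System32\powercfg.exe", "cmdline": "powercfg.exe /change standby-timeout-ac 0"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs -p"},  # benign control
    {"type": "dns", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "query": "winautordr.hopto.org", "answer": "45.77.249.79"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dst_ip": "66.23.199.44", "dst_port": 20128},
    {"type": "dns", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",  # benign control
     "query": "www.bing.com", "answer": "13.107.21.200"},
]

if __name__ == "__main__":
    for idx, hits in triage(EVENTS).items():
        name = EVENTS[idx]["image"].rsplit("\\", 1)[-1]
        print(f"[{idx}] {name}: {', '.join(hits)}")
```

Run as a script it prints only the events that fired; the svchost.exe and msedge.exe controls stay quiet. The example decodes the -EncodedCommand argument and matches the cleartext, whereas the Sigma rule named above matches the base64 text itself and therefore has to carry the three alignments a UTF-16LE string can take once encoded; decoding first is simpler when the telemetry gives you the full command line.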
Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-12-16 15:21:30 UTC
File Type: PE+ (Exe)
Extracted files: 3
AV detection: 18 of 38 (47.37%)
Threat level: 5/5

Malware family:
Score: 10/10
Tags: family:xmrig defense_evasion execution miner persistence themida trojan
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Themida packer
Command and Scripting Interpreter: PowerShell
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Xmrig family
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_no_import_table
Description: Detect PE files that have no import table

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: Executable exe
SHA256 hash: 395a68f5bcfa421b2dbdc7b51ea9237451193465c3e9fe095f522d127583727c (this sample)