MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39b61eab7c4cd82e9e75a950858c95e1878202529cd2981d063f25c7f934d06b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39b61eab7c4cd82e9e75a950858c95e1878202529cd2981d063f25c7f934d06b
SHA3-384 hash: ebc0a008fbb815617efec87427acc53567148352e9f571010e44e1c30acdd444b68934ae6644e186aaad7cb0f96ab880
SHA1 hash: d56415a20846c0557dabd4af14f5ad66d245d699
MD5 hash: 0d93a1c736bb56de648ef8d357a6a04d
humanhash: yankee-kansas-north-pasta
File name:0d93a1c736bb56de648ef8d357a6a04d.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:12'550'848 bytes
First seen:2025-08-30 14:50:33 UTC
Last seen:2025-09-02 04:01:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e19ef3c78a1511663db464b607820070 (2 x CoinMiner)
ssdeep 196608:5vU2GYfTfEKi/wpmLZzdHTxQlRgUPlXeXwlbawYs1A8WqNvN8anTQN6GC41kToQf:S1ihi/amLZzdzC39PlGwlWwY4A8vN8Hw
TLSH T115C6334563845698F932D53589750822CEBB3C214BA4F71B2B5BFBAB9F730824F38716
TrID 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
64
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
39b61eab7c4cd82e9e75a950858c95e1878202529cd2981d063f25c7f934d06b.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-08-30 05:59:40 UTC
Tags:
delphi miner netreactor pureminer xmrig
Link:
https://app.any.run/tasks/453ef7da-fb09-415f-9b6f-d22667308efc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24266/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b30ff7eb163e0ec1832942
Tags:
corrupt virus spawn
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug crypto expand fingerprint keylogger lolbin microsoft_visual_cc overlay overlay packed packed
Link:
https://www.filescan.io/uploads/68b3102739a6221faa7669ed/reports/d7988f54-615d-4a71-8dd9-9ae04d1a0f57/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/39b61eab7c4cd82e9e75a950858c95e1878202529cd2981d063f25c7f934d06b
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-08-30T00:10:00Z UTC
Last seen:
2025-08-30T00:10:00Z UTC
Hits:
~10
Detections:
UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/39b61eab7c4cd82e9e75a950858c95e1878202529cd2981d063f25c7f934d06b/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ea44e7c1-f417-4b01-a68c-eb24b51eea0a
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1768185
Signature
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
DNS related to crypt mining pools
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Xmrig
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1768185 Sample: Jb6Z7jxXx3.exe Startdate: 30/08/2025 Architecture: WINDOWS Score: 100 49 xmr-eu1.nanopool.org 2->49 65 Sigma detected: Xmrig 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Yara detected Xmrig cryptocurrency miner 2->69 73 5 other signatures 2->73 10 Jb6Z7jxXx3.exe 10 2->10         started        13 powershell.exe 23 2->13         started        16 svchost.exe 2->16         started        18 2 other processes 2->18 signatures3 71 DNS related to crypt mining pools 49->71 process4 file5 45 C:\Users\user\AppData\Local\Temp\...\bc.exe, PE32+ 10->45 dropped 47 C:\Users\user\AppData\Local\...\oleacc.dll, PE32+ 10->47 dropped 20 bc.exe 10->20         started        87 Loading BitLocker PowerShell Module 13->87 23 conhost.exe 13->23         started        25 WmiPrvSE.exe 13->25         started        89 Changes security center settings (notifications, updates, antivirus, firewall) 16->89 27 MpCmdRun.exe 1 16->27         started        29 WerFault.exe 2 18->29         started        signatures6 process7 signatures8 75 Writes to foreign memory regions 20->75 77 Allocates memory in foreign processes 20->77 79 Modifies the context of a thread in another process (thread injection) 20->79 81 3 other signatures 20->81 31 csc.exe 16 2 20->31         started        35 WerFault.exe 19 16 20->35         started        37 conhost.exe 27->37         started        process9 dnsIp10 53 196.251.118.72, 39003, 49725 xneeloZA Seychelles 31->53 55 196.251.88.246, 49726, 80 Web4AfricaZA Seychelles 31->55 57 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->57 59 Found strings related to Crypto-Mining 31->59 61 Writes to foreign memory regions 31->61 63 3 other signatures 31->63 39 AddInProcess.exe 31->39         started        signatures11 process12 dnsIp13 51 51.15.193.130, 10300, 49735 OnlineSASFR France 39->51 83 Query firmware table information (likely to detect VMs) 39->83 43 conhost.exe 39->43         started        signatures14 85 Detected Stratum mining protocol 51->85 process15
Score:
64%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/39b61eab7c4cd82e9e75a950858c95e1878202529cd2981d063f25c7f934d06b
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/0d93a1c736bb56de648ef8d357a6a04d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39b61eab7c4cd82e9e75a950858c95e1878202529cd2981d063f25c7f934d06b/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/39b61eab7c4cd82e9e75a950858c95e1878202529cd2981d063f25c7f934d06b
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hg3b5k34jtmc5htvvfiildev4gdyeassttjjqhigh4s4p6ju2bvq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Link:
https://tria.ge/reports/250830-r8vsbabn2z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0e4bc088-5851-49cb-af3d-dae193deeb29
Unpacked files
SH256 hash:
200b6e5b18e13bbf02d19cdae648b08153d11703954cc977a29a2dc413044f5d
MD5 hash:
77c83517c8815ac20d9c48e57a90a35f
SHA1 hash:
b0bf576559e9473bd969cc984a9a71b2ca02e79c
Link:
https://www.unpac.me/results/86e4ce5a-af11-4b1a-835b-1a80eaf4b3b1/
SH256 hash:
96e15c79a704a7c7c54e59b4eabbccb3c9a816db6f0738e0862c436eaf815da3
MD5 hash:
5bdb6ee3cd8b7765f439aa7429b127d0
SHA1 hash:
0a07dca193f1d718dd497d94d2aabdbf7e840449
Link:
https://www.unpac.me/results/86e4ce5a-af11-4b1a-835b-1a80eaf4b3b1/
SH256 hash:
39b61eab7c4cd82e9e75a950858c95e1878202529cd2981d063f25c7f934d06b
MD5 hash:
0d93a1c736bb56de648ef8d357a6a04d
SHA1 hash:
d56415a20846c0557dabd4af14f5ad66d245d699
Link:
https://www.unpac.me/results/86e4ce5a-af11-4b1a-835b-1a80eaf4b3b1/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/39b61eab7c4c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39b61eab7c4cd82e9e75a950858c95e1878202529cd2981d063f25c7f934d06b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 39b61eab7c4cd82e9e75a950858c95e1878202529cd2981d063f25c7f934d06b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3614190/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/24266/

Comments