MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b93465de33b87e03e1932381c60acfd13f461e6ce8cc129b2ca0d04680321f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 17


Intelligence 17 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b93465de33b87e03e1932381c60acfd13f461e6ce8cc129b2ca0d04680321f8
SHA3-384 hash: 9851b57e745129110b6aad599dd6882a9d7727c6afd2c0184c33b14333dbad4f28d4ad1f8ac3b605a609186933069eca
SHA1 hash: 8c073b2130029047738696a02ba8dc86f7eb44fe
MD5 hash: bc4c0ce8eae6f204f43463e68e0ec9a7
humanhash: aspen-ack-skylark-seventeen
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:10'630'652 bytes
First seen:2026-02-15 22:58:47 UTC
Last seen:2026-02-15 23:27:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f9733d815c562b4051f00a897b1b84e8 (4 x CoinMiner)
ssdeep 196608:H5CVjjpa2WFV+UK+9Nn2/7pFVZsB/omyGVZqzlMw0r9JP8G0xyfoEA:H54jcDFV9Nn2/7pFVZsB/ombVZX9uGMx
Threatray 66 similar samples on MalwareBazaar
TLSH T1C4B6CF15A3A80071D477C630CAA68733CAB17D665B34C90F0699F3522F77DA29B6F722
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:CoinMiner dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://130.12.180.43/files/6723359323/ZNY48if.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
ZNY48if.exe
Verdict:
Malicious activity
Analysis date:
2026-02-15 22:56:54 UTC
Tags:
uac xmrig miner
Link:
https://app.any.run/tasks/72352f52-1505-41c8-858e-821fe6273ee0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner02
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53372/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69924f320d0369ff9979bd62
Tags:
xmrig shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Enabling the 'hidden' option for analyzed file
Adding an access-denied ACE
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for synchronization primitives
Modifying a system file
DNS request
Creating a file in the %AppData% subdirectories
Creating a file
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Sending a custom TCP request
Enabling the 'hidden' option for files in the %temp% directory
Blocking the Windows Defender launch
Creating a file in the mass storage device
Adding an exclusion to Microsoft Defender
Enabling autorun
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context crypto microsoft_visual_cc net overlay packed
Link:
https://www.filescan.io/uploads/69924fba2ffccda097704ef0/reports/c7093677-1d5a-4622-9373-e461e7587512/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/3b93465de33b87e03e1932381c60acfd13f461e6ce8cc129b2ca0d04680321f8
Verdict:
Malicious
File Type:
exe x64
Detections:
HEUR:Trojan-PSW.Win32.Disco.gen Trojan-PSW.Win32.Disco.sb not-a-virus:RiskTool.Win32.Miner.sb Trojan.Win32.Miner.sb Trojan-PSW.PureLogs.TCP.C&C Trojan.Win64.Agent.sb Trojan.Win32.Reconyc.sb PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Agent.sb not-a-virus:RiskTool.Win64.XMRigMiner.a
Link:
https://opentip.kaspersky.com/3b93465de33b87e03e1932381c60acfd13f461e6ce8cc129b2ca0d04680321f8/results?tab=lookup
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/447e010f-ead1-44fe-949c-c87fd41d3edc
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3b93465de33b87e03e1932381c60acfd13f461e6ce8cc129b2ca0d04680321f8
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
Executable Html Javascript in Html PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/bc4c0ce8eae6f204f43463e68e0ec9a7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b93465de33b87e03e1932381c60acfd13f461e6ce8cc129b2ca0d04680321f8/
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/3b93465de33b87e03e1932381c60acfd13f461e6ce8cc129b2ca0d04680321f8
Threat name:
Win64.Trojan.MereTam
Create hunting rule
Status:
Malicious
First seen:
2026-02-15 23:07:46 UTC
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hojumxpdhod6apqzgi4byyfm7uj7iypgz2gmcknszigqi2adeh4a._file
Verdict:
malicious
Label(s):
xmrig
Create hunting rule
Similar samples:
242141d9d23761573731b5f0a0f2a5039a6b8bb5209e167d93ea804802f15762
CoinMiner
7f98dc14437c2ce9d014457eb436e8cf15f2fdee7ad531f6d0e8def692a559a8
CoinMiner
9665aef3579856fe0781f524065283184697b247bd8abedb5229388b8e713edd
CoinMiner
eb28fc1bbe23ae47f2b66cee1e4f907034e68e26f81bd8fc645859ab386cff77
CoinMiner
error
CoinMiner
f0eff94e8ed95c8ccb19decb14f7edcf036830502745ec47fd64152e8b6e42b9
CoinMiner
+ 56 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion evasion execution persistence trojan
Link:
https://tria.ge/reports/260215-2yenfsew5g/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Launches sc.exe
Executes dropped EXE
Loads dropped DLL
Stops running service(s)
Windows security modification
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Image File Execution Options Injection
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Unpacked files
SH256 hash:
3b93465de33b87e03e1932381c60acfd13f461e6ce8cc129b2ca0d04680321f8
MD5 hash:
bc4c0ce8eae6f204f43463e68e0ec9a7
SHA1 hash:
8c073b2130029047738696a02ba8dc86f7eb44fe
Link:
https://www.unpac.me/results/9aee2b84-2f17-47e8-a9e5-ee01a11eecca/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3b93465de33b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b93465de33b87e03e1932381c60acfd13f461e6ce8cc129b2ca0d04680321f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 3b93465de33b87e03e1932381c60acfd13f461e6ce8cc129b2ca0d04680321f8

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/53372/

Comments