MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d3a49ebbfeb9467d72b94448c8709d4eb616ec9bab5647122f0f98aa983f67f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 15



SHA256 hash: 3d3a49ebbfeb9467d72b94448c8709d4eb616ec9bab5647122f0f98aa983f67f
SHA3-384 hash: add11acd81a8dbdc30525016428408583368faa137bacf4991932e1766c83d383652b70e57a354eb704c2f4160c73bc5
SHA1 hash: e326314c2f59f821dd08d740f068472abd3e5b36
MD5 hash: 6b20fd11a6ef679db3272652e1a4a9b3
humanhash: alanine-wyoming-earth-alanine
File name: chrome_144.exe
Signature CoinMiner
File size: 8'725'400 bytes
First seen: 2026-02-26 16:02:35 UTC
Last seen: 2026-04-07 18:33:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 35a81d16af9f2ba6d515f11152d0364b (61 x CoinMiner, 2 x CobaltStrike)
ssdeep 196608:shhwWuHTAYhnVDMKmjnmxMTvjU9kpAt5sh3Dc:mkAwMK4dU9wAtqD
TLSH T1DC9633D8589724F6FAC9DFFA45DA8E2EE4277B03C5093209610FADBB87910CB7070665
TrID 33.6% (.EXE) OS/2 Executable (generic) (2029/13)
33.1% (.EXE) Generic Win/DOS Executable (2002/3)
33.1% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads :
4
# of downloads :
162
Origin country :
SE
Vendor Threat Intelligence
No detections
Malware family:
ID:
1
File name:
virusvippro.exe
Verdict:
Malicious activity
Analysis date:
2026-02-26 14:03:12 UTC
Tags:
auto metasploit framework github amadey botnet stealer stealc possible-phishing anti-evasion telegram phishing clickfix python barys powershell maskgram xenorat rat anydesk rmm-tool generic action1rmm screenconnect tool remote maskgramstealer tinynuke miner meterpreter backdoor havoc koistealer koiloader loader wannacry ransomware cobaltstrike guloader cryptowall njrat remcos vidar xred networm amus asyncrat smb bruteratel formbook sheet pyinstaller redline stealerium pastebin coinminer gh0st cryptolocker bladabindi pushware adware scan smbscan donutloader putty noescape wiper gotohttp ghostsocks proxyware whitesnakestealer xworm

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Tags:
injection packed crypt
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed packed themidawinlicense zusy
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Hosts2.gen Trojan.Win32.Agent.rnd HEUR:Trojan.Win32.Agent.pef HEUR:Trojan.Multi.Agent.gen RiskTool.BitCoinMiner.UDP.C&C RiskTool.Miner.UDP.C&C
Result
Threat name:
Detection:
malicious
Classification:
adwa.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Unusual module load detection (module proxying)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: Behavior Graph ID 1875441, sample chrome_144.exe, start date 26/02/2026, architecture WINDOWS, score 100 (graph rendering not reproduced; the signatures it references are listed above)
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Infostealer.Tinba
Status:
Malicious
First seen:
2026-02-26 00:56:45 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 38 (50.00%)
Threat level:
5/5
Verdict:
malicious
Label(s):
unc_loader_055
Similar samples:
Result
Malware family:
Score:
10/10
Tags:
family:xmrig defense_evasion execution miner persistence themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Power Settings
Checks BIOS information in registry
Creates new service(s)
Executes dropped EXE
Stops running service(s)
Themida packer
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xmrig family
xmrig
Unpacked files
SHA256 hash:
3d3a49ebbfeb9467d72b94448c8709d4eb616ec9bab5647122f0f98aa983f67f
MD5 hash:
6b20fd11a6ef679db3272652e1a4a9b3
SHA1 hash:
e326314c2f59f821dd08d740f068472abd3e5b36
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Themida
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pe_detect_tls_callbacks
Rule name:Windows_Generic_Threat_e8abb835
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 3d3a49ebbfeb9467d72b94448c8709d4eb616ec9bab5647122f0f98aa983f67f

(this sample)

Delivery method
Distributed via web download

Comments