MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d90753ef2115ad9c5c646f537c1b10285bed07b4f96813557c2a80013af24d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d90753ef2115ad9c5c646f537c1b10285bed07b4f96813557c2a80013af24d9
SHA3-384 hash: 500a5c96b5ef44f68dbbad963cd60ee946fcc1e560ba4f84a1164723ae3a3f4ec09065ea8e5c40f6e5a2631a7bd3db61
SHA1 hash: 39f26cc7b4620bfeacf119b1e3114556c6b91d5e
MD5 hash: 2a07229dd1db1e4c4228d80c2a9044e2
humanhash: winner-william-yellow-london
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'234'368 bytes
First seen:2025-12-29 02:10:10 UTC
Last seen:2025-12-29 04:27:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (88 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:zhkQXUPqIZUiEjU1FvtznLPMOqR8A4h5AhBIrvKiwv:z1XUCviEjUtznTq62D8Ciw
Threatray 117 similar samples on MalwareBazaar
TLSH T181A533BB290FB122C1294A396EFEB745D5E0E0185FA85BA747909C7542D027BD039BCF
TrID 55.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
6.7% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:CoinMiner dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://130.12.180.43/files/8278288380/WsFbrLC.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
118
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2025-12-29 02:10:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/622a6adb-65bd-4da6-b7b0-0d94b9575f75

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46368/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.23171.5802.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6951e3117d915bf1778e8379
Tags:
autorun shell crypt sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt donut packed
Link:
https://www.filescan.io/uploads/6951e30b148c21e830edd7e7/reports/4926c3fa-30c0-4f0b-9d19-873bc1e4548a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4d90753ef2115ad9c5c646f537c1b10285bed07b4f96813557c2a80013af24d9
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-28T23:24:00Z UTC
Last seen:
2025-12-29T00:32:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Trojan.Win64.Inject.sb Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb Trojan.Win64.DonutInjector.sb Trojan.Win32.Inject.sb HEUR:Trojan.Win64.Inject.pef HEUR:Trojan.Win64.DonutInjector.gen HEUR:Trojan.Win64.Donut.pef HEUR:Trojan.Win32.Generic RiskTool.Miner.UDP.C&C RiskTool.BitCoinMiner.UDP.C&C
Link:
https://opentip.kaspersky.com/4d90753ef2115ad9c5c646f537c1b10285bed07b4f96813557c2a80013af24d9/results?tab=lookup
Malware family:
Donut Injector
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3af76a2e-c0a3-4bd0-a030-8556bb1a27da
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4d90753ef2115ad9c5c646f537c1b10285bed07b4f96813557c2a80013af24d9
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/2a07229dd1db1e4c4228d80c2a9044e2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d90753ef2115ad9c5c646f537c1b10285bed07b4f96813557c2a80013af24d9/
Verdict:
Malicious
Threat:
Family.COINMINER
Link:
https://tip.neiki.dev/file/4d90753ef2115ad9c5c646f537c1b10285bed07b4f96813557c2a80013af24d9
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2025-12-29 02:10:27 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwihkpxscfnntrogi32tpqnrakc35ud3j6licnkxykuaae5petmq._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
694d23c82bb2ef802432cce13808c97a6f571e95b8bef74d84bf31dd43e8c88a
CoinMiner
75a68ccf94d77bd6b321a5aac66a93cf16624da85e14bb16458559434992a0be
CoinMiner
aa3444054be8d8f795d96ee3cea05e8038293cb27c951b00d82d5033d3437539
CoinMiner
b32ca5f8d7dcf69823c317163ed43f7a8591958ffdf87434a508c9de60070ddf
CoinMiner
be6928a5935f0b49ec86015be3f600a635d3aef55f602827a7104a661b13200a
CoinMiner
error
CoinMiner
fe55e4f54a33e553a9e20dd0f3cae2f1463f7aaf8a7fe6409c6f1aab95fb8fe0
CoinMiner
+ 107 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig execution miner persistence
Link:
https://tria.ge/reports/251229-clwzjacr51/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
XMRig Miner payload
Xmrig family
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5147b18f-1e85-4cf9-94d7-34cc8ed2a919
Unpacked files
SH256 hash:
4d90753ef2115ad9c5c646f537c1b10285bed07b4f96813557c2a80013af24d9
MD5 hash:
2a07229dd1db1e4c4228d80c2a9044e2
SHA1 hash:
39f26cc7b4620bfeacf119b1e3114556c6b91d5e
Link:
https://www.unpac.me/results/4fc2f770-dcfa-4856-a8e7-d22b45fabec4/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4d90753ef211/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/4d90753ef2115ad9c5c646f537c1b10285bed07b4f96813557c2a80013af24d9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 4d90753ef2115ad9c5c646f537c1b10285bed07b4f96813557c2a80013af24d9

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/46368/
  
URLhaus
https://urlhaus.abuse.ch/url/3745586/

Comments