MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57fb3950a9eaeeb3cb4d922f81eea4979aea1cafb15e75efa59dafe91f7ce9b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57fb3950a9eaeeb3cb4d922f81eea4979aea1cafb15e75efa59dafe91f7ce9b5
SHA3-384 hash: 25ac7c017b26da792eddc419d25d4a620671717b37b7004d6720934597dd4fb7a90de29793e3df3c50032de54b7e1a90
SHA1 hash: 18505da11829275a3923842737f086c98b0bd607
MD5 hash: eff7ea67b7e047d4dd907f0d1843e304
humanhash: tennessee-island-queen-failed
File name:solsniper.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'354'240 bytes
First seen:2025-05-27 05:47:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:elZToFvnK9vCf5GZlpKYMmCVBFL0IR5OdoEblkttG3fDBR7Jtda4m17yizfpqA6W:EZuPiqRD+l6mbNtcV17fh
TLSH T1EF553F2C26FA4309F2736E364AD9B5958A1F76E2E5F6539B134C020B4711A80CF91FF6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 4cb2716969711628 (1 x DonutLoader, 1 x RustyStealer, 1 x CoinMiner)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
425
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
solsniper.exe
Verdict:
Malicious activity
Analysis date:
2025-05-27 06:14:32 UTC
Tags:
stealer pastebin xmrig miner rhadamanthys shellcode
Link:
https://app.any.run/tasks/ef877fa2-5c6a-4295-92cc-8bf522a329a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.84.10731.4809.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683553e4acf88f5815e7758f
Tags:
spawn virus micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Detecting VM
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Reading critical registry keys
Unauthorized injection to a system process
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/683551f2171e01f9592defa8/reports/6f3b1beb-636d-422f-a276-fb892f29a8ba/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/57fb3950a9eaeeb3cb4d922f81eea4979aea1cafb15e75efa59dafe91f7ce9b5
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bebdbd45-45f0-42b0-95c2-69373d4ef45a
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1699535
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Deletes itself after installation
Detected Stratum mining protocol
Early bird code injection technique detected
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Notepad Making Network Connection
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1699535 Sample: solsniper.exe Startdate: 27/05/2025 Architecture: WINDOWS Score: 100 74 pastebin.com 2->74 76 ts1.aco.net 2->76 78 9 other IPs or domains 2->78 98 Sigma detected: Xmrig 2->98 100 Multi AV Scanner detection for dropped file 2->100 102 Multi AV Scanner detection for submitted file 2->102 106 7 other signatures 2->106 9 solsniper.exe 3 2->9         started        12 svchost.exe 2->12         started        15 sppsvc.exe 2->15         started        17 11 other processes 2->17 signatures3 104 Connects to a pastebin service (likely for C&C) 74->104 process4 dnsIp5 62 C:\Users\user\AppData\...\solsniper.exe.log, CSV 9->62 dropped 20 OpenWith.exe 7 9->20         started        124 Changes security center settings (notifications, updates, antivirus, firewall) 12->124 25 MpCmdRun.exe 12->25         started        126 Uses threadpools to delay analysis 15->126 70 127.0.0.1 unknown unknown 17->70 72 239.255.255.250 unknown Reserved 17->72 27 msedge.exe 17->27         started        29 msedge.exe 17->29         started        31 msedge.exe 17->31         started        33 3 other processes 17->33 file6 signatures7 process8 dnsIp9 82 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 20->82 84 ntp1.net.berkeley.edu 169.229.128.134 UCBUS United States 20->84 90 6 other IPs or domains 20->90 60 C:\Users\user\AppData\Local\...\YAu.exe, PE32+ 20->60 dropped 116 Early bird code injection technique detected 20->116 118 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->118 120 Query firmware table information (likely to detect VMs) 20->120 122 13 other signatures 20->122 35 YAu.exe 20->35         started        40 chrome.exe 1 20->40         started        42 msedge.exe 14 20->42         started        46 3 other processes 20->46 44 conhost.exe 25->44         started        86 192.168.2.7, 443, 49672, 49681 unknown unknown 27->86 88 s-part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49708, 49711 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->88 92 9 other IPs or domains 27->92 file10 signatures11 process12 dnsIp13 80 pastebin.com 172.67.25.94 CLOUDFLARENETUS United States 35->80 58 C:\Users\user\AppData\Local\Temp\THA377.tmp, PE32+ 35->58 dropped 108 Multi AV Scanner detection for dropped file 35->108 110 Writes to foreign memory regions 35->110 112 Modifies the context of a thread in another process (thread injection) 35->112 114 2 other signatures 35->114 48 notepad.exe 35->48         started        52 chrome.exe 40->52         started        54 chrome.exe 40->54         started        56 msedge.exe 42->56         started        file14 signatures15 process16 dnsIp17 64 pool-phx.supportxmr.com 107.167.83.34 IOFLOODUS United States 48->64 94 System process connects to network (likely due to code injection or exploit) 48->94 96 Query firmware table information (likely to detect VMs) 48->96 66 googlehosted.l.googleusercontent.com 142.250.101.132, 443, 49696, 49709 GOOGLEUS United States 52->66 68 clients2.googleusercontent.com 52->68 signatures18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/57fb3950a9eaeeb3cb4d922f81eea4979aea1cafb15e75efa59dafe91f7ce9b5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57fb3950a9eaeeb3cb4d922f81eea4979aea1cafb15e75efa59dafe91f7ce9b5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-27 01:02:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k75tsufj5lxlhs2nsixyd3ves6nouhfpwfphl35ftwx6sh345g2q._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
CoinMiner
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/250527-gg3czazmy5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Deletes itself
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cf71f782-6fdf-4eac-afad-eb012c23b19e
Unpacked files
SH256 hash:
57fb3950a9eaeeb3cb4d922f81eea4979aea1cafb15e75efa59dafe91f7ce9b5
MD5 hash:
eff7ea67b7e047d4dd907f0d1843e304
SHA1 hash:
18505da11829275a3923842737f086c98b0bd607
Link:
https://www.unpac.me/results/b3bba0ab-3344-4a8a-9b1f-bcde48470f3e/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/57fb3950a9ea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57fb3950a9eaeeb3cb4d922f81eea4979aea1cafb15e75efa59dafe91f7ce9b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 57fb3950a9eaeeb3cb4d922f81eea4979aea1cafb15e75efa59dafe91f7ce9b5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3551926/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments