MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 691c7411c7a9e418e81f51c34e323735bcc12dd8c21c7a58ee149b588f3d621b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 18



SHA256 hash: 691c7411c7a9e418e81f51c34e323735bcc12dd8c21c7a58ee149b588f3d621b
SHA3-384 hash: f2ae246bd6dcf155f275d9d26aafc5ea2077db018fff43084dc6213ac8ea95c06d6f02e19e4cb3db2bbfb0d41b9d3981
SHA1 hash: 178ad0b76d7f2059676e9021e21bcb456004af74
MD5 hash: fce087e6dc906c6c23e72631522fa890
humanhash: mango-bulldog-lactose-west
File name: winx.exe
Signature: CoinMiner
File size: 11'186'455 bytes
First seen: 2025-10-18 18:10:30 UTC
Last seen: 2025-10-24 09:09:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 965e162fe6366ee377aa9bc80bdd5c65 (44 x BlankGrabber, 9 x Efimer, 7 x PythonStealer)
ssdeep: 196608:R05Os/lw4j9Jd2T9SuU5n7zj9AKm6gUU8gBk6vdQmRsIkaqdVTVjMfi4hD8Qw:ts/C4j9JAhSJ3GH6Yk4dQ3Iwd/qiU8Qw
TLSH: T123B6330666E408A7ED76D23C04B7421AEB1178608B31D5CF67E0A7BB1E273E15D3AF85
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: Alex_sev
Tags: CoinMiner dropper exe miner XMRIG

Intelligence


File Origin
# of uploads: 2
# of downloads: 212
Origin country: CZ

Vendor Threat Intelligence

Malware family:
ID: 1
File name: winx.exe
Verdict: Malicious activity
Analysis date: 2025-10-18 17:45:57 UTC
Tags: python pyinstaller miner github winring0-sys vuln-driver rust upx xor-url generic xmrig

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: installer extens spawn

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating synchronization primitives
Launching a process
Sending a custom TCP request
Creating a service
Creating a file
Launching a service
Creating a file in the Windows subdirectories
DNS request
Searching for synchronization primitives
Connecting to a cryptocurrency mining pool
Connection attempt
Loading a system driver
Using the Windows Management Instrumentation requests
Enabling autorun for a service
Unauthorized injection to a system process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: expand invalid-signature lolbin microsoft_visual_cc obfuscated overlay packed packed packer_detected signed threat

Verdict: Malicious
File Type: exe x64
First seen: 2025-10-18T12:21:00Z UTC
Last seen: 2025-10-20T05:31:00Z UTC
Hits: ~100
Detections: Trojan.Win32.Miner.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Trojan.Win32.Agent.rnd PDM:Trojan.Win32.Generic RiskTool.Miner.UDP.C&C Trojan.Win64.SilentCryptoMiner.aan

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Threat name: Win64.Malware.Heuristic
Status: Malicious
First seen: 2025-10-18 17:45:58 UTC
File Type: PE+ (Exe)
Extracted files: 533
AV detection: 12 of 38 (31.58%)

Threat level: 2/5
Verdict: malicious
Label(s): unc_loader_055
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:xmrig defense_evasion execution miner persistence pyinstaller upx
Behaviour:
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Suspicious use of SetThreadContext
UPX packed file
Legitimate hosting services abused for malware hosting/C2
Creates new service(s)
Cryptocurrency Miner
Executes dropped EXE
Loads dropped DLL
Stops running service(s)
XMRig Miner payload
Xmrig family
xmrig

Unpacked files
SHA256 hash: 691c7411c7a9e418e81f51c34e323735bcc12dd8c21c7a58ee149b588f3d621b
MD5 hash: fce087e6dc906c6c23e72631522fa890
SHA1 hash: 178ad0b76d7f2059676e9021e21bcb456004af74
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:PyInstaller
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
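The following is an added triage script, not code from MalwareBazaar, from the reporter, or from the sample. It ties together the hash block at the top of this entry and the PyInstaller/UPX YARA hits above: it computes the four digests the entry lists (SHA256, SHA1, MD5, SHA3-384) and matches them against the IOC values copied from this page, then parses the PE headers to list section names, flag UPX-style section names, measure the overlay, and look for the PyInstaller archive cookie magic (the fixed byte sequence PyInstaller writes at the end of its bundled archive). ssdeep, TLSH and imphash are not reproduced here because they need third-party libraries. The `build_sample_pe` helper fabricates a minimal PE skeleton purely as constructed test input; the UPX section-name check is a heuristic that a renamed packer defeats.

```python
"""Offline PE triage against the IOC hashes of one MalwareBazaar entry (added example)."""
import hashlib
import struct
import sys

# IOC hashes copied from the MalwareBazaar entry above (winx.exe).
IOC_HASHES = {
    "sha256": "691c7411c7a9e418e81f51c34e323735bcc12dd8c21c7a58ee149b588f3d621b",
    "sha1": "178ad0b76d7f2059676e9021e21bcb456004af74",
    "md5": "fce087e6dc906c6c23e72631522fa890",
    "sha3_384": "f2ae246bd6dcf155f275d9d26aafc5ea2077db018fff43084dc6213ac8ea95c06d6f02e19e4cb3db2bbfb0d41b9d3981",
}

# Magic that opens the PyInstaller CArchive cookie appended to bundled executables.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def file_hashes(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists for every sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def ioc_matches(data: bytes, iocs: dict = IOC_HASHES) -> list:
    """Names of the IOC digests that match this file (hex compared case-insensitively)."""
    digests = file_hashes(data)
    return sorted(name for name, value in iocs.items() if digests.get(name) == value.lower())


def pe_info(data: bytes) -> dict:
    """Parse the DOS/COFF headers and section table; raise ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    if len(data) < coff + 22:
        raise ValueError("truncated COFF header")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    (opt_magic,) = struct.unpack_from("<H", data, coff + 20)   # 0x10B = PE32, 0x20B = PE32+
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, "unknown")
    sect_off = coff + 20 + opt_size
    if len(data) < sect_off + 40 * nsections:
        raise ValueError("truncated section table")
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rsize, rptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize, "raw_offset": rptr})
    return {"format": fmt, "machine": machine, "sections": sections}


def triage(data: bytes) -> dict:
    """IOC match plus packer/bundler hints; 'pe' is None when the input is not a PE file."""
    report = {"ioc_match": ioc_matches(data), "pe": None,
              "upx_sections": False, "pyinstaller": False, "overlay_size": 0}
    try:
        info = pe_info(data)
    except ValueError:
        return report
    report["pe"] = info
    # UPX names its sections UPX0/UPX1/UPX2; a renamed packer defeats this, so it is a hint only.
    report["upx_sections"] = any(s["name"].upper().startswith("UPX") for s in info["sections"])
    # Overlay = bytes after the last section's raw data; PyInstaller's archive lives there.
    end_of_sections = max((s["raw_offset"] + s["raw_size"] for s in info["sections"]), default=0)
    report["overlay_size"] = max(0, len(data) - end_of_sections)
    report["pyinstaller"] = data.rfind(PYINSTALLER_MAGIC) != -1
    return report


def build_sample_pe(section_names, overlay=b"", pe32plus=True) -> bytes:
    """Constructed test input: a minimal, non-runnable PE skeleton (not a real sample)."""
    nsec = len(section_names)
    opt_size = 240 if pe32plus else 224                      # standard optional-header sizes
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, nsec, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = len(dos) + 4 + len(coff) + opt_size + 40 * nsec
    headers, body = b"", b""
    for name in section_names:
        raw = b"\xCC" * 64                                   # constructed section content
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(raw), 0x1000, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        body += raw
    return dos + b"PE\0\0" + coff + opt + headers + body + overlay


if __name__ == "__main__":
    if len(sys.argv) > 1:                                    # python triage.py <file>
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        packed = build_sample_pe(["UPX0", "UPX1", ".rsrc"],
                                 overlay=b"\0" * 16 + PYINSTALLER_MAGIC + b"\0" * 80)
        print("constructed packed PE:", triage(packed))
        print("constructed plain PE: ", triage(build_sample_pe([".text", ".data"], pe32plus=False)))
```

Run it with a path to hash a real file against the entry's IOCs, or with no arguments to see the two constructed skeletons scored. A SHA256 match is conclusive for this exact file; the UPX and PyInstaller hints only say the file shares the packaging reported for this sample, which the PyInstaller YARA rule above also warns is not by itself evidence of malice.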

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: CoinMiner
File: Executable exe 691c7411c7a9e418e81f51c34e323735bcc12dd8c21c7a58ee149b588f3d621b (this sample)
Behaviour: Dropping Miner
Delivery method: Distributed via web download

Comments