MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6abbe6ae99e3ae4311804d63dcf9e34c6a486432daadf6bfdb988a0b1e6fd107. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6abbe6ae99e3ae4311804d63dcf9e34c6a486432daadf6bfdb988a0b1e6fd107
SHA3-384 hash: 17b3708bb8d72f3ee9a8d1940953fe9ba6faea2d68a739920305309ecb585e856e7ec370337ce0667a001a92e6fb0a4f
SHA1 hash: 551817732b26f58b2992307edb5bbdc12d2a3c80
MD5 hash: d44269e8005e1c265f1e964cab88d4a1
humanhash: autumn-double-florida-ink
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'519'512 bytes
First seen:2026-01-24 00:30:20 UTC
Last seen:2026-01-24 01:09:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b237ac2118704db9e7609540658f5790 (30 x CoinMiner)
ssdeep 98304:bXxsPxB5S7kctb6Jie4em2ZBvv7LjXBgLv1/vNOeZbocpWuM+3ElVcVDJTo0:bhmx2kctKBO2DPjXS1nNjEtuDcVY5
Threatray 889 similar samples on MalwareBazaar
TLSH T1D746231123B617A8EC029677C5FD98F45EB23B0B9F53549F4F623A93FA638D4C41290A
TrID 49.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
31.8% (.EXE) Win64 Executable (generic) (10522/11/4)
6.1% (.EXE) OS/2 Executable (generic) (2029/13)
6.0% (.EXE) Generic Win/DOS Executable (2002/3)
6.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:CoinMiner dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://130.12.180.43/files/6382108206/AoA6ARH.exe

Intelligence

File Origin
# of uploads :
8
# of downloads :
184
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
SilentCryptoMiner
Details
PEPacker
a UPX version number and an unpacked binary
SilentCryptoMiner
AES-CBC decryption parameters, decrypted component(s), and possibly urls and a CryptoCurrency address
Link:
https://research.acce.ciphertechsolutions.com/results/2b3733e7-9d00-473a-bca5-0d3bcf9b9faa/
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-01-24 00:30:47 UTC
Tags:
miner winring0-sys vuln-driver amsi-bypass xmrig upx xor-url generic
Link:
https://app.any.run/tasks/0a78bf37-9354-4be8-b877-22d79439088e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49936/
Detection(s):
Win.Trojan.Genkryptik-10016533-0
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697412bef3cf908ba507dd32
Tags:
injection obfusc crypt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug coinminer crypt invalid-signature krypt miner signed unsafe windows
Link:
https://www.filescan.io/uploads/697412b6a9d5ec2c54cf967a/reports/47ae62ef-20c6-45d3-9984-6749ad42e0dd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6abbe6ae99e3ae4311804d63dcf9e34c6a486432daadf6bfdb988a0b1e6fd107
Result
Gathering data
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a31436f4-41b1-4722-bfad-670b0200a712
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6abbe6ae99e3ae4311804d63dcf9e34c6a486432daadf6bfdb988a0b1e6fd107
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/d44269e8005e1c265f1e964cab88d4a1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6abbe6ae99e3ae4311804d63dcf9e34c6a486432daadf6bfdb988a0b1e6fd107/
Verdict:
Malicious
Threat:
Family.UNAMSILENTCRYPTOMINER
Link:
https://tip.neiki.dev/file/6abbe6ae99e3ae4311804d63dcf9e34c6a486432daadf6bfdb988a0b1e6fd107
Threat name:
Win64.Trojan.Reflo
Create hunting rule
Status:
Malicious
First seen:
2026-01-24 00:31:05 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nk56nluz4oxegemajvr5z6pdjrveqzbs3kw7np63tcfawhtp2edq._file
Verdict:
malicious
Label(s):
unc_loader_055
Create hunting rule
Similar samples:
8db0cd1d0244de2a22f748c4d8fdac91f6850f1fef19bc7f2afe1d5cefb5b228
CoinMiner
9ff62f3e271ae8e05cb2c296bfe39f1e892adb61b350aa8a740539b0301c7955
CoinMiner
a92496d47628f8ca944290ddf8d791b2cf5f7858397afcff4b609908aaf1fce6
CoinMiner
ac035aeacf8e68baf9d44aadc29d2036d9ad86578622f3d691b58277412dcb37
CoinMiner
ae7224287a33de677612229acdf01a5eac12e60bceec1bcbaa47579b154aff28
CoinMiner
c78ba64e698b6db6a9a1c05b3c82c5d12ba12d668a440f844f287828c031d825
CoinMiner
error
CoinMiner
f348584967e1869fce5e6208cd86713dada23c117ae3f65d4bd0393d4c379f12
CoinMiner
f930afd78b0f26099dc7bf8170ebb7c0514e4100f72720ae711bf7251b15377c
CoinMiner
fc3f73647a48ceb5c3569a3fa01c666c8358a4c712bdc9817b046f1701be0383
CoinMiner
+ 879 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion execution miner persistence upx
Link:
https://tria.ge/reports/260124-atwydsgx9a/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Power Settings
Creates new service(s)
Executes dropped EXE
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
XMRig Miner payload
Xmrig family
xmrig
Unpacked files
SH256 hash:
6abbe6ae99e3ae4311804d63dcf9e34c6a486432daadf6bfdb988a0b1e6fd107
MD5 hash:
d44269e8005e1c265f1e964cab88d4a1
SHA1 hash:
551817732b26f58b2992307edb5bbdc12d2a3c80
Link:
https://www.unpac.me/results/2fb6a0ed-5fae-4535-837b-1196a05b4737/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6abbe6ae99e3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6abbe6ae99e3ae4311804d63dcf9e34c6a486432daadf6bfdb988a0b1e6fd107

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Windows_Generic_Threat_e8abb835
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 6abbe6ae99e3ae4311804d63dcf9e34c6a486432daadf6bfdb988a0b1e6fd107

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/49936/
  
URLhaus
https://urlhaus.abuse.ch/url/3762806/

Comments