MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6acb851114fdc56205458aa12f2ddc014fc5a0db1cb0d29a6e481d8c40cae044. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	6acb851114fdc56205458aa12f2ddc014fc5a0db1cb0d29a6e481d8c40cae044
SHA3-384 hash:	06999c1eabc34859f51b05e9faf482cf542953990aede77d2fa9c0c2f79069c38591c3300e5787d5cf9db842a4de5bf2
SHA1 hash:	7825ad0f9413d49e0ff7845ef05d2110f2bb684d
MD5 hash:	9d269d7a373d11bec43b2c7b7bad15b3
humanhash:	lithium-purple-beryllium-network
File name:	file
Download:	download sample
File size:	3'212'600 bytes
First seen:	2025-12-01 19:18:47 UTC
Last seen:	2025-12-01 19:51:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3641b918fa6fcd6b6754b75fd2065c00 (1 x CoinMiner)
ssdeep	49152:B3GzaBUfkRn9JvBPjG3o9AugWEVcOkYK+sAFi5pLKwEdR2waua22e6ioZfg:BWz2fR9JvRj6kv+RFiHLKwEOul6Zg
Threatray	8 similar samples on MalwareBazaar
TLSH	T165E533AD5BC22EF5D842E1340282871A6C3FE1495B54D5FF3D6A32532AEC4CC9B70E69
TrID	73.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 8.9% (.EXE) OS/2 Executable (generic) (2029/13) 8.8% (.EXE) Generic Win/DOS Executable (2002/3) 8.8% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543

Bitsight

url: http://172.86.114.146/update.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

xmrig

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2025-12-01 19:20:12 UTC

Tags:

pastebin winring0-sys vuln-driver xmrig upx

Link:

https://app.any.run/tasks/dc35745c-b751-4b8d-8408-72a158ccdd1e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42054/

Detection(s):

Win.Packed.Tedy-10024450-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692dec5116e6db515e45ab2c

Tags:

injection virus krypt mint

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Running batch commands

Launching a process

Creating a service

Creating a file

Launching a service

Creating a process from a recently created file

Creating a file in the Windows subdirectories

Searching for synchronization primitives

Creating a file in the system32 subdirectories

Launching cmd.exe command interpreter

DNS request

Connecting to a cryptocurrency mining pool

Connection attempt

Sending a custom TCP request

Loading a system driver

Enabling autorun for a service

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug expired-cert invalid-signature signed

Link:

https://www.filescan.io/uploads/692dea36175eb9965c9f6837/reports/fab03ad8-06fe-4dea-96b8-a28f33d2c67c/overview

Verdict:

Malicious

Labled as:

Mint.Zard.Generic

Link:

https://www.hybrid-analysis.com/sample/6acb851114fdc56205458aa12f2ddc014fc5a0db1cb0d29a6e481d8c40cae044

Result

Gathering data

Malware family:

XMRig Miner

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/430cbb96-bf16-493b-a38d-ec36482155e8

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6acb851114fdc56205458aa12f2ddc014fc5a0db1cb0d29a6e481d8c40cae044

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/9d269d7a373d11bec43b2c7b7bad15b3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6acb851114fdc56205458aa12f2ddc014fc5a0db1cb0d29a6e481d8c40cae044/

Verdict:

Malicious

Threat:

Family.XMRIG

Link:

https://tip.neiki.dev/file/6acb851114fdc56205458aa12f2ddc014fc5a0db1cb0d29a6e481d8c40cae044

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nlfykeiu7xcwebkfrkqs6lo4afh4lig3dsynfgtojaoyyqgk4bca._file

Verdict:

malicious

Label(s):

xmrig

6acb851114fdc56205458aa12f2ddc014fc5a0db1cb0d29a6e481d8c40cae044

714deddbe31e2804f44a3532553f5560792552bfecbfb0e95137ba906e25e6d7

8832f5ecb1e61c79555bb01ba4b0567c3293400b64deb504349fde67d2c5f6d2

984dbd06c3a8ece43142e45d61b2aa3dfae7be270edc66153dc8d521f481d1ef

c28c65b7f30c1ed7af879a7aa2b6aa8b1f8e54775ed847d0655a8d7bb2f939c7

error

fb710f58f94eba2aaf7e08c8244c7db62b54846c1172ae2c67d5d3c136b011f7

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig defense_evasion execution miner persistence upx

Link:

https://tria.ge/reports/251201-x1mdvsvlfp/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Creates new service(s)

Executes dropped EXE

Stops running service(s)

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

XMRig Miner payload

Xmrig family

xmrig

Verdict:

Malicious

Tags:

Win.Packed.Tedy-10024450-0

YARA:

n/a

Link:

https://app.threat.zone/submission/6c804c96-aad5-4c1e-a521-213ba064911f

Unpacked files

SH256 hash:

6acb851114fdc56205458aa12f2ddc014fc5a0db1cb0d29a6e481d8c40cae044

MD5 hash:

9d269d7a373d11bec43b2c7b7bad15b3

SHA1 hash:

7825ad0f9413d49e0ff7845ef05d2110f2bb684d

Link:

https://www.unpac.me/results/ca0e489b-2c96-4ed5-a261-62a5f9895d2f/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Windows_Generic_Threat_e8abb835 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 6acb851114fdc56205458aa12f2ddc014fc5a0db1cb0d29a6e481d8c40cae044

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3722423/

Cape

https://www.capesandbox.com/analysis/42054/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample