MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e9dd191856ca7b1c817a3f2df6d51044f1a3711cda63274cee740d960757450. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e9dd191856ca7b1c817a3f2df6d51044f1a3711cda63274cee740d960757450
SHA3-384 hash: 55ac066ade0e7c4ffedc93a73862d773530af7454b433068913ac47a43c54a05116454a9aeda3225f61f6d7ee5f8ea4c
SHA1 hash: 8e173e17cf718fdc4e767030685f93f86bee1077
MD5 hash: 0b9e1d71fd1be2e396c81d67c74e6cef
humanhash: helium-jersey-hot-maine
File name:0b9e1d71fd1be2e396c81d67c74e6cef.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:12'255'125 bytes
First seen:2025-07-01 09:47:14 UTC
Last seen:2025-09-21 04:01:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e19ef3c78a1511663db464b607820070 (2 x CoinMiner)
ssdeep 196608:avmzYPW+OWE0o49vTFKIvIu4FIzWuM5zQLF1bAtqJMxBuH5PnYiBmiwMbv3nYboV:vzAWUqCEo16pxibAsH5QVubPYbI1J
TLSH T12FC6335837E404F7E8339736C2B41B6AD27328061770DE5A823D139D6E37BA5983AF91
TrID 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
75
# of downloads :
20
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
4e78d104e0b4c373a892cea59ff2471a890b9c584834665479ed1f6b65c93c99.bin
Verdict:
Malicious activity
Analysis date:
2025-07-01 05:00:19 UTC
Tags:
amadey botnet stealer rdp arch-exec loader delphi auto-reg lumma
Link:
https://app.any.run/tasks/c9e1a339-446e-4e27-9bf8-b8950031b704

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/11799/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6863aeac0fceda814b479f26
Tags:
virus spawn
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug expand fingerprint keylogger lolbin microsoft_visual_cc overlay overlay packed packed packed
Link:
https://www.filescan.io/uploads/6863aeb17423ff017c3929e5/reports/aef34d8e-df56-4d5a-9272-c7aee04daefc/overview
Verdict:
Suspicious
Labled as:
Trojan_Win32_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/7e9dd191856ca7b1c817a3f2df6d51044f1a3711cda63274cee740d960757450
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/56689dc1-5542-46ce-b653-0e35c42734dc
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.troj.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1726255
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Xmrig
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1726255 Sample: noTcQ6eEjm.exe Startdate: 01/07/2025 Architecture: WINDOWS Score: 100 57 blue.o7lab.me 2->57 63 Sigma detected: Xmrig 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Yara detected Xmrig cryptocurrency miner 2->67 69 9 other signatures 2->69 10 noTcQ6eEjm.exe 10 2->10         started        13 svchost.exe 2->13         started        16 powershell.exe 7 2->16         started        18 9 other processes 2->18 signatures3 process4 file5 53 C:\Users\user\AppData\Local\Temp\...\bb.exe, PE32+ 10->53 dropped 55 C:\Users\user\AppData\Local\...\oleacc.dll, PE32+ 10->55 dropped 20 bb.exe 2 10->20         started        83 Changes security center settings (notifications, updates, antivirus, firewall) 13->83 24 MpCmdRun.exe 1 13->24         started        26 conhost.exe 16->26         started        28 WerFault.exe 2 18->28         started        signatures6 process7 file8 49 C:\Users\user\Pictures\oleacc.dll, PE32+ 20->49 dropped 51 C:\Users\user\Pictures\casteProtector.exe, PE32+ 20->51 dropped 71 Writes to foreign memory regions 20->71 73 Allocates memory in foreign processes 20->73 75 Modifies the context of a thread in another process (thread injection) 20->75 77 3 other signatures 20->77 30 csc.exe 16 2 20->30         started        34 cmd.exe 1 20->34         started        36 WerFault.exe 19 16 20->36         started        38 conhost.exe 24->38         started        signatures9 process10 dnsIp11 59 blue.o7lab.me 196.251.116.205, 39001, 49301, 49730 xneeloZA Seychelles 30->59 61 196.251.88.246, 49734, 80 Web4AfricaZA Seychelles 30->61 85 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 30->85 87 Writes to foreign memory regions 30->87 89 Modifies the context of a thread in another process (thread injection) 30->89 93 2 other signatures 30->93 40 AddInProcess.exe 30->40         started        43 conhost.exe 34->43         started        45 reg.exe 1 1 34->45         started        signatures12 91 Detected Stratum mining protocol 59->91 process13 signatures14 79 Query firmware table information (likely to detect VMs) 40->79 81 Found strings related to Crypto-Mining 40->81 47 conhost.exe 40->47         started        process15
Score:
64%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/7e9dd191856ca7b1c817a3f2df6d51044f1a3711cda63274cee740d960757450
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/0b9e1d71fd1be2e396c81d67c74e6cef
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e9dd191856ca7b1c817a3f2df6d51044f1a3711cda63274cee740d960757450/
Verdict:
Malicious
Threat:
Image-BMP.Format.Malformed
Link:
https://tip.neiki.dev/file/7e9dd191856ca7b1c817a3f2df6d51044f1a3711cda63274cee740d960757450
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2o5demfnst3dsaxupzn63krarhrunyrzwtde5go45ansydvoria._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Link:
https://tria.ge/reports/250701-lscznstqv8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7a7f4ee2-bb64-41a3-949c-bdf4a37affb2
Unpacked files
SH256 hash:
7e9dd191856ca7b1c817a3f2df6d51044f1a3711cda63274cee740d960757450
MD5 hash:
0b9e1d71fd1be2e396c81d67c74e6cef
SHA1 hash:
8e173e17cf718fdc4e767030685f93f86bee1077
Link:
https://www.unpac.me/results/523ca986-0324-4371-ab94-cf1cfe968940/
SH256 hash:
266a16d1c79d7b47be2f7763137217524ae0117bd0a7a1f1e68d2176c1895f6e
MD5 hash:
10800f9fb487aeb48781e3dcf3c573fa
SHA1 hash:
f946d2da999356ee408d10002c2bc328ce13d912
Link:
https://www.unpac.me/results/523ca986-0324-4371-ab94-cf1cfe968940/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 7e9dd191856ca7b1c817a3f2df6d51044f1a3711cda63274cee740d960757450

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3572447/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/11799/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments