MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9333c323c3fe82695c58625412e5163cf0db4804e3740b941bde6aef4375999a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 15



SHA256 hash: 9333c323c3fe82695c58625412e5163cf0db4804e3740b941bde6aef4375999a
SHA3-384 hash: 635441bbff16b4913a730a7b4383fb5792aa333960a7f19d5b16bad8d40ae8171e98280717859b6277fe01e3ad784e65
SHA1 hash: 550f38f9aa9b46d2737f3b589eeebc3e2ee1d69b
MD5 hash: cdafef0209c6ea580496f5f729f231fb
humanhash: music-violet-kansas-lake
File name: 9333c323c3fe82695c58625412e5163cf0db4804e3740b941bde6aef4375999a
Signature: CoinMiner
File size: 180'736 bytes
First seen: 2026-04-15 19:37:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f1b68ca79cbcadd0e6e325dcf892eb21 (1 x CoinMiner)
ssdeep 3072:Wjo8/GoiUlPGWm29E8LdXQxyBMu9CGeIq3tuuml8Ed:Wz/3iURG38LNSIq9uuvE
TLSH T1B504094ABEE601E8D1364639B4A64B41E725FF1146284BFF115872DF1F326C09CBAA1F
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
dhash icon 34ecccf0f0f8d4d4 (1 x CoinMiner)
Reporter johnk3r
Tags: CoinMiner exe hmbr-org-br latam XMRIG

Intelligence


File Origin
Uploads: 1
Downloads: 186
Origin country: CH
Vendor Threat Intelligence
No detections
Malware family:
ID:
1
File name:
https://hmbr.org.br/downloads/PdfReader.zip
Verdict:
Malicious activity
Analysis date:
2026-04-15 13:40:38 UTC
Tags:
arch-exec github miner xmrig

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
stration dropper shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Searching for synchronization primitives
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level: 7.5/10
Confidence:
100%
Tags:
anti-debug cmd hacktool lolbin microsoft_visual_cc overlay schtasks
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-15T07:12:00Z UTC
Last seen:
2026-04-16T13:24:00Z UTC
Hits:
~100
Detections:
BSS:Trojan.Win32.Generic
Trojan.Win64.Miner.sb
VHO:Trojan-Dropper.Win32.Sysn.gen
VHO:Trojan.Win32.Miner.bfsri
PDM:Trojan.Win32.Generic
Trojan.Win32.CoinMiner.sb
Trojan.Win32.Agent.sb
HEUR:Trojan.Script.Miner.gen
not-a-virus:RiskTool.Win64.XMRigMiner.a
not-a-virus:HEUR:RiskTool.Script.BitMiner.gen
not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen
not-a-virus:RiskTool.Win32.BitCoinMiner.sb
not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.gen
not-a-virus:BSS:RiskTool.Win32.BitCoinMiner.ga
RiskTool.Miner.UDP.C&C
RiskTool.Miner.TCP.C&C
RiskTool.BitCoinMiner.TCP.C&C
Result
Threat name:
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Found evasive API chain (may stop execution after checking mutex)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Xmrig
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 1899056):
Sample: BAVdyDHPXv.exe
Start date: 15/04/2026
Architecture: WINDOWS
Score: 100
Sample-level signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
Contacted domains and IPs:
github.com 140.82.113.4, 443, 49715, GITHUBUS, United States (contacted by BAVdyDHPXv.exe)
release-assets.githubusercontent.com 185.199.109.133, 443, 49716, FASTLYUS, Netherlands (contacted by BAVdyDHPXv.exe)
pool.supportxmr.com
107.167.83.34, 3333, 49724, IOFLOODUS, United States (contacted by xmrig.exe); Detected Stratum mining protocol
2 other IPs or domains
Process tree:
BAVdyDHPXv.exe started powershell.exe, MsEdgeUpdate.exe, cmd.exe and schtasks.exe
powershell.exe started conhost.exe
MsEdgeUpdate.exe started xmrig.exe
cmd.exe started timeout.exe; timeout.exe started conhost.exe
schtasks.exe started conhost.exe
svchost.exe (two instances) and 7 other processes were also started; svchost.exe started MpCmdRun.exe, which started conhost.exe
Dropped files:
C:\Users\user\AppData\...\MsEdgeUpdate.exe (PE32+), dropped by BAVdyDHPXv.exe
C:\Users\...\task_MicrosoftEdgeUpdateCore.xml (XML), dropped by BAVdyDHPXv.exe
C:\Users\user\AppData\...\del_installer.bat (DOS), dropped by BAVdyDHPXv.exe
C:\Users\user\AppData\Roaming\...\xmrig.exe (PE32+), dropped by powershell.exe
C:\Users\user\AppData\...\WinRing0x64.sys (PE32+), dropped by powershell.exe
C:\Users\user\AppData\Roaming\...\config.json (JSON), dropped by powershell.exe
Per-process signatures:
BAVdyDHPXv.exe: Found evasive API chain (may stop execution after checking mutex); Suspicious powershell command line found; Self deletion via cmd or bat file; Uses schtasks.exe or at.exe to add and modify task schedules
svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall)
powershell.exe: Sample is not signed and drops a device driver; Loading BitLocker PowerShell Module; Powershell drops PE file
MsEdgeUpdate.exe: Found evasive API chain (may stop execution after checking mutex)
xmrig.exe: Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Found strings related to Crypto-Mining
Gathering data
Threat name:
Win64.Trojan.Znyonm
Status:
Malicious
First seen:
2026-04-15 08:32:39 UTC
File Type:
PE+ (Exe)
Extracted files:
5
AV detection:
10 of 24 (41.67%)
Threat level: 5/5
Result
Malware family:
n/a
Score: 8/10
Tags:
execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Unpacked files
SHA256 hash:
9333c323c3fe82695c58625412e5163cf0db4804e3740b941bde6aef4375999a
MD5 hash:
cdafef0209c6ea580496f5f729f231fb
SHA1 hash:
550f38f9aa9b46d2737f3b589eeebc3e2ee1d69b
SHA256 hash:
4a3f21b2f0b0c4d4e5d43cfdcd8fb800c95a4ad7ec582d714ccd9480df826e2c
MD5 hash:
9191668067d2e379c9bc471341021d02
SHA1 hash:
2ef5d0d8492aa47d9074b6a24cdb67be51c5e2c9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: CoinMiner
Sample: Executable exe 9333c323c3fe82695c58625412e5163cf0db4804e3740b941bde6aef4375999a (this sample)
Delivery method: Distributed via e-mail attachment

Comments