MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99b236bc80f391b58b4b100c89d5c097ba9d4f901d07e9ba4616874c949b4e3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99b236bc80f391b58b4b100c89d5c097ba9d4f901d07e9ba4616874c949b4e3b
SHA3-384 hash: 7110014ec05131ad35942453f7ddf1330eb43c11afc512e05f2010f75f658f65f260e88ba6b0cfa633f2728d74335a9a
SHA1 hash: dbed7dda4a25241ffdff92d857bece44ddee6316
MD5 hash: 8462a27dffbc01d432e1b7410bed0ebe
humanhash: winner-sweet-pluto-triple
File name:SecuriteInfo.com.Win64.Evo-gen.3867.30279
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'881'400 bytes
First seen:2025-06-04 06:43:15 UTC
Last seen:2025-06-04 07:51:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash de41d4e0545d977de6ca665131bb479a (85 x CoinMiner)
ssdeep 49152:nin08HOd/jKwnmTOTYGsdVmr3Ll73s5XGVR+0RJgY+D8N3jIilc79egXA:njHZKwnmTOkGsdE3J3Q2VR+qJ7+DvAcY
Threatray 309 similar samples on MalwareBazaar
TLSH T188D5338CC6917735CD4A0A72C16ACFD29B6439720B75E2E75ED1E32A63328D18E74DC2
TrID 49.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
31.8% (.EXE) Win64 Executable (generic) (10522/11/4)
6.1% (.EXE) OS/2 Executable (generic) (2029/13)
6.0% (.EXE) Generic Win/DOS Executable (2002/3)
6.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
353
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-06-04 13:06:31 UTC
Tags:
amadey botnet stealer loader telegram lumma themida rdp miner silentcryptominer github evasion winring0x64-sys vuln-driver auto-reg vidar gcleaner
Link:
https://app.any.run/tasks/e138e676-5e68-47b2-8b12-b838ea0da90c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7204/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.3867.30279.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683febb18bd5d68a12e4e2cf
Tags:
virus spawn krypt mint
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Deleting a system file
Running batch commands
Launching a process
Creating a service
Creating a file
Launching a service
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Deleting a recently created file
DNS request
Connecting to a cryptocurrency mining pool
Connection attempt
Sending a custom TCP request
Loading a system driver
Using the Windows Management Instrumentation requests
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Verdict:
Malicious
Labled as:
Mint.Zard.Generic
Link:
https://www.hybrid-analysis.com/sample/99b236bc80f391b58b4b100c89d5c097ba9d4f901d07e9ba4616874c949b4e3b
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/308b1ec3-9992-4bd0-9498-aa4003fad3f8
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1705599
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Suspicious powershell command line found
Uses threadpools to delay analysis
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1705599 Sample: SecuriteInfo.com.Win64.Evo-... Startdate: 04/06/2025 Architecture: WINDOWS Score: 100 54 Multi AV Scanner detection for submitted file 2->54 56 Sigma detected: Stop EventLog 2->56 58 .NET source code references suspicious native API functions 2->58 60 11 other signatures 2->60 7 powershell.exe 2 15 2->7         started        10 SecuriteInfo.com.Win64.Evo-gen.3867.30279.exe 1 2 2->10         started        13 cclpujhkdyap.exe 2->13         started        15 5 other processes 2->15 process3 dnsIp4 74 Writes to foreign memory regions 7->74 76 Modifies the context of a thread in another process (thread injection) 7->76 78 Injects a PE file into a foreign processes 7->78 18 dllhost.exe 1 7->18         started        21 conhost.exe 7->21         started        50 C:\ProgramData\...\cclpujhkdyap.exe, PE32+ 10->50 dropped 80 Adds a directory exclusion to Windows Defender 10->80 23 powershell.exe 23 10->23         started        25 cmd.exe 1 10->25         started        27 sc.exe 1 10->27         started        29 9 other processes 10->29 82 Multi AV Scanner detection for dropped file 13->82 52 127.0.0.1 unknown unknown 15->52 84 Changes security center settings (notifications, updates, antivirus, firewall) 15->84 86 Uses threadpools to delay analysis 15->86 file5 signatures6 process7 signatures8 62 Injects code into the Windows Explorer (explorer.exe) 18->62 64 Contains functionality to inject code into remote processes 18->64 66 Writes to foreign memory regions 18->66 72 3 other signatures 18->72 31 lsass.exe 18->31 injected 46 18 other processes 18->46 68 Found suspicious powershell code related to unpacking or dynamic code loading 23->68 70 Loading BitLocker PowerShell Module 23->70 34 WmiPrvSE.exe 23->34         started        36 conhost.exe 23->36         started        38 conhost.exe 25->38         started        40 wusa.exe 25->40         started        42 conhost.exe 27->42         started        44 conhost.exe 29->44         started        48 7 other processes 29->48 process9 signatures10 88 Installs new ROOT certificates 31->88 90 Writes to foreign memory regions 31->90
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/99b236bc80f391b58b4b100c89d5c097ba9d4f901d07e9ba4616874c949b4e3b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99b236bc80f391b58b4b100c89d5c097ba9d4f901d07e9ba4616874c949b4e3b/
Threat name:
Win64.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2025-06-04 05:48:01 UTC
File Type:
PE+ (Exe)
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgzdnpea6oi3lc2lcagitvoas65j2t4qdud6tosgc2duzfe3jy5q._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
Similar samples:
093963c3fd2e61c4d8ac56c62a4fe9426bd348b65a9f681d2322f9a51fa1d655
CoinMiner
1465c03f920bc101bbeb925045ebf10af793246c533c8c90d82923a1c441b147
CoinMiner
1a45c674c9c80cee378a210c83c2492baae976727c62bbaf262ee06e6b88c1db
CoinMiner
3818c4f5333a5fb9fa7f9b9a0b764ad303dccb2c49bd11186c1132ec3b2a1552
CoinMiner
52e2f57489e8cabde628e4d477bfff50504b92cabba78ffaba9fd632e924932d
CoinMiner
5f7c6cdea3c4e825af1d796cbd34b2d45b2b6fabed130e717a30a6d871993f5d
CoinMiner
6c99b8348aaf2c00eb161a754eab7b6f54632e1bd5b9ae9bede5f0062dabe727
CoinMiner
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
CoinMiner
bc919d4fa285e2891889c6cf592c7f1707d69adead1af792e005e4d58cd02bbf
CoinMiner
error
CoinMiner
fc3f73647a48ceb5c3569a3fa01c666c8358a4c712bdc9817b046f1701be0383
CoinMiner
+ 299 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion execution miner persistence upx
Link:
https://tria.ge/reports/250604-hg5c1acr9w/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Checks BIOS information in registry
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Stops running service(s)
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xmrig family
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/29df3243-2530-4e67-947c-46255d616345
Unpacked files
SH256 hash:
99b236bc80f391b58b4b100c89d5c097ba9d4f901d07e9ba4616874c949b4e3b
MD5 hash:
8462a27dffbc01d432e1b7410bed0ebe
SHA1 hash:
dbed7dda4a25241ffdff92d857bece44ddee6316
Link:
https://www.unpac.me/results/d10f83c6-9cc9-4035-9614-98b530aaac66/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/99b236bc80f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/99b236bc80f391b58b4b100c89d5c097ba9d4f901d07e9ba4616874c949b4e3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_e8abb835
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 99b236bc80f391b58b4b100c89d5c097ba9d4f901d07e9ba4616874c949b4e3b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3557909/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/7204/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments