MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 17


Intelligence 17 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af
SHA3-384 hash: 11c52c44d1d47fed41def5c4db2d9e04a188a20a41619ee8d3e57defd9652f299eed4f794cc47ea4f64eb8ab2aa2cea8
SHA1 hash: 62e4f78766874dedb4bbe41b1657446c4821329f
MD5 hash: 94b4f31866a695d2b2b1583bee1328fb
humanhash: bacon-mango-july-april
File name:45058fd046634b96bcb5bf76d13300cb_bound_build.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:12'337'961 bytes
First seen:2025-09-05 18:30:40 UTC
Last seen:2025-09-06 08:14:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4b1892ce4fbcfcf064c6f69d693fc6a5 (10 x Rhadamanthys, 4 x AgentTesla, 3 x QuasarRAT)
ssdeep 98304:6JCe0hK3jlrqm/hrT8ym16ijkeqlGpALD3avzvCB7Nyp6FkiJLDYXOnlID:e0E3pxFTTmYicGos47NA6iiJLDYXKlID
Threatray 114 similar samples on MalwareBazaar
TLSH T101C6AD12E2FD01E8E5BBC178C667551BE7B27855132097DF52A08A692F23FE06E3D321
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:185-238-191-89 CoinMiner donutloader exe Rhadamanthys


Avatar
iamaachum
http://185.238.191.89:5554/45058fd046634b96bcb5bf76d13300cb_bound_build.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
94
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
xQ4gNK9auvFo4.exe
Verdict:
Malicious activity
Analysis date:
2025-09-06 02:33:18 UTC
Tags:
loader anti-evasion stealer auto-sch rhadamanthys miner xmrig
Link:
https://app.any.run/tasks/8585bf86-b07c-4444-80bf-a6810d9f4abc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25903/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bb2c7beb163e0ec1849d53
Tags:
downloader shellcode dropper spoof
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug fingerprint microsoft_visual_cc overlay overlay packed threat
Link:
https://www.filescan.io/uploads/68bb2c8237c25fcf12d513f2/reports/007f13af-ff54-4cad-bd69-a6b214753f6b/overview
Verdict:
Suspicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-05T16:22:00Z UTC
Last seen:
2025-09-05T16:22:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6214ee23-c89a-42a7-b0ce-6d98e4796e66
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1772037
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found stalling execution ending in API Sleep call
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Sigma detected: System File Execution Location Anomaly
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1772037 Sample: 45058fd046634b96bcb5bf76d13... Startdate: 05/09/2025 Architecture: WINDOWS Score: 100 66 pool.supportxmr.com 2->66 68 pool-nyc.supportxmr.com 2->68 84 Found malware configuration 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus detection for dropped file 2->88 90 6 other signatures 2->90 11 45058fd046634b96bcb5bf76d13300cb_bound_build.exe 5 2->11         started        signatures3 process4 file5 52 C:\Users\user\AppData\Local\...\nzdjkegm.exe, PE32+ 11->52 dropped 54 C:\Users\user\AppData\Local\...\46f5tnim.exe, PE32+ 11->54 dropped 14 nzdjkegm.exe 15 11->14         started        19 46f5tnim.exe 15 11->19         started        21 conhost.exe 11->21         started        process6 dnsIp7 76 185.238.191.89, 49691, 49692, 5554 SECUREBITSecurebitAutonomousSystemCH European Union 14->76 58 C:\Users\user\AppData\Local\zztb\cog.exe, PE32 14->58 dropped 60 4f4f24f0764040c484...rypted_build[1].exe, PE32 14->60 dropped 78 Found API chain indicative of debugger detection 14->78 23 cog.exe 16 14->23         started        62 C:\Users\user\AppData\Local\klsh\cog.exe, PE32+ 19->62 dropped 64 ab11eccc5c6f4f2c81...15d362_miner[1].exe, PE32+ 19->64 dropped 27 cog.exe 2 19->27         started        file8 signatures9 process10 dnsIp11 70 62.60.158.37 IROST-ASIR Iran (ISLAMIC Republic Of) 23->70 72 62.60.158.10 IROST-ASIR Iran (ISLAMIC Republic Of) 23->72 92 Antivirus detection for dropped file 23->92 94 Found stalling execution ending in API Sleep call 23->94 96 Found API chain indicative of sandbox detection 23->96 100 3 other signatures 23->100 30 conhost.exe 23->30         started        56 C:\Users\user\AppData\Roaming\...\consent.exe, PE32+ 27->56 dropped 98 Multi AV Scanner detection for dropped file 27->98 32 consent.exe 5 27->32         started        36 cmd.exe 1 27->36         started        38 conhost.exe 27->38         started        file12 signatures13 process14 file15 50 C:\Users\user\AppData\...\msedge_updater.dat, PE32+ 32->50 dropped 80 Multi AV Scanner detection for dropped file 32->80 40 msedge_updater.dat 1 32->40         started        82 Uses schtasks.exe or at.exe to add and modify task schedules 36->82 44 conhost.exe 36->44         started        46 schtasks.exe 1 36->46         started        signatures16 process17 dnsIp18 74 104.243.33.118 RELIABLESITEUS United States 40->74 102 Antivirus detection for dropped file 40->102 104 Multi AV Scanner detection for dropped file 40->104 106 Query firmware table information (likely to detect VMs) 40->106 48 conhost.exe 40->48         started        signatures19 process20
Score:
58%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
.Net Executable Html Javascript in Html PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/94b4f31866a695d2b2b1583bee1328fb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-05 18:31:29 UTC
File Type:
PE+ (Exe)
Extracted files:
15
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u7etnj5zr6punh6dmfysfh5uy6c45qajkzuulfmrp226sjaig6xq._file
Verdict:
malicious
Label(s):
xmrig
Create hunting rule
donut_injector
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
17d651beb2f137db26ef7821e8e4648d3065146aa54340d2962c295cff4510b8
CoinMiner
7215b48548bba5e5502aa68bb83c51c3fdbb30978e7cd2f5b44898886218d085
CoinMiner
a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af
CoinMiner
ab89658928c28f0c089080e766c02fbc11c214d7f61e9631ad98f163bd770772
CoinMiner
afba422a25bd24633d887ba7fab1723a580cc8b7bcbbf9c00015314e745d8a58
CoinMiner
cfaed4f7db58b901f28cf05aefc32d824d56d5d9be3c6d11dea052527aa7236e
CoinMiner
error
CoinMiner
+ 104 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:rhadamanthys discovery loader stealer
Link:
https://tria.ge/reports/250905-w55wbsvtew/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Executes dropped EXE
Downloads MZ/PE file
Detects DonutLoader
Detects Rhadamanthys Payload
DonutLoader
Donutloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c511abed-9b7c-4ec8-ad57-f6d46db7c27b
Unpacked files
SH256 hash:
33c75708915a4da1096034f04b5531a5985ce1188a73d3b98135ba1804c217a9
MD5 hash:
abedfa6a0db84fec68715015f7f6475b
SHA1 hash:
1671484c3714d37212760b4cd0ff43a8bd5fc344
Link:
https://www.unpac.me/results/4441b2e7-bc10-4a14-974c-d5ff0d3dc83f/
SH256 hash:
c9e2f9f04aded97ac6902991397dd78f17b651d08dc5f29d8e889dbd5c02746c
MD5 hash:
85702891b04babe57938cd3b7b4633f2
SHA1 hash:
714cca53fc171a812fc45813057ad7753d2cc678
Link:
https://www.unpac.me/results/4441b2e7-bc10-4a14-974c-d5ff0d3dc83f/
SH256 hash:
37bead9a87d704618ad1f507d833d311a914afd166fa7db526a5d3885f6f8ad4
MD5 hash:
c5b656dec98ffc25c33ebd44773ecdea
SHA1 hash:
bf1783dec6d0aae1c2c9a73e5aa3596fd0c4e942
Link:
https://www.unpac.me/results/4441b2e7-bc10-4a14-974c-d5ff0d3dc83f/
SH256 hash:
4f56c74032b71f5e523667f0cad97de31aefb53fd1b7f4c886a7a99fe2407a30
MD5 hash:
712ce730f96f8d5b1e5d8b4b41eca6aa
SHA1 hash:
37cf3a2307d7d84b70528ca71005fc04fb56bdd2
Link:
https://www.unpac.me/results/4441b2e7-bc10-4a14-974c-d5ff0d3dc83f/
SH256 hash:
b910006cea197f661c19638e3b2c8cc6033e13cb87c91e6fd7e4b59b9e3ab335
MD5 hash:
71867d25f47d64416c00b201aa34961a
SHA1 hash:
2b837fc662c757c9b91a9fb8893498b08414ce1c
Link:
https://www.unpac.me/results/4441b2e7-bc10-4a14-974c-d5ff0d3dc83f/
SH256 hash:
c05d685863850917187b7282aa9739b23d5b967cac411c1fbe122b13a24ce5fa
MD5 hash:
ba95de25f100739f3b28e0b80165e643
SHA1 hash:
e8b992ad23e4fac1698a530d835fd086a80cf238
Link:
https://www.unpac.me/results/4441b2e7-bc10-4a14-974c-d5ff0d3dc83f/
SH256 hash:
0a05cc0490a582ac61b1b9e8b8ca24cfe926c65a85088eac8615e02e3e282489
MD5 hash:
5998ed633567d2c0f4078fab278dc797
SHA1 hash:
4d1924fcff8b4b9b3233e8c6f9180464801ed712
Link:
https://www.unpac.me/results/4441b2e7-bc10-4a14-974c-d5ff0d3dc83f/
SH256 hash:
b785b5c9614deb53d722be38cfa949d5b0bc360d105c4d53a1be4f648324892c
MD5 hash:
c683830ecc56a96cf9047f4ea19904e1
SHA1 hash:
8f57bb573a537bc29bf6387474c57252b965dbeb
Link:
https://www.unpac.me/results/4441b2e7-bc10-4a14-974c-d5ff0d3dc83f/
SH256 hash:
a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af
MD5 hash:
94b4f31866a695d2b2b1583bee1328fb
SHA1 hash:
62e4f78766874dedb4bbe41b1657446c4821329f
Link:
https://www.unpac.me/results/4441b2e7-bc10-4a14-974c-d5ff0d3dc83f/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7c936a7b98f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:ducktail
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked ducktail malware samples.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe a7c936a7b98f9f469fc36171229fb4c785cec00956694595917eb5e9240837af

(this sample)

  
Link
https://tria.ge/250905-w2y9davshs/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/25903/
  
URLhaus
https://urlhaus.abuse.ch/url/3618271/

Comments