MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9c42f11e75c3525d8d0f3f036c2f603e60fe102fc68b8f22a8b4c81779652a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner.XMRig


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9c42f11e75c3525d8d0f3f036c2f603e60fe102fc68b8f22a8b4c81779652a2
SHA3-384 hash: c6ff665423d5ab934c022c6958a9d731fa8e72be4d80e1ee4aaefaf23b4ab27d55a8b74758d8e9b162d55985c1f4e24b
SHA1 hash: 4e0812d11ee4344e599d5c8a5f52e3e0664d2642
MD5 hash: 8f7ea7be4386da8059546cc2a0646de1
humanhash: wisconsin-artist-steak-louisiana
File name:em_XsVM4WZh_installer_Win7-Win11_x86_x64.msi
Download: download sample
Signature CoinMiner.XMRig
Create hunting rule
File size:98'541'568 bytes
First seen:2025-03-24 13:25:02 UTC
Last seen:2025-04-07 18:59:30 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:Ty7kX8EflR/epgGzGIqB/PsE1RafPiNPk1SL9KW+XTwy1f25tdCt5749tZOt5:uTEflR/wzmhsE1W6NaSonv1f25tCoOf
TLSH T113283312B53558FBE9A60C328C739626C3797E771A618C8B4FF07B0D25B22833779619
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:almeida-clientepj-com CoinMiner.XMRig msi signed

Code Signing Certificate

Organisation:ITarian LLC
Issuer:Sectigo Public Code Signing CA EV R36
Algorithm:sha256WithRSAEncryption
Valid from:2022-04-20T00:00:00Z
Valid to:2025-04-19T23:59:59Z
Serial number: c5924c0273fe90c912bfe4f50ff11484
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 544c7c65161f2d391e637ba9962668970517face7415c565af9b030301c1ceaa
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
104
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e24c14bb84e066269ed94d
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context crypto fingerprint installer signed
Link:
https://www.filescan.io/uploads/67e15d49de7b23ce171dd23a/reports/f18d9f87-21ca-44e9-88a4-7ddc8c70a60c/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/a9c42f11e75c3525d8d0f3f036c2f603e60fe102fc68b8f22a8b4c81779652a2
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a9c42f11e75c3525d8d0f3f036c2f603e60fe102fc68b8f22a8b4c81779652a2
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1647104
Behaviour
Behavior Graph:
n/a
Score:
2%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/a9c42f11e75c3525d8d0f3f036c2f603e60fe102fc68b8f22a8b4c81779652a2
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vhcc6ephlq2slwgq6pydnqxwapta7yic7rulr4rkrngic54wkkra._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250324-qn3fzstqv9/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Adds Run key to start application
Blocklisted process makes network request
Checks for any installed AV software in registry
Enumerates connected drives
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/353d8fbc-714f-44d0-bb27-791fb75f816c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner.XMRig

Microsoft Software Installer (MSI) msi a9c42f11e75c3525d8d0f3f036c2f603e60fe102fc68b8f22a8b4c81779652a2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3489320/
  
Delivery method
Distributed via web download

Comments