MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac868493f7f305788a1934fe39bef7808ee3746fc7d97754ec223f19bbe06273. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 12

Intelligence 12 IOCs YARA 12 File information Comments

SHA256 hash:	ac868493f7f305788a1934fe39bef7808ee3746fc7d97754ec223f19bbe06273
SHA3-384 hash:	49bd2484184585de6d2071250a134cee57644dc71b66db279ded05aa5b989417aefa16710bb52f09755a23b3808f2db6
SHA1 hash:	dafa92de374c2465289e2e958d79e4f0097ebcbd
MD5 hash:	f44c3408d127d2a6f1d055a7fff21ed6
humanhash:	fillet-oven-football-ohio
File name:	heif.dll
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	3'957'248 bytes
First seen:	2025-12-29 08:27:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b84eb1980875be2b17e8b4652ad81eb6 (1 x CoinMiner)
ssdeep	98304:Qwr7BKDWZIrQC6yU0L46uPaSdk9KjdggUUTB/8AwCDfCQkIbCO63lJOx2q0b88Na:lrlKJrQIs6bJKj2U10GkUpglJOQp1HK9
TLSH	T1F706BF47B3C46E99C005C939A707EE31D0A27AE38A76D0CA5F96D6094FF6B517B39B00
TrID	66.6% (.EXE) InstallShield setup (43053/19/16) 16.2% (.EXE) Win64 Executable (generic) (10522/11/4) 7.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.1% (.EXE) OS/2 Executable (generic) (2029/13) 3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	Aotera CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

xmrig

ID:

File name:

7ae66d6e53f0c878e31a75ee24c1b6b917896417ba1c627091888e6319f1bc90.ps1

Verdict:

Malicious activity

Analysis date:

2025-12-29 08:32:52 UTC

Tags:

arch-exec uac amsi-bypass xmrig winring0-sys vuln-driver miner

Link:

https://app.any.run/tasks/a2dc84f7-2404-4a57-b208-93c94d6b9591

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/46445/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69523abf7d915bf1778e9da5

Tags:

malware

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 crypto hacktool masquerade microsoft_visual_cc overlay

Link:

https://www.filescan.io/uploads/69523b9c127d6a14e0c61061/reports/8b178a3e-f8a6-41ea-91cf-b3337e96dc57/overview

Verdict:

Malicious

Labled as:

HEUR_Trojan_Win64_DllHijacking_gen

Link:

https://www.hybrid-analysis.com/sample/ac868493f7f305788a1934fe39bef7808ee3746fc7d97754ec223f19bbe06273

Verdict:

Malicious

File Type:

dll x64

First seen:

2025-12-28T19:28:00Z UTC

Last seen:

2025-12-31T06:23:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Agent.sb HEUR:Trojan.Win64.DllHijacking.gen HEUR:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/ac868493f7f305788a1934fe39bef7808ee3746fc7d97754ec223f19bbe06273/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/106f99e9-9311-4a0a-8723-45e35979e5af

Score:

89%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ac868493f7f305788a1934fe39bef7808ee3746fc7d97754ec223f19bbe06273

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/f44c3408d127d2a6f1d055a7fff21ed6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ac868493f7f305788a1934fe39bef7808ee3746fc7d97754ec223f19bbe06273/

Verdict:

Malicious

Threat:

Family.COINMINER

Link:

https://tip.neiki.dev/file/ac868493f7f305788a1934fe39bef7808ee3746fc7d97754ec223f19bbe06273

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vsdije7x6mcxrcqzgt7dtpxxqchog5dpy7mxovhmei7rto7amjzq._file

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig defense_evasion execution miner persistence

Link:

https://tria.ge/reports/251229-kc4a9axqds/

Behaviour

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Hide Artifacts: Ignore Process Interrupts

Launches sc.exe

Suspicious use of SetThreadContext

Indicator Removal: File Deletion

Creates new service(s)

Executes dropped EXE

Stops running service(s)

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

XMRig Miner payload

Xmrig family

xmrig

Malware Config

Dropper Extraction:

https://onexri.apptaly.com/xmrig-6.22.3-msvc-win64.zip

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/66dd5c2a-8244-4905-adf4-dcf0bbeefe96

Unpacked files

SH256 hash:

ac868493f7f305788a1934fe39bef7808ee3746fc7d97754ec223f19bbe06273

MD5 hash:

f44c3408d127d2a6f1d055a7fff21ed6

SHA1 hash:

dafa92de374c2465289e2e958d79e4f0097ebcbd

Link:

https://www.unpac.me/results/c1d6ff15-f207-4045-8330-f68d13325930/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ac868493f7f3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ac868493f7f305788a1934fe39bef7808ee3746fc7d97754ec223f19bbe06273

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Jupyter_infostealer Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Warp Create hunting rule
Author:	Seth Hardy
Description:	Warp

Rule name:	WarpStrings Create hunting rule
Author:	Seth Hardy
Description:	Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/46445/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample