MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b15ea3865cbdbddb7cf1bd10e70177676c70c8b212d063e55a9bb17aa1cfa661. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b15ea3865cbdbddb7cf1bd10e70177676c70c8b212d063e55a9bb17aa1cfa661
SHA3-384 hash: 53d7f923b0ed97e9888c745203c9e7558677a9093d7e5f3d2ebd1774a6e537ba88ec0a0f5a5f9b879baf61869c234527
SHA1 hash: 9bdc5fe318706c19788f8cae7d36513334915d6d
MD5 hash: fc82070f526b97afdb6abb66bb9a6ee7
humanhash: fourteen-summer-carpet-oklahoma
File name:SecuriteInfo.com.Win64.Evo-gen.14679.25471
Download: download sample
Signature CoinMiner
Create hunting rule
File size:55'731'712 bytes
First seen:2025-07-03 06:17:05 UTC
Last seen:2025-07-03 07:22:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash df9a7bc1c6c6cd97d04c3762fdde6719 (18 x CoinMiner, 2 x CoinMiner.XMRig, 1 x PripyatMiner)
ssdeep 786432:KjVCaKqw8P8aa4IEkATazO7Kacn2T1Yg6DTl5v:iopG8j4IEkiKas2TZMh
Threatray 241 similar samples on MalwareBazaar
TLSH T12DC7D0B90D6E2B81BDE5730976C70FD044223072BBDE43B0A4DB6A88CD81F654FA7596
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
41
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://176.46.157.32/files/hofnar05/random.exe
Verdict:
Malicious activity
Analysis date:
2025-07-04 02:21:58 UTC
Tags:
loader
Link:
https://app.any.run/tasks/5cdc5ab1-ab03-45e7-8b53-14ff70195cdd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68662086c9eb97473765c1c9
Tags:
coinminer crypt miner
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Creating a file in the system32 subdirectories
Forced system process termination
Сreating synchronization primitives
Deleting a recently created file
Replacing files
Searching for synchronization primitives
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Using obfuscated Powershell scripts
Unauthorized injection to a browser process
Verdict:
Malicious
Labled as:
Whisperer.1.Generic
Link:
https://www.hybrid-analysis.com/sample/b15ea3865cbdbddb7cf1bd10e70177676c70c8b212d063e55a9bb17aa1cfa661
Score:
0%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/b15ea3865cbdbddb7cf1bd10e70177676c70c8b212d063e55a9bb17aa1cfa661
Gathering data
Threat name:
Win64.Trojan.Whisperer
Create hunting rule
Status:
Malicious
First seen:
2025-07-03 00:30:09 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wfpkhbs4xw65w7hrxuiooalxm5whbsfsclighzk2toyxviopuzqq._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
Similar samples:
51b3d59d59b618ade2fa6c244a0055219e718d32aaacbc61bf7ab964d0059b51
CoinMiner
58c06312c4b8a6e6e68873da9afe2a79a486e16a2d764f7268880ae27bf0d8be
CoinMiner
6035a71af879b41ae019d0545fca39ccc66f97ba5fc594f4bbad0076721ad89c
CoinMiner
8ce939e78f764da1da27154cc2c2b9ead8c4fd9c3954958bde1f2afa423dd218
CoinMiner
ac08903be48df04ee8b744c61a65c8003af729943049cb4d04870854686c93ca
CoinMiner
b15ea3865cbdbddb7cf1bd10e70177676c70c8b212d063e55a9bb17aa1cfa661
CoinMiner
e84fe903559b6d7048d69e0e4a7136236fa35dbd3591670de54ea81cec31a480
CoinMiner
error
CoinMiner
+ 231 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig discovery execution miner persistence upx
Link:
https://tria.ge/reports/250703-g2atfsfn9t/
Behaviour
Checks processor information in registry
Detects videocard installed
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Command and Scripting Interpreter: PowerShell
Power Settings
Executes dropped EXE
Sets service image path in registry
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xmrig family
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c57d8138-129e-4360-bafb-cfbf26443a07
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe b15ea3865cbdbddb7cf1bd10e70177676c70c8b212d063e55a9bb17aa1cfa661

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3574535/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (uiAccess:None)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::GetStartupInfoW

Comments