MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4e7d9736d35fd6e4a67c9ed2740b6bca12c94bce89f41bf7030f37f1d773076. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 17

Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash:	b4e7d9736d35fd6e4a67c9ed2740b6bca12c94bce89f41bf7030f37f1d773076
SHA3-384 hash:	e9693f8c4f80d40ed78833c6d2edb6a1caca66ced61c26aefa8b17659f9a2318928caa7da9654064d0a18f1a5c13bbfb
SHA1 hash:	0ee5adcffa1aa23eb4fa025ccd2ee59190de7ac8
MD5 hash:	bc85a1afb2f2d80dce1cae9d38167da8
humanhash:	delta-indigo-connecticut-timing
File name:	winx.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	11'186'613 bytes
First seen:	2025-10-14 19:19:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	965e162fe6366ee377aa9bc80bdd5c65 (44 x BlankGrabber, 9 x Efimer, 7 x PythonStealer)
ssdeep	196608:E0UdJxeXLTPAXwhpEzYUy5ywSGW7zj9AKm6gUU8gBk6vdQmRsIkaqdVTVjM6UlhG:0dneHPAXYUXy4wSGW3GH6Yk4dQ3Iwd/T
Threatray	88 similar samples on MalwareBazaar
TLSH	T193B63305B39004D7EE7E823C4877416CEB607CA54771D28B57F0A6B72E272D06E3AB96
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Alex_sev
Tags:	CoinMiner dropper exe miner XMRIG

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

Vendor Threat Intelligence

Malware family:

xmrig

ID:

File name:

winx.exe

Verdict:

Malicious activity

Analysis date:

2025-10-14 17:02:32 UTC

Tags:

python pyinstaller github miner winring0-sys vuln-driver rust xmrig xor-url upx generic

Link:

https://app.any.run/tasks/92a77094-891e-4150-9d82-bcddf7da7602

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CoinMiner

Link:

https://www.capesandbox.com/analysis/32833/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ee822a04e22ce9acda1393

Tags:

installer extens spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Creating a window

Running batch commands

Creating a process with a hidden window

Moving a file to the %temp% subdirectory

Creating a process from a recently created file

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a service

Creating a file

Launching a service

Creating a file in the Windows subdirectories

DNS request

Searching for synchronization primitives

Connecting to a cryptocurrency mining pool

Connection attempt

Loading a system driver

Enabling autorun for a service

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm compiled-script expand invalid-signature lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller pyinstaller signed

Link:

https://www.filescan.io/uploads/68eea28171883144ef370e92/reports/fd3c57e1-67a9-4621-8a27-b48e50cd8a78/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b4e7d9736d35fd6e4a67c9ed2740b6bca12c94bce89f41bf7030f37f1d773076

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-10-14T14:56:00Z UTC

Last seen:

2025-10-14T15:21:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Trojan.Win64.Reflo.sb Trojan.Win32.Miner.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Trojan.Win32.Agent.rnd RiskTool.Miner.UDP.C&C not-a-virus:RiskTool.Win32.Miner.qtg

Link:

https://opentip.kaspersky.com/b4e7d9736d35fd6e4a67c9ed2740b6bca12c94bce89f41bf7030f37f1d773076/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/8486e20f-c071-4bbf-b608-6e8eb6747d5d

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b4e7d9736d35fd6e4a67c9ed2740b6bca12c94bce89f41bf7030f37f1d773076

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/bc85a1afb2f2d80dce1cae9d38167da8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b4e7d9736d35fd6e4a67c9ed2740b6bca12c94bce89f41bf7030f37f1d773076/

Verdict:

Malicious

Threat:

Family.XMRIG

Link:

https://tip.neiki.dev/file/b4e7d9736d35fd6e4a67c9ed2740b6bca12c94bce89f41bf7030f37f1d773076

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wtt5s43ngx6w4sthzhwsoqfwxsqszff45cpudp3qgdzx6hlxgb3a._file

Verdict:

malicious

Label(s):

unc_loader_055

CoinMiner

ba044225be61597336bebfaa7118e4d11b5ca1dc42cb8e7bfad63c0151116f1f

CoinMiner

d17fbdccb55a602246b26034b6ce9d64ae1c3b5ad48fd93a732d2fb1dd8de6df

CoinMiner

d8d4c136068c9c5aad47a796b1e5f075bae4ded6c9e547ddba00ca9e112cb279

CoinMiner

e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16

CoinMiner

error

CoinMiner

+ 78 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig defense_evasion execution miner persistence pyinstaller upx

Link:

https://tria.ge/reports/251014-x1171svkv8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Launches sc.exe

Suspicious use of SetThreadContext

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Creates new service(s)

Cryptocurrency Miner

Executes dropped EXE

Loads dropped DLL

Stops running service(s)

XMRig Miner payload

Xmrig family

xmrig

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9d25e5c2-94c3-40d6-92d9-48ae64d8369a

Unpacked files

SH256 hash:

b4e7d9736d35fd6e4a67c9ed2740b6bca12c94bce89f41bf7030f37f1d773076

MD5 hash:

bc85a1afb2f2d80dce1cae9d38167da8

SHA1 hash:

0ee5adcffa1aa23eb4fa025ccd2ee59190de7ac8

Link:

https://www.unpac.me/results/475191d2-6e56-4d14-b14d-c8a2e6823b89/

Malware family:

XMRig

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b4e7d9736d35/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b4e7d9736d35fd6e4a67c9ed2740b6bca12c94bce89f41bf7030f37f1d773076

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PyInstaller Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PyInstaller compiled executables across platforms

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/