MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4f42e2d8be3ccd05179f4ed0f21019da4f47b87cee2d08f0acd1e90429a376c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 10

SHA256 hash: b4f42e2d8be3ccd05179f4ed0f21019da4f47b87cee2d08f0acd1e90429a376c
SHA3-384 hash: b53ab7cf86eb969f5a560c73a984d708e781ab19f53a00a20ec8df3f5231c112c169bb36686562e06c83164345ef9ce3
SHA1 hash: 7d88a98659aeabfc6111610189a9f2fad6fd4ae0
MD5 hash: c23a9e2cbac26cb5b5433797b026e96d
humanhash: earth-march-three-skylark
File name: EasyLaunch.exe
Signature: CoinMiner
File size: 82'353'333 bytes
First seen: 2025-12-10 18:30:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e05e31a5063c852520cc6950fe83ad1a (13 x CoinMiner, 8 x ScarfaceStealer)
ssdeep: 393216:+TI3xpBpYeoGmZcpmjz5GZd93ULfBPLoIJBsIyNOnS0B4AycWMCY6+Y3xjtFRYVP:+YrO/sJY2ByOjR5rs3wbvEx
TLSH: T16E086C4262EB04C4F9F7DA759AE66617C673BC162F3095CF221C17291F336E08976B22
TrID: 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.2% (.EXE) OS/2 Executable (generic) (2029/13)
      12.0% (.EXE) Generic Win/DOS Executable (2002/3)
      12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
dhash icon: 2f1d332b4dccc805 (1 x CoinMiner)
Reporter: tcains1
Tags: CoinMiner exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 225
Origin country: US
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: EasyLaunch.exe
Verdict: Suspicious activity
Analysis date: 2025-12-10 18:33:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Clean
File Type: exe x64
First seen: 2025-12-10T10:44:00Z UTC
Last seen: 2025-12-11T06:37:00Z UTC
Hits: ~10
Threat name: Win64.Malware.Generic
Status: Suspicious
First seen: 2025-12-10 18:31:41 UTC
File Type: PE+ (Exe)
Extracted files: 8
AV detection: 3 of 24 (12.50%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig collection defense_evasion discovery execution exploit impact miner persistence ransomware spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Interacts with shadow copies
Modifies data under HKEY_USERS
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Power Settings
Cryptocurrency Miner
Disables service(s)
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Possible privilege escalation attempt
Deletes shadow copies
XMRig Miner payload
Modifies Windows Defender notification settings
Xmrig family
xmrig
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: CoinMiner
File: Executable exe b4f42e2d8be3ccd05179f4ed0f21019da4f47b87cee2d08f0acd1e90429a376c (this sample)