MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba88c267c441cc5a621ad21bffcad1b0344f59a5c6c22d7a2a303efd96414cc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 17


Intelligence 17 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba88c267c441cc5a621ad21bffcad1b0344f59a5c6c22d7a2a303efd96414cc2
SHA3-384 hash: 85383c4a359280ac0fbb02159a12c84bffb72d4c318ecbbff294c649f996a0b4264087b897b6bd97f9027ead144b18d3
SHA1 hash: 9fbc0b0596822d23cdba95507b36014fedebea78
MD5 hash: 06875dc588f80b5e40404420af396e3a
humanhash: mars-uncle-steak-magnesium
File name:06875dc588f80b5e40404420af396e3a.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:5'453'312 bytes
First seen:2025-08-17 08:09:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 203d63d5d9a088e2d84cef737227986b (55 x CoinMiner)
ssdeep 98304:bSaoRnoNleFGUbWwXF/j78/ISCdOkd9qgiCfvhxeCgHdH8+ZHufKO1LWt9qDf:yoNk3bbVrI7cMafv2ZHdtYLWa
Threatray 850 similar samples on MalwareBazaar
TLSH T1234623A65B2938F9E4FEAF32A2519F3C225F12939B0685BB10CC0B734CA4E85D554DF4
TrID 49.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
31.8% (.EXE) Win64 Executable (generic) (10522/11/4)
6.1% (.EXE) OS/2 Executable (generic) (2029/13)
6.0% (.EXE) Generic Win/DOS Executable (2002/3)
6.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
54
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
75cf6661f99e3bc59651becb4837f99ef8eb84a9a8ce6209b4926a8a8dd4a0cc.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-08-16 22:10:24 UTC
Tags:
gcleaner loader lumma stealer auto autoit inno installer amadey redline delphi botnet telegram themida auto-reg
Link:
https://app.any.run/tasks/10eda3a4-a5d4-44d3-9263-ddd896c456df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21761/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a18e458fd55a79c528429d
Tags:
virus spawn krypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Launching a process
Creating a service
Creating a file
Launching a service
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Deleting a recently created file
DNS request
Connecting to a cryptocurrency mining pool
Connection attempt
Sending a custom TCP request
Possible injection to a system process
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug coinminer crypt obfuscated
Link:
https://www.filescan.io/uploads/68a18e40419c816a6e896293/reports/00ac68c0-86b1-4c45-88da-a38977fedc4e/overview
Verdict:
Malicious
Labled as:
Trojan_Win64_Coinminer_NCA_MTB
Link:
https://www.hybrid-analysis.com/sample/ba88c267c441cc5a621ad21bffcad1b0344f59a5c6c22d7a2a303efd96414cc2
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0474059a-2c91-49a8-ad20-276a53e70ade
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1758756
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1758756 Sample: By70AANDd3.exe Startdate: 17/08/2025 Architecture: WINDOWS Score: 100 73 monerooceans.stream 2->73 75 gulf.moneroocean.stream 2->75 79 Malicious sample detected (through community Yara rule) 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 Yara detected Xmrig cryptocurrency miner 2->83 85 14 other signatures 2->85 10 powershell.exe 2 15 2->10         started        13 esdzadxkgdsl.exe 1 2->13         started        16 By70AANDd3.exe 1 2 2->16         started        18 powershell.exe 2->18         started        signatures3 process4 file5 101 Writes to foreign memory regions 10->101 103 Modifies the context of a thread in another process (thread injection) 10->103 105 Injects a PE file into a foreign processes 10->105 20 dllhost.exe 10->20         started        23 conhost.exe 10->23         started        69 C:\Windows\Temp\klfepudurmlk.sys, PE32+ 13->69 dropped 107 Multi AV Scanner detection for dropped file 13->107 109 Adds a directory exclusion to Windows Defender 13->109 111 Sample is not signed and drops a device driver 13->111 25 powershell.exe 21 13->25         started        27 dialer.exe 13->27         started        36 8 other processes 13->36 71 C:\ProgramData\...\esdzadxkgdsl.exe, PE32+ 16->71 dropped 30 powershell.exe 23 16->30         started        32 cmd.exe 1 16->32         started        38 10 other processes 16->38 34 conhost.exe 18->34         started        signatures6 process7 dnsIp8 87 Contains functionality to inject code into remote processes 20->87 89 Writes to foreign memory regions 20->89 91 Creates a thread in another existing process (thread injection) 20->91 99 2 other signatures 20->99 40 winlogon.exe 20->40 injected 52 3 other processes 20->52 42 conhost.exe 25->42         started        77 monerooceans.stream 66.23.199.44, 20128, 49721, 49722 ANYNODEUS United States 27->77 93 Query firmware table information (likely to detect VMs) 27->93 95 Found suspicious powershell code related to unpacking or dynamic code loading 30->95 97 Loading BitLocker PowerShell Module 30->97 44 conhost.exe 30->44         started        46 conhost.exe 32->46         started        48 wusa.exe 32->48         started        54 7 other processes 36->54 50 conhost.exe 38->50         started        56 8 other processes 38->56 signatures9 process10 process11 58 dllhost.exe 40->58         started        signatures12 113 Injects code into the Windows Explorer (explorer.exe) 58->113 115 Writes to foreign memory regions 58->115 117 Creates a thread in another existing process (thread injection) 58->117 119 Injects a PE file into a foreign processes 58->119 61 svchost.exe 58->61 injected 63 svchost.exe 58->63 injected 65 svchost.exe 58->65 injected 67 7 other processes 58->67 process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ba88c267c441cc5a621ad21bffcad1b0344f59a5c6c22d7a2a303efd96414cc2
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/06875dc588f80b5e40404420af396e3a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba88c267c441cc5a621ad21bffcad1b0344f59a5c6c22d7a2a303efd96414cc2/
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/ba88c267c441cc5a621ad21bffcad1b0344f59a5c6c22d7a2a303efd96414cc2
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2025-08-12 00:57:06 UTC
File Type:
PE+ (Exe)
AV detection:
32 of 38 (84.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkemez6eihgfuyq22in77swrwa2e6wnfy3bc26rkga7p3fsbjtba._file
Verdict:
malicious
Label(s):
unc_loader_055
Create hunting rule
r77rootkit
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
CoinMiner
33afc2363bcb30909c61249f68bb14c6fe871f981ca4a3db6866e128beef41d6
CoinMiner
6a24ba25482c73d193fcc208d8ae267236b870b9ab30c44cabe2dc8bfb7a1073
CoinMiner
7908c78041ece2129127d26500321b09f094e41c66f535454884bb4d79573b9b
CoinMiner
7a77290685b008f799f7d0959f37edb7ad2a9fb3df1bd05cef5e6c792928e66a
CoinMiner
811f30601dbe15e0d78bf4f8319caf3dbed4227af4c08bccf8e7b33229375576
CoinMiner
81d322befe2fb9594401df99bba21b530b75feb0a505a64c67839d93df9fac50
CoinMiner
e66a08612641e3fb9ed31747e08dc00c0a9d53155fc1565baafcddd7d1b9ce1e
CoinMiner
error
CoinMiner
ff6ee4d16712bd542ca2860a4bfe3b9ca7dd88f70d54215e069ffc3ec2cb7ea6
CoinMiner
+ 840 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion execution miner persistence upx
Link:
https://tria.ge/reports/250817-j2dapatwcv/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Checks BIOS information in registry
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Modifies trusted root certificate store through registry
Sets service image path in registry
Stops running service(s)
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xmrig family
xmrig
Verdict:
Malicious
Tags:
Win.Trojan.Genkryptik-10016533-0
YARA:
n/a
Link:
https://app.threat.zone/submission/a64215d8-cc97-4cc1-9c72-72c0511c4369
Unpacked files
SH256 hash:
ba88c267c441cc5a621ad21bffcad1b0344f59a5c6c22d7a2a303efd96414cc2
MD5 hash:
06875dc588f80b5e40404420af396e3a
SHA1 hash:
9fbc0b0596822d23cdba95507b36014fedebea78
Link:
https://www.unpac.me/results/dcd3873f-c787-4ddd-8e3a-6c92003f00f2/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba88c267c441/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/ba88c267c441cc5a621ad21bffcad1b0344f59a5c6c22d7a2a303efd96414cc2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Suspicious_PssCaptureSnapshot_Usage
Create hunting rule
Author:Dana Behling - Just me not for personal curiosity, no company.
Description:Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity.
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_e8abb835
Create hunting rule
Author:Elastic Security
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/21761/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments