MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb5ee026e883daa38d01b7f7b8c126a12c4500c472408f9afdb5d4cf1f853ef2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 9



SHA256 hash: bb5ee026e883daa38d01b7f7b8c126a12c4500c472408f9afdb5d4cf1f853ef2
SHA3-384 hash: d0cafdd204a111b08f190aa4743cab637e7eafe54960104a796e4f3b6eec9c71726e1ebe9180d82a9e0bf364ca6c75db
SHA1 hash: 6e8e792a0ac3e722327ba83edf61b3feddf64464
MD5 hash: c12970d322b1582a9fba61e47a83ddaa
humanhash: delaware-delta-mike-angel
File name: KMSAuto++ Portable v1.6.5.exe
Signature: CoinMiner
File size: 63'147'167 bytes
First seen: 2025-08-22 17:52:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f4680c52b4d4f6f1e0f92b81397ce8c4 (4 x MeduzaStealer, 1 x LummaStealer, 1 x CoinMiner)
ssdeep 786432:t9T/j07mZyv3+gc5ibDB28+oFwjvYKM289vy3TOZ34wWIN34TN:t9T/jQmZyvf28+u289l4uu
TLSH T1F1D7BF22B3C8CA26F99E067285BBE655C37DA9150735EBCB0698FBD814723D149313E3
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags: 93-113-25-43 CoinMiner exe redem-reductedusima-world Rhadamanthys


iamaachum
https://github.com/Koperrachelle727/KMS-Activator-Plus-Net/releases/download/as/KMSAuto++.Portable.v1.6.5.7z

Intelligence


File Origin
# of uploads: 1
# of downloads: 134
Origin country: ES
Vendor Threat Intelligence
Malware family:
ID: 1
File name: KMSAuto++ Portable v1.6.5.exe
Verdict: Malicious activity
Analysis date: 2025-08-22 18:00:03 UTC
Tags: python anti-evasion miner winring0-sys vuln-driver stealer themida xor-url upx generic lumma xmrig rhadamanthys

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating a process with a hidden window
Moving a recently created file
Creating synchronization primitives
Launching a process
Creating a file
Sending a custom TCP request
Creating a window
Running batch commands
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Adding an exclusion to Microsoft Defender
Result
Threat name: n/a
Detection: suspicious
Classification: evad
Score: 29 / 100
Signature
Contains functionality to prevent local Windows debugging
Threat name: Win32.Infostealer.Generic
Status: Suspicious
First seen: 2025-08-22 17:39:06 UTC
File Type: PE (Exe)
Extracted files: 360
AV detection: 4 of 38 (10.53%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Verdict: Suspicious
Tags: red_team_tool
YARA: INDICATOR_TOOL_WEDGECUT
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
CoinMiner
Executable exe bb5ee026e883daa38d01b7f7b8c126a12c4500c472408f9afdb5d4cf1f853ef2 (this sample)

Comments