MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 beb2ebe5e8620cfac67848aa1f614abd1d1b060821c31d7752f49cbb9c065737. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: beb2ebe5e8620cfac67848aa1f614abd1d1b060821c31d7752f49cbb9c065737
SHA3-384 hash: 9bb17b1ce2d0e05cc7fc15fecf4e6534087cdc552c3d4749c72b6aed71875678237c2f85ea6c7d129e7c24b0f5017c1b
SHA1 hash: d48c06a3d6fd918c3745ad0195f91e2349e4d974
MD5 hash: 92f355f8ee65ee935ec967dc8445ff5c
humanhash: low-stream-magnesium-lithium
File name:Cryptorant Loader Setup 5.2.2.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:94'997'504 bytes
First seen:2025-10-21 16:08:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6f462fcc6b830b77fb3fef2add9dc570 (9 x CoinMiner, 3 x BitRAT, 2 x XWorm)
ssdeep 1572864:LScvrf7YccO5U/K6NrMaqWATeyo9UzhV2FJZeM7q9kG/msxwylOcCz2HsViP7xWj:XvrscteC6NrlD9vjYz/mIlOpWFpmFI
Threatray 1'813 similar samples on MalwareBazaar
TLSH T1562833661E8F381EC6C736F93A50CD3891A0FF9B7E5AC66D22DAD9B0CCD03A546544C2
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.4% (.EXE) Win32 Executable (generic) (4504/4/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter burger
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Cryptorant Loader Setup 5.2.2.exe
Verdict:
Malicious activity
Analysis date:
2025-10-21 16:09:11 UTC
Tags:
miner winring0-sys vuln-driver
Link:
https://app.any.run/tasks/b3ee8cc1-c13d-4063-ad38-85ec21d86fc7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f7b015ad6ce0f5ad4052e6
Tags:
coinminer obfuscate xmrig sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a window
Searching for synchronization primitives
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/68f7b008c85c5c569730d339/reports/527137d6-9fa4-4010-acd3-d6f02fd85167/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/beb2ebe5e8620cfac67848aa1f614abd1d1b060821c31d7752f49cbb9c065737
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-21T13:04:00Z UTC
Last seen:
2025-10-21T16:27:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Agent.pef HEUR:Trojan.Win32.Agent.gen Trojan-PSW.Win32.Stealer.sb Trojan.Win64.Reflo.sb Trojan.Win32.Agent.rnd HEUR:Trojan.Win32.Miner.pef HEUR:Trojan.Win32.Generic PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/beb2ebe5e8620cfac67848aa1f614abd1d1b060821c31d7752f49cbb9c065737/results?tab=lookup
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1799258
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops large PE files
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1799258 Sample: Cryptorant Loader Setup 5.2.2.exe Startdate: 21/10/2025 Architecture: WINDOWS Score: 84 86 pool.hashvault.pro 2->86 116 Malicious sample detected (through community Yara rule) 2->116 118 Antivirus / Scanner detection for submitted sample 2->118 120 Multi AV Scanner detection for submitted file 2->120 122 12 other signatures 2->122 9 Cryptorant Loader Setup 5.2.2.exe 3 2->9         started        13 updater.exe 2->13         started        signatures3 process4 file5 70 C:\...\Cryptorant-Loader-Setup-5-2-2.exe, PE32+ 9->70 dropped 72 C:\...\Cryptorant Loader Setup 5.2.2.exe, PE32 9->72 dropped 126 Encrypted powershell cmdline option found 9->126 15 Cryptorant-Loader-Setup-5-2-2.exe 1 3 9->15         started        19 Cryptorant Loader Setup 5.2.2.exe 12 215 9->19         started        21 powershell.exe 23 9->21         started        74 C:\Windows\Temp\rvxssmhtycpi.sys, PE32+ 13->74 dropped 128 Modifies the context of a thread in another process (thread injection) 13->128 130 Adds a directory exclusion to Windows Defender 13->130 132 Sample is not signed and drops a device driver 13->132 23 dialer.exe 13->23         started        25 dialer.exe 13->25         started        28 powershell.exe 13->28         started        30 7 other processes 13->30 signatures6 process7 dnsIp8 76 C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+ 15->76 dropped 90 Modifies the context of a thread in another process (thread injection) 15->90 92 Adds a directory exclusion to Windows Defender 15->92 32 dialer.exe 15->32         started        35 powershell.exe 23 15->35         started        37 cmd.exe 15->37         started        45 9 other processes 15->45 78 C:\Users\user\...\Cryptorant Loader.exe, PE32+ 19->78 dropped 80 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 19->80 dropped 82 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 19->82 dropped 84 12 other files (none is malicious) 19->84 dropped 39 cmd.exe 19->39         started        94 Loading BitLocker PowerShell Module 21->94 41 conhost.exe 21->41         started        96 Injects code into the Windows Explorer (explorer.exe) 23->96 98 Writes to foreign memory regions 23->98 100 Allocates memory in foreign processes 23->100 104 2 other signatures 23->104 47 3 other processes 23->47 88 216.219.85.122, 49685, 80 IS-AS-1US United States 25->88 102 Query firmware table information (likely to detect VMs) 25->102 43 conhost.exe 28->43         started        49 7 other processes 30->49 file9 signatures10 process11 signatures12 106 Contains functionality to inject code into remote processes 32->106 108 Writes to foreign memory regions 32->108 110 Allocates memory in foreign processes 32->110 114 3 other signatures 32->114 51 lsass.exe 32->51 injected 64 8 other processes 32->64 112 Loading BitLocker PowerShell Module 35->112 54 conhost.exe 35->54         started        56 conhost.exe 37->56         started        58 wusa.exe 37->58         started        66 3 other processes 39->66 60 conhost.exe 45->60         started        62 conhost.exe 45->62         started        68 7 other processes 45->68 process13 signatures14 124 Writes to foreign memory regions 51->124
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/beb2ebe5e8620cfac67848aa1f614abd1d1b060821c31d7752f49cbb9c065737
Gathering data
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/beb2ebe5e8620cfac67848aa1f614abd1d1b060821c31d7752f49cbb9c065737
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-10-21 16:12:57 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
23 of 36 (63.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x2zoxzpimigpvrtyjcvb6ykkxuorwbqiehbr252s6solxhagk43q._file
Verdict:
malicious
Label(s):
unc_loader_055
Create hunting rule
Similar samples:
360184fad3ab5d7bd18f7c3199ceec0f34ee64979ac64c2cc155f7d57794f2bb
CoinMiner
41b78ed7f39e36f4551634007fd5370ce8bbe942c9e320a17b98057b0c82191b
CoinMiner
5dd9cbc64e7414cc479191cbef353c9456d75579d6453157b5f696edeba2d8b5
CoinMiner
70ef0ca420dfedb0204a12da7b0206647003a1296cc91f4ae9eb7c0d8d403812
CoinMiner
7b467d82dd8dc94bf7339c7f4349b64d940d37d2c6510ae48dfdc9b53bed9682
CoinMiner
7b50accfe80d370e374def391c5d57fbf8c7a468d1f20e1274e59839dafbf2db
CoinMiner
968adf76dcc8eea2eeaac8012f34e0c37e45e8a9efce6520d76881213c7b9b3d
CoinMiner
cb21db85c2051333889da882982fbf354e3a31f4134045eda6db4ac14961d5ef
CoinMiner
error
CoinMiner
f2fe93ff8c8b0b666b0e913e313a4d4b66525f5af2d285638486c27a308db117
CoinMiner
fc791cea301af15a8c46dfd5ddf048fbc52cb694d5e9118c41363675823a328b
CoinMiner
+ 1'803 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/251021-tlj4eawpaq/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Checks installed software on the system
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Creates new service(s)
Executes dropped EXE
Loads dropped DLL
Reads ssh keys stored on the system
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/beb2ebe5e862/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments