MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdf6e9a3e756b36d191b494a77dc486c5034b62a7b95d4116032c661481bbd06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdf6e9a3e756b36d191b494a77dc486c5034b62a7b95d4116032c661481bbd06
SHA3-384 hash: 55194f3b6b8d06243e884c2e7248ba60f65f6bfb8c91d975104b0e7ea928c066a459e7405ca2ab7c2eacb3b90c10652a
SHA1 hash: 10b538eff666a79c4da988a70f9de8f982c76756
MD5 hash: 0fd6f9195eb2905ce0d301f6dc20b534
humanhash: california-missouri-stairway-butter
File name:SecuriteInfo.com.Win64.MalwareX-gen.23357.5775
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'907'200 bytes
First seen:2025-06-11 21:28:25 UTC
Last seen:2025-06-11 22:28:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ef8d4a7329b7ef282b569d08eff25452 (7 x LummaStealer, 1 x Smoke Loader, 1 x CoinMiner)
ssdeep 49152:gfS0roO3a+HkkZPqcp39XGsFvYlZkbm06bko78t7jKcQIA2O3NXO:gXVlF3rYlZum06bk7KHIAne
TLSH T11B958C395580D2D2FC32807981B162EC7821B737C22D3BFBD5A4E663AE076C56E9635C
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
443
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win64.MalwareX-gen.23357.5775
Verdict:
Malicious activity
Analysis date:
2025-06-11 21:52:39 UTC
Tags:
purecrypter github miner pureminer netreactor xmrig
Link:
https://app.any.run/tasks/af065a29-bd39-4fe4-ab99-0ed652c4a182

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9040/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.23357.5775.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6849f5ee07b5e8c1cfe65395
Tags:
philis trojan hello
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Connection attempt
Creating a window
Sending a custom TCP request
DNS request
Creating a process with a hidden window
Searching for synchronization primitives
Creating a service
Launching a service
Loading a system driver
Deleting a recently created file
Enabling autorun for a service
Unauthorized injection to a system process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cdf6e9a3e756b36d191b494a77dc486c5034b62a7b95d4116032c661481bbd06
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9afd736d-c7a4-4a02-8dac-1fb9f666dccb
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1712736
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Xmrig
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1712736 Sample: SecuriteInfo.com.Win64.Malw... Startdate: 11/06/2025 Architecture: WINDOWS Score: 100 40 raw.githubusercontent.com 2->40 42 pki-goog.l.google.com 2->42 44 c.pki.goog 2->44 50 Sigma detected: Xmrig 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 11 other signatures 2->56 9 SecuriteInfo.com.Win64.MalwareX-gen.23357.5775.exe 1 2->9         started        12 powershell.exe 23 2->12         started        14 svchost.exe 2->14         started        16 6 other processes 2->16 signatures3 process4 dnsIp5 68 Sets debug register (to hijack the execution of another thread) 9->68 70 Writes to foreign memory regions 9->70 72 Allocates memory in foreign processes 9->72 78 2 other signatures 9->78 19 MSBuild.exe 16 2 9->19         started        23 conhost.exe 9->23         started        74 Loading BitLocker PowerShell Module 12->74 25 WmiPrvSE.exe 12->25         started        27 conhost.exe 12->27         started        76 Changes security center settings (notifications, updates, antivirus, firewall) 14->76 29 MpCmdRun.exe 14->29         started        38 127.0.0.1 unknown unknown 16->38 signatures6 process7 dnsIp8 46 45.142.122.114, 39001, 49301, 49683 DE-FIRSTCOLOwwwfirst-colonetDE Russian Federation 19->46 48 raw.githubusercontent.com 185.199.109.133, 443, 49690 FASTLYUS Netherlands 19->48 58 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->58 60 Found strings related to Crypto-Mining 19->60 62 Writes to foreign memory regions 19->62 66 2 other signatures 19->66 31 AddInProcess.exe 1 19->31         started        34 conhost.exe 29->34         started        signatures9 64 Detected Stratum mining protocol 46->64 process10 signatures11 80 Query firmware table information (likely to detect VMs) 31->80 36 conhost.exe 31->36         started        process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cdf6e9a3e756b36d191b494a77dc486c5034b62a7b95d4116032c661481bbd06
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdf6e9a3e756b36d191b494a77dc486c5034b62a7b95d4116032c661481bbd06/
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-06-11 09:55:37 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zx3oti7hk2zw2gi3jffhpxcinridjnrkpok5ielagldgcsa3xuda._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig execution miner
Link:
https://tria.ge/reports/250611-1cqcdszwaz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
XMRig Miner payload
Xmrig family
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a2c7ef8e-063f-4db8-8084-05d6f13e38ab
Unpacked files
SH256 hash:
cdf6e9a3e756b36d191b494a77dc486c5034b62a7b95d4116032c661481bbd06
MD5 hash:
0fd6f9195eb2905ce0d301f6dc20b534
SHA1 hash:
10b538eff666a79c4da988a70f9de8f982c76756
Link:
https://www.unpac.me/results/6996eb35-63cd-45c3-8668-d48d0513f14a/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cdf6e9a3e756/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe cdf6e9a3e756b36d191b494a77dc486c5034b62a7b95d4116032c661481bbd06

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3561078/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/9040/

Comments