MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d309712d8d5fd6ead0801faa17df6b388e4a2dcd29db2e1ad6addcdfd6321439. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d309712d8d5fd6ead0801faa17df6b388e4a2dcd29db2e1ad6addcdfd6321439
SHA3-384 hash: a2b316ecafa919ad7496dbe148514a5e8f8d0d8bec0cdfbc2befd4bdf56394e157954d9e737b30ff776e3cc9c2c23bd4
SHA1 hash: 8b261c71e04be6bf62606fa1879a9edb7837bb01
MD5 hash: b3b78fd663390a923f970110ad5b1b9b
humanhash: item-low-twelve-pluto
File name:IDM 6.42.57 Patch.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:7'070'976 bytes
First seen:2025-12-10 21:05:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c4b8b0aba9f9c876ca624bdbda64d516 (1 x Koadic, 1 x Sality, 1 x CoinMiner)
ssdeep 98304:9qFHL7il2MTCt3osPUYiYZAnLOdn3lr9CQdes5MsNI5mUz3eg6UfXqKigQhHAbtl:9qFr8/m3oVsvF5lMsNEA3/Pg6J8Xdj
TLSH T1F466B02E4F81CBA0D46CFE325C75D035DA64A8C8A8777A16F474B6B5316DAC60C831BE
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 50dc06939bc2ec70 (1 x CoinMiner)
Reporter aachum
Tags:CoinMiner crackingcity-com exe


Avatar
iamaachum
https://www.crackingcity.com/idm-crack/ => https://mega.nz/file/61gyTbxC#_mqOzMxirT_K3i-6LFyqpjbbtfqw7qrffmTCcp3J874

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_d309712d8d5fd6ead0801faa17df6b388e4a2dcd29db2e1ad6addcdfd6321439.exe
Verdict:
Malicious activity
Analysis date:
2025-12-10 21:06:51 UTC
Tags:
winring0-sys vuln-driver
Link:
https://app.any.run/tasks/98c3adc9-d006-458d-b272-1894e46d2319

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44234/
Detection(s):
Win.Dropper.Genericr-10034246-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6939e0c8bde6a3e5971002e4
Tags:
infosteal dropper virus shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien microsoft_visual_cc overlay
Link:
https://www.filescan.io/uploads/6939e0c598941bdf1de5bb83/reports/10fd7b80-74b0-4661-b7d3-a7fa6c6654cd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d309712d8d5fd6ead0801faa17df6b388e4a2dcd29db2e1ad6addcdfd6321439
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-06T04:22:00Z UTC
Last seen:
2025-12-12T15:47:00Z UTC
Hits:
~100
Detections:
BSS:Trojan.Win32.Generic HEUR:Trojan.Win32.Alien.gen HEUR:Trojan.BAT.Alien.gen
Link:
https://opentip.kaspersky.com/d309712d8d5fd6ead0801faa17df6b388e4a2dcd29db2e1ad6addcdfd6321439/results?tab=lookup
Gathering data
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1830592
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive system registry key value via command line tool
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Invoke-WebRequest Execution
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1830592 Sample: IDM 6.42.57 Patch.exe Startdate: 10/12/2025 Architecture: WINDOWS Score: 100 65 server.custompool.xyz 2->65 67 www.crackingcity.com 2->67 73 Malicious sample detected (through community Yara rule) 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 Multi AV Scanner detection for submitted file 2->77 81 5 other signatures 2->81 10 IDM 6.42.57 Patch.exe 11 2->10         started        13 dlIhost.exe 2->13         started        17 svchost.exe 2->17         started        signatures3 79 Performs DNS queries to domains with low reputation 65->79 process4 dnsIp5 51 C:\Users\user\AppData\Local\...\t75389.exe, PE32 10->51 dropped 53 C:\Users\user\AppData\Local\...53SudoLC.exe, PE32 10->53 dropped 55 C:\Users\user\AppData\Local\...\IDMan.exe, PE32 10->55 dropped 57 2 other malicious files 10->57 dropped 19 cmd.exe 3 10->19         started        23 cmd.exe 2 10->23         started        71 server.custompool.xyz 45.77.240.51, 49693, 6203 AS-CHOOPAUS United States 13->71 89 Antivirus detection for dropped file 13->89 91 Multi AV Scanner detection for dropped file 13->91 93 Query firmware table information (likely to detect VMs) 13->93 25 conhost.exe 13->25         started        95 Changes security center settings (notifications, updates, antivirus, firewall) 17->95 27 MpCmdRun.exe 17->27         started        file6 signatures7 process8 file9 49 C:\Users\user\AppData\...\UpdateTask.xml, XML 19->49 dropped 83 Uses schtasks.exe or at.exe to add and modify task schedules 19->83 85 Adds a directory exclusion to Windows Defender 19->85 87 Queries sensitive system registry key value via command line tool 19->87 29 7za.exe 19->29         started        33 t75389.exe 19->33         started        35 powershell.exe 23 19->35         started        41 15 other processes 19->41 37 conhost.exe 23->37         started        39 conhost.exe 27->39         started        signatures10 process11 file12 61 C:\Users\user\AppData\Roaming\...\dlIhost.exe, PE32+ 29->61 dropped 63 C:\Users\user\AppData\...\WinRing0x64.sys, PE32+ 29->63 dropped 97 Found strings related to Crypto-Mining 29->97 99 Sample is not signed and drops a device driver 29->99 101 Suspicious powershell command line found 33->101 43 powershell.exe 33->43         started        103 Loading BitLocker PowerShell Module 35->103 signatures13 process14 dnsIp15 69 www.crackingcity.com 104.21.7.65, 443, 49692 CLOUDFLARENETUS United States 43->69 59 C:\Users\user\AppData\Roaming\...\dlIhost.7z, 7-zip 43->59 dropped 47 conhost.exe 43->47         started        file16 process17
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d309712d8d5fd6ead0801faa17df6b388e4a2dcd29db2e1ad6addcdfd6321439
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/b3b78fd663390a923f970110ad5b1b9b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d309712d8d5fd6ead0801faa17df6b388e4a2dcd29db2e1ad6addcdfd6321439/
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/d309712d8d5fd6ead0801faa17df6b388e4a2dcd29db2e1ad6addcdfd6321439
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-12-06 02:55:11 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2mexclmnl7lovuead6vbpx3lhcheulonfhns4gwwvxon7vrscq4q._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion discovery execution miner persistence
Link:
https://tria.ge/reports/251210-zxtpwa1qhj/
Behaviour
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
XMRig Miner payload
Xmrig family
xmrig
Verdict:
Malicious
Tags:
Win.Dropper.Genericr-10034246-0
YARA:
n/a
Link:
https://app.threat.zone/submission/063c2ea4-235a-4859-959f-d54d9585369d
Unpacked files
SH256 hash:
d309712d8d5fd6ead0801faa17df6b388e4a2dcd29db2e1ad6addcdfd6321439
MD5 hash:
b3b78fd663390a923f970110ad5b1b9b
SHA1 hash:
8b261c71e04be6bf62606fa1879a9edb7837bb01
Link:
https://www.unpac.me/results/976aacea-3d13-41dd-bd99-d81da766917b/
SH256 hash:
e86055bf15c6c3b81bf193868164142377ead19d306fe25fe0bd4836d25e2f59
MD5 hash:
52fdc36503a49ef5eaaaa70e37e28bb9
SHA1 hash:
4a81096d4df805fc0e51587f5a459a791eda06d1
Link:
https://www.unpac.me/results/976aacea-3d13-41dd-bd99-d81da766917b/
SH256 hash:
7c583257181d482ef92b3c4a6936dae06e0426764e7c93f260d177f3894bfad4
MD5 hash:
6fa4bde600a5323f7cf0c49501898a3c
SHA1 hash:
a6d655025f74c97bff982b4cec1a1494b4093c80
Link:
https://www.unpac.me/results/976aacea-3d13-41dd-bd99-d81da766917b/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d309712d8d5f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe d309712d8d5fd6ead0801faa17df6b388e4a2dcd29db2e1ad6addcdfd6321439

(this sample)

CoinMiner

Executable exe a67109836839f25002d6a6e56666d6f94f7aafbd9a57c344b03b7ce55c69a32e

  
Link
https://tria.ge/251210-zdscpsdr8v/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/44234/
  
Dropping
SHA256 a67109836839f25002d6a6e56666d6f94f7aafbd9a57c344b03b7ce55c69a32e
  
Dropping
MD5 fa7b695798b759b1334030bda04fff3e

Comments