MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3573e019cb282db92a23ead87196558de89971879e987e4223297b2c70d9b38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CoinMiner
Vendor detections: 13

SHA256 hash: d3573e019cb282db92a23ead87196558de89971879e987e4223297b2c70d9b38
SHA3-384 hash: 59eee0dd778c6d3aaaa423c60b757a444bd924e7eafdd18774492e719247ec3a5bb83a4b99d47a81102e3f0642e48082
SHA1 hash: 99d80c650744f66f6500ae8e2d03fe5ec13076de
MD5 hash: da6070fe9445e93e0650a4604a58c808
humanhash: social-ack-comet-helium
File name: MTA Spoofer (undetected).exe
Signature: CoinMiner
File size: 35'045'376 bytes
First seen: 2025-06-23 15:08:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fadc5a257419d2541a6b13dfb5e311e2 (14 x XWorm, 5 x StormKitty, 3 x CoinMiner)
ssdeep: 786432:00sGu+rjHovRY27RJFIj8QAIEucm1oRYNMRHU6OBidAPe8:00sGu+Xovr3F7QAIWRuMRHUZIdse
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1C977339E73A4029EFEF7E176C813D203D67578821276462F01E0AA762F37761262F761
TrID:
  48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
  23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.3% (.EXE) OS/2 Executable (generic) (2029/13)
  9.2% (.EXE) Generic Win/DOS Executable (2002/3)
  9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
dhash icon: 71d8d0d0d0f26459 (1 x CoinMiner)
Reporter: burger
Tags: CoinMiner exe XMRIG

Intelligence


File Origin
# of uploads: 1
# of downloads: 539
Origin country: NL

Vendor Threat Intelligence

Verdict: Malicious
Score: 96.5%
Tags: vmprotect autorun

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Searching for the window
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: anti-vm autoit microsoft_visual_cc packed packer_detected

Result
Threat name: BitCoin Miner, SilentXMRMiner, Xmrig
Detection: malicious
Classification: evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
May enable test signing (to load unsigned drivers)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected SilentXMRMiner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph image not reproduced; the details recoverable from it follow]
Behavior Graph ID: 1721052; Sample: MTA Spoofer (undetected).exe; Startdate: 23/06/2025; Architecture: WINDOWS; Score: 100
Contacted hosts: pool-nyc.supportxmr.com (104.243.43.115, port 443, RELIABLESITEUS, United States), pool.supportxmr.com
Process chain in the graph: MTA Spoofer (undetected).exe (flagged as a compiled AutoIt script) drops spoofer.exe, loader.exe and autF5F1.tmp under C:\Users\user\AppData\Local\ and starts loader.exe and spoofer.exe. spoofer.exe drops SpoofLib.dll and the driver HWuser.sys on the Desktop (unsigned, may enable test signing, RDTSC-based VM detection). The conhost.exe child of loader.exe drops C:\Windows\System32\System64.exe and launches cmd.exe instances that start System64.exe, run powershell.exe (Windows Defender directory exclusions, BitLocker PowerShell module loaded), schtasks.exe and taskkill.exe. System64.exe drops C:\Windows\System32\...\sihost64.exe and C:\Windows\System32\Microsoft\Libs\WR64.sys, starts sihost64.exe (foreign memory writes, thread injection, direct/indirect syscalls) and injects code into explorer.exe, which queries firmware tables and connects to pool-nyc.supportxmr.com. svchost.exe changes security center settings and starts MpCmdRun.exe; WerFault.exe instances are also observed.
Threat name: Win64.Trojan.Donut
Status: Malicious
First seen: 2025-06-23 15:08:53 UTC
File Type: PE+ (Exe)
Extracted files: 72
AV detection: 21 of 24 (87.50%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig discovery execution miner
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
Drops file in System32 directory
Suspicious use of SetThreadContext
Cryptocurrency Miner
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
XMRig Miner payload
Xmrig family
xmrig
Verdict: Malicious
Tags: Win.Malware.Roxer-9788998-0
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high

Reviews

ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::CopySid, ADVAPI32.dll::FreeSid, ADVAPI32.dll::GetLengthSid, ADVAPI32.dll::GetTokenInformation, ADVAPI32.dll::GetAce
COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID, ole32.dll::CoCreateInstance, ole32.dll::CoCreateInstanceEx, ole32.dll::CoInitializeSecurity, ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::mciSendStringW, WINMM.dll::timeGetTime, WINMM.dll::waveOutSetVolume
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAce, ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::CheckTokenMembership, ADVAPI32.dll::DuplicateTokenEx, ADVAPI32.dll::GetAclInformation, ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW, SHELL32.dll::ShellExecuteW, SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::CreateProcessAsUserW, KERNEL32.dll::CreateProcessW, ADVAPI32.dll::CreateProcessWithLogonW, KERNEL32.dll::OpenProcess, ADVAPI32.dll::OpenProcessToken, ADVAPI32.dll::OpenThreadToken
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::SetSystemPowerState, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleCP, KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileExW, KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, IPHLPAPI.DLL::IcmpCreateFile, KERNEL32.dll::CreateFileW
WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW, ADVAPI32.dll::GetUserNameW, ADVAPI32.dll::LogonUserW, ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetAddConnection2W, MPR.dll::WNetUseConnectionW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegConnectRegistryW, ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::BlockInput, USER32.dll::CloseDesktop, USER32.dll::CreateMenu, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::FindWindowW