MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da2d172c8d2c8e6d53a457e6991aaaf5805e16fa216749a4c87d757050db2903. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da2d172c8d2c8e6d53a457e6991aaaf5805e16fa216749a4c87d757050db2903
SHA3-384 hash: 97e88c8477c842736921d86e2f229473a364428be4f26d8dabd8654cdbcfdd0d1e68c299595cd6062024bacd34332edd
SHA1 hash: 0dee7d5d36e4d914cc7632aca43f89c32f248b5e
MD5 hash: 9077da7cd22576198fabab99f0e572cc
humanhash: missouri-nevada-network-bakerloo
File name:Printer_Driver_SSL_support_v43.22.209.99.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'895'984 bytes
First seen:2026-03-03 20:21:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (62 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 98304:Jo5pB/b8fBiYjuWpQqMvHgWIGMKad3sNp+kcLDoyQ/jkNnz6WxG/:JopQ4YjuI9MvHguMKNp+RLD9796WY/
Threatray 1'204 similar samples on MalwareBazaar
TLSH T1E1363351F3CAD5BDC1A22DB6921847B18EE2FF152B8996D74B1079269D783C02A7C0CF
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.8% (.EXE) Win64 Executable (generic) (6522/11/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter burger
Tags:CoinMiner exe signed

Code Signing Certificate

Organisation:Sony
Issuer:Sony
Algorithm:sha256WithRSAEncryption
Valid from:2026-02-20T00:00:00Z
Valid to:2028-02-20T00:00:00Z
Serial number: 38e3213e7174ff6c
Thumbprint Algorithm:SHA256
Thumbprint: 593ca2caf0f5457a3e48ccd46ab0bfbb994e0c521328812e8a1c8ab1694419eb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
Installer.exe
Verdict:
Malicious activity
Analysis date:
2026-03-03 20:15:49 UTC
Tags:
evasion loader stealer arch-exec telegram xmrig miner winring0-sys vuln-driver pastebin netreactor
Link:
https://app.any.run/tasks/0680fb2e-4d2d-4dfa-bf19-732a30e630e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/55465/
Detection(s):
Win.Malware.7zip-10013374-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a7429fe1f958bf668348c0
Tags:
dropper virus sage
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer installer keylogger microsoft_visual_cc overlay signed
Link:
https://www.filescan.io/uploads/69a742bd10e80629d4fabd42/reports/1b9a9f1b-2d71-491d-a877-68c6c8611fc6/overview
Verdict:
Malicious
Labled as:
Malware.7zip
Link:
https://www.hybrid-analysis.com/sample/da2d172c8d2c8e6d53a457e6991aaaf5805e16fa216749a4c87d757050db2903
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Inject.sb HEUR:Trojan.Win64.Reflo.pef PDM:Trojan.Win32.Generic Trojan.Win32.SFX.sb Trojan.Win32.Miner.sb Trojan.Win32.Agent.rnd HEUR:Trojan.Win32.SFX.gen RiskTool.Miner.UDP.C&C RiskTool.BitCoinMiner.TCP.C&C
Link:
https://opentip.kaspersky.com/da2d172c8d2c8e6d53a457e6991aaaf5805e16fa216749a4c87d757050db2903/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8deb8097-a3dc-4bfb-b0fe-538e2d01466c
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1877842
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Detected CypherIt Packer
Drops password protected ZIP file
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1877842 Sample: Printer_Driver_SSL_support_... Startdate: 03/03/2026 Architecture: WINDOWS Score: 100 83 pastebin.com 2->83 85 pool.hashvault.pro 2->85 103 Suricata IDS alerts for network traffic 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 Multi AV Scanner detection for submitted file 2->107 111 7 other signatures 2->111 10 Printer_Driver_SSL_support_v43.22.209.99.exe 8 2->10         started        14 lhhsgwktkatl.exe 2->14         started        signatures3 109 Connects to a pastebin service (likely for C&C) 83->109 process4 file5 73 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 10->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 10->75 dropped 113 Contains functionality to register a low level keyboard hook 10->113 16 cmd.exe 2 10->16         started        77 C:\Windows\Temp\ipuhhcjzuqdg.sys, PE32+ 14->77 dropped 115 Modifies the context of a thread in another process (thread injection) 14->115 117 Adds a directory exclusion to Windows Defender 14->117 119 Sample is not signed and drops a device driver 14->119 19 conhost.exe 14->19         started        22 powershell.exe 14->22         started        24 cmd.exe 14->24         started        26 6 other processes 14->26 signatures6 process7 dnsIp8 93 Detected CypherIt Packer 16->93 28 Setup.exe 1 2 16->28         started        32 conhost.exe 16->32         started        34 7z.exe 2 16->34         started        44 7 other processes 16->44 87 pool.hashvault.pro 185.84.98.5, 443, 49696 COLTENGINECOLTENGINENetworkIT Italy 19->87 89 185.84.98.85, 443, 49700, 49701 COLTENGINECOLTENGINENetworkIT Italy 19->89 91 pastebin.com 172.66.171.73, 443, 49699 CLOUDFLARENETUS United States 19->91 95 Found strings related to Crypto-Mining 19->95 97 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->97 99 Loading BitLocker PowerShell Module 22->99 36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        40 wusa.exe 24->40         started        42 conhost.exe 26->42         started        46 4 other processes 26->46 signatures9 process10 file11 79 C:\ProgramData\...\lhhsgwktkatl.exe, PE32+ 28->79 dropped 121 Adds a directory exclusion to Windows Defender 28->121 48 powershell.exe 23 28->48         started        51 cmd.exe 1 28->51         started        53 sc.exe 1 28->53         started        55 8 other processes 28->55 123 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 32->123 81 C:\Users\user\AppData\Local\...\Setup.exe, PE32+ 34->81 dropped signatures12 process13 signatures14 101 Loading BitLocker PowerShell Module 48->101 57 conhost.exe 48->57         started        59 conhost.exe 51->59         started        61 wusa.exe 51->61         started        63 conhost.exe 53->63         started        65 conhost.exe 55->65         started        67 conhost.exe 55->67         started        69 conhost.exe 55->69         started        71 5 other processes 55->71 process15
Score:
61%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/da2d172c8d2c8e6d53a457e6991aaaf5805e16fa216749a4c87d757050db2903
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da2d172c8d2c8e6d53a457e6991aaaf5805e16fa216749a4c87d757050db2903/
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/da2d172c8d2c8e6d53a457e6991aaaf5805e16fa216749a4c87d757050db2903
Threat name:
Win32.Trojan.RedlineStealer
Create hunting rule
Status:
Malicious
First seen:
2026-03-03 20:20:51 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
9 of 36 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3iwrolenfshg2u5ek7tjsgvk6waf4fx2eftutjgipv2xaug3febq._file
Verdict:
malicious
Label(s):
unc_loader_055
Create hunting rule
Similar samples:
030341b8ce7dfcd95d3918808fbc8b6f3b540457c2c02a916afe012c4a4fd76f
CoinMiner
192c8d839f8bb794a6c4d07f98ebd71517d79e12974371130829de1ec61c3c5a
CoinMiner
1fbb7cc796ed31d975e436f3e164633914fccdaaeb5da6075862d87e3601dc33
CoinMiner
3006fbf4ad07f754a252a2d65bbd1df77abdd9361bcc53d8705ab18b6dcecc0f
CoinMiner
7aa20099672e8dc0f13bde889491b9db5f38b58a1a3bb80e39b17689cc512e00
CoinMiner
a509d90eaa00df8640c180439726fc0ed487dc30d236e19d1fc1514782e23671
CoinMiner
cfbf75c729655bd23b26df184d5091bcd0a5227b165f86a335150477e6af7237
CoinMiner
error
CoinMiner
+ 1'194 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion discovery execution miner persistence upx
Link:
https://tria.ge/reports/260303-y44yraez4p/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Contacts third-party web service commonly abused for C2
Checks computer location settings
Creates new service(s)
Executes dropped EXE
Loads dropped DLL
Stops running service(s)
Command and Scripting Interpreter: PowerShell
XMRig Miner payload
Xmrig family
xmrig
Unpacked files
SH256 hash:
da2d172c8d2c8e6d53a457e6991aaaf5805e16fa216749a4c87d757050db2903
MD5 hash:
9077da7cd22576198fabab99f0e572cc
SHA1 hash:
0dee7d5d36e4d914cc7632aca43f89c32f248b5e
Link:
https://www.unpac.me/results/0e62bda6-63bc-4c07-abc9-4dc51c749c7b/
SH256 hash:
7877a25f54444cd22b748d220d76008bb5a92dc56acaeec4c7a2c87167ab2023
MD5 hash:
9be7fc2aeb514bb02e05d7bb84b5d424
SHA1 hash:
bce4654cf7da07c973c5b1efeaa99e0bd87c57d5
Link:
https://www.unpac.me/results/0e62bda6-63bc-4c07-abc9-4dc51c749c7b/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/da2d172c8d2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da2d172c8d2c8e6d53a457e6991aaaf5805e16fa216749a4c87d757050db2903

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

CoinMiner

Executable exe a8f0697c54d7c3785c420c892ef36711977917f93c8dae3687fe8643428c94a4

CoinMiner

Executable exe da2d172c8d2c8e6d53a457e6991aaaf5805e16fa216749a4c87d757050db2903

(this sample)

  
Dropped by
SHA256 a8f0697c54d7c3785c420c892ef36711977917f93c8dae3687fe8643428c94a4
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/55465/
  
Dropped by
MD5 dcb6de04f727aee7c6794b19af03824e
  
URLhaus
https://urlhaus.abuse.ch/url/3789363/

Comments