MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddaae439820a0df5411341c2354443fdf010a3ba8640aa78706e7d0386cb1281. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 19


Intelligence 19 IOCs YARA 34 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddaae439820a0df5411341c2354443fdf010a3ba8640aa78706e7d0386cb1281
SHA3-384 hash: abeeea57b3bb28b22d5064f8bd4c71d81a07e62292c53f344c6d109ee7eb7739b5a68a56b930bf8c40f662b17527ba05
SHA1 hash: 5682a3b1dcf04945ceabc54e7c86743b41c4b179
MD5 hash: 2bd3ed808e3c3821bafacc9ebc95c51d
humanhash: ten-california-victor-sad
File name:loader.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'239'360 bytes
First seen:2026-02-02 18:52:41 UTC
Last seen:2026-02-02 19:48:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:1YtPfk35y0/YVqdv1Mw4NW8rQyZPFW3hM5:1YtPfkI0sqd2fN+yZ9W
Threatray 334 similar samples on MalwareBazaar
TLSH T1AF1633F4F8B841D4F168BEFCEC64D7935BB2824637A1B52641E5E2B2C52A19D027C72C
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:CoinMiner exe XoriumStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
EvilCoder SilentCryptoMiner
Details
EvilCoder
extracted components, their filepaths, and possibly registry installation
PEPacker
a UPX version number and an unpacked binary
SilentCryptoMiner
AES-CBC decryption parameters, decrypted component(s), and possibly urls and a CryptoCurrency address
Link:
https://research.acce.ciphertechsolutions.com/results/dca64a40-759e-4420-8f4f-d5c7a2775ddd/
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
loader.exe
Verdict:
Malicious activity
Analysis date:
2026-02-02 18:52:31 UTC
Tags:
pastebin auto-sch auto-reg miner winring0-sys vuln-driver xmrig crypto-regex pulsar rat upx
Link:
https://app.any.run/tasks/2a49a9c8-6a95-48fd-a360-6d75cc3fc152

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
R77
Create hunting rule
Link:
https://www.capesandbox.com/analysis/51319/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6980f26d0bdf9fb6cc096d63
Tags:
autorun cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Enabling the 'hidden' option for recently created files
Creating a file in the Program Files subdirectories
Running batch commands
Creating a service
Launching a service
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Connection attempt to an infection source
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
Forced system process termination
Sending a TCP request to an infection source
Setting browser functions hooks
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Blocking the Windows Defender launch
Enabling autorun for a service
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Enabling autorun
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed tiny vbnet
Link:
https://www.filescan.io/uploads/6980f2a3930564ff3c84b1f5/reports/0b35cc64-19ab-486a-ae37-62ccfe07a05a/overview
Verdict:
Malicious
Labled as:
MSIL.Packy.Generic
Link:
https://www.hybrid-analysis.com/sample/ddaae439820a0df5411341c2354443fdf010a3ba8640aa78706e7d0386cb1281
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-02-02T03:13:00Z UTC
Last seen:
2026-02-04T08:00:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.MSIL.Agent.sb Trojan.Win32.Agent.sb Trojan.Win32.Agent.rnd HEUR:Trojan-Spy.MSIL.Stealer.gen HEUR:Trojan.Win32.Miner.pef HEUR:Trojan.Win32.Agent.pef HEUR:Trojan.MSIL.Exnet.gen PDM:Trojan.Win32.Tasker.cust PDM:Trojan.Win32.Generic Trojan.Win64.Reflo.sb HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Cryptos.gen Trojan-PSW.Win32.Stealer.sb RiskTool.Miner.UDP.C&C
Link:
https://opentip.kaspersky.com/ddaae439820a0df5411341c2354443fdf010a3ba8640aa78706e7d0386cb1281/results?tab=lookup
Malware family:
XMRig Miner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6d892a0-27c2-4261-9c23-2f37720264b7
Result
Threat name:
Quasar, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1861913
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender real time protection (registry)
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Stop EventLog
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Windows Service Tampering
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Unusual module load detection (module proxying)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Quasar RAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1861913 Sample: loader.exe Startdate: 02/02/2026 Architecture: WINDOWS Score: 100 97 pastebin.com 2->97 99 bore.pub 2->99 101 pool.hashvault.pro 2->101 109 Found malware configuration 2->109 111 Malicious sample detected (through community Yara rule) 2->111 113 Multi AV Scanner detection for submitted file 2->113 117 18 other signatures 2->117 10 loader.exe 4 2->10         started        14 pniwpwjwqkyw.exe 2->14         started        16 svchost.exe 2->16 injected 18 3 other processes 2->18 signatures3 115 Connects to a pastebin service (likely for C&C) 97->115 process4 file5 87 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 10->87 dropped 89 C:\Users\user\AppData\...\Client-built.exe, PE32 10->89 dropped 91 C:\Users\user\AppData\...\loader.exe.log, CSV 10->91 dropped 163 Drops PE files with benign system names 10->163 20 svchost.exe 1 2 10->20         started        24 Client-built.exe 1 5 10->24         started        93 C:\Windows\Temp\dvjenxntephj.sys, PE32+ 14->93 dropped 165 Antivirus detection for dropped file 14->165 167 Multi AV Scanner detection for dropped file 14->167 169 Modifies the context of a thread in another process (thread injection) 14->169 173 3 other signatures 14->173 26 dialer.exe 14->26         started        28 dialer.exe 14->28         started        31 powershell.exe 14->31         started        37 6 other processes 14->37 171 Unusual module load detection (module proxying) 16->171 33 consent.exe 16->33         started        35 svchost.exe 16->35         started        signatures6 process7 dnsIp8 83 C:\ProgramData\...\pniwpwjwqkyw.exe, PE32+ 20->83 dropped 119 Antivirus detection for dropped file 20->119 121 Multi AV Scanner detection for dropped file 20->121 123 Uses powercfg.exe to modify the power settings 20->123 139 3 other signatures 20->139 39 dialer.exe 20->39         started        42 powershell.exe 20->42         started        44 cmd.exe 20->44         started        54 8 other processes 20->54 85 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 24->85 dropped 125 Creates an undocumented autostart registry key 24->125 127 Uses schtasks.exe or at.exe to add and modify task schedules 24->127 141 2 other signatures 24->141 46 svchost.exe 8 24->46         started        50 schtasks.exe 1 24->50         started        129 Injects code into the Windows Explorer (explorer.exe) 26->129 131 Writes to foreign memory regions 26->131 143 3 other signatures 26->143 56 2 other processes 26->56 103 185.84.98.85, 443, 49698 COLTENGINECOLTENGINENetworkIT Italy 28->103 133 Query firmware table information (likely to detect VMs) 28->133 135 Found strings related to Crypto-Mining 28->135 137 Loading BitLocker PowerShell Module 31->137 52 conhost.exe 31->52         started        58 6 other processes 37->58 file9 signatures10 process11 dnsIp12 145 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->145 147 Contains functionality to inject code into remote processes 39->147 149 Writes to foreign memory regions 39->149 159 5 other signatures 39->159 60 lsass.exe 39->60 injected 63 winlogon.exe 39->63 injected 73 2 other processes 39->73 151 Loading BitLocker PowerShell Module 42->151 65 conhost.exe 42->65         started        75 2 other processes 44->75 105 bore.pub 159.223.171.199, 37020, 49696, 49699 CELANESE-US United States 46->105 107 pastebin.com 172.66.171.73, 443, 49694 CLOUDFLARENETUS United States 46->107 95 C:\Program Files\PulsarX AV\PulsarXAV.exe, PE32 46->95 dropped 153 Antivirus detection for dropped file 46->153 155 System process connects to network (likely due to code injection or exploit) 46->155 157 Multi AV Scanner detection for dropped file 46->157 161 4 other signatures 46->161 67 powershell.exe 7 15 46->67         started        69 schtasks.exe 1 46->69         started        71 conhost.exe 50->71         started        77 8 other processes 54->77 file13 signatures14 process15 signatures16 175 Writes to foreign memory regions 60->175 177 Unusual module load detection (module proxying) 60->177 179 Changes security center settings (notifications, updates, antivirus, firewall) 67->179 181 Disable Windows Defender real time protection (registry) 67->181 79 conhost.exe 67->79         started        81 conhost.exe 69->81         started        process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ddaae439820a0df5411341c2354443fdf010a3ba8640aa78706e7d0386cb1281
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.21 Win 64 Exe x64
Link:
https://app.malva.re/file/2bd3ed808e3c3821bafacc9ebc95c51d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddaae439820a0df5411341c2354443fdf010a3ba8640aa78706e7d0386cb1281/
Verdict:
Malicious
Threat:
Family.XBINDER
Link:
https://tip.neiki.dev/file/ddaae439820a0df5411341c2354443fdf010a3ba8640aa78706e7d0386cb1281
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2026-02-02 08:08:41 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3wvoiomcbig7kqitihbdkrcd7xybbi52qzaku6dqnz6qhbwlckaq._file
Verdict:
malicious
Label(s):
unc_loader_063
Create hunting rule
quasarrat
Create hunting rule
unc_loader_055
Create hunting rule
r77rootkit
Create hunting rule
Similar samples:
584628c2ca43af54147e39e77f2f6edece4de6464127d82adff78bcd1e49648e
CoinMiner
596b5c77e69fa9f0004cf5daaae2ac3b925b5b4eddc4fa9620d29d330569b70e
CoinMiner
88db7224a27c32a9c8e5b12e7be3204d483d2e1dcdd7038ca2d9e553de4a397b
CoinMiner
cb0fbc3588dab06d99ad9c9af872613452ecbb6b7c71b00a6bca4bcc64bb8d00
CoinMiner
d6787107b40d3d9c65b07aea10e10fa14ff04efbb497b6caf5854812d8e7648b
CoinMiner
error
CoinMiner
fde56e00761a85ad495bd2d05654f3657922f665f58edfabcf43d2fa769f0d79
CoinMiner
ff0a72d1860c9cad62aa4e48afe58831edc35ef4947661c7335dd08e5f26e05b
CoinMiner
+ 324 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion evasion execution persistence trojan
Link:
https://tria.ge/reports/260202-xjtrlsas6f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Enumerates physical storage devices
Drops file in Program Files directory
Hide Artifacts: Ignore Process Interrupts
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Power Settings
Checks BIOS information in registry
Checks computer location settings
Creates new service(s)
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Modifies WinLogon for persistence
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Unpacked files
SH256 hash:
ddaae439820a0df5411341c2354443fdf010a3ba8640aa78706e7d0386cb1281
MD5 hash:
2bd3ed808e3c3821bafacc9ebc95c51d
SHA1 hash:
5682a3b1dcf04945ceabc54e7c86743b41c4b179
Link:
https://www.unpac.me/results/7d39f39e-7371-4dc8-b6c7-9d55350ffd2e/
SH256 hash:
8fe1354eab0afa298f97a6bdba22f0f76da9a7b58e408ba745ad2752c2c492bc
MD5 hash:
f8e73f843fa8b765c9207c38a0b9bcf7
SHA1 hash:
5194cf7caa3499a05222b197d68fd7cbf236e59c
Link:
https://www.unpac.me/results/7d39f39e-7371-4dc8-b6c7-9d55350ffd2e/
SH256 hash:
7a02c7dee0626d47b4c6b2950266b2c532b841c12f2627375c32720c60c6fb23
MD5 hash:
ecfc0ddc15125f40d80905548d4b06e2
SHA1 hash:
3bdec7448b2c443c51a5efbc8e6331e6788c4b3d
Link:
https://www.unpac.me/results/7d39f39e-7371-4dc8-b6c7-9d55350ffd2e/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ddaae439820a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ddaae439820a0df5411341c2354443fdf010a3ba8640aa78706e7d0386cb1281

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Suspicious_PssCaptureSnapshot_Usage
Create hunting rule
Author:Dana Behling - Just me not for personal curiosity, no company.
Description:Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/51319/

Comments