MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddcd21cbbefbe87db9bf2d1560b3d116015ad0ca4d06a8ee2a6692e2bcc25329. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 15

Intelligence 15 IOCs YARA 29 File information Comments

SHA256 hash:	ddcd21cbbefbe87db9bf2d1560b3d116015ad0ca4d06a8ee2a6692e2bcc25329
SHA3-384 hash:	fc96bfc74482721267e0b7d723b921198345f9bb08edd537579ed2b55e6ad0c2196e971564c251193aeedcfbec7af45c
SHA1 hash:	1b1a118785591068cc2c589c049e056262876d33
MD5 hash:	6c5ecd0c95f9c0972837390cdd01f088
humanhash:	colorado-colorado-four-east
File name:	SecuriteInfo.com.Trojan.GenericKD.79768489.15440.19727
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	5'246'976 bytes
First seen:	2026-04-11 07:24:37 UTC
Last seen:	2026-04-11 08:23:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	24eb3a268bb916f486f2ac2a8136e0b3 (1 x CoinMiner)
ssdeep	98304:v7MnKRFpNZpm854v1VM46Nv34vbrvAp5pMyHNQJ9T8dL9fdJ:vgKTXZpMw9YacyHNndJ
Threatray	53 similar samples on MalwareBazaar
TLSH	T180361252A4ADDA33C035C67067C1D438FAA57EB904ED0B0DBB8876C749B73CC566AA13
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	e896f070f0f0d0e8 (1 x CoinMiner)
Reporter	SecuriteInfoCom
Tags:	CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/8dab5679-1bea-49da-bee9-f0d0a9830a68/

Malware family:

xmrig

ID:

File name:

rtm9ixtswf.exe

Verdict:

Malicious activity

Analysis date:

2026-04-02 01:41:40 UTC

Tags:

miner etherhiding winring0-sys vuln-driver upx xmrig

Link:

https://app.any.run/tasks/7a0979b1-f961-4a75-93c0-d44bfce3fbef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/61099/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.79768489.15440.19727.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69d9f77666ab6d001dd1319b

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Launching a process

Creating a process with a hidden window

Creating a service

Launching a service

Creating a process from a recently created file

Creating a file in the Windows subdirectories

Sending a custom TCP request

Creating a file in the system32 subdirectories

Searching for synchronization primitives

Enabling autorun for a service

Moving of the original file

Disabling the operating system update service

Unauthorized injection to a system process

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

coinminer dealply installer installer-heuristic packed unsafe virus

Link:

https://www.filescan.io/uploads/69d9f76e9124ebc0874f1ec3/reports/76129557-ddbf-42f3-8a72-e0098101fcc0/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/ddcd21cbbefbe87db9bf2d1560b3d116015ad0ca4d06a8ee2a6692e2bcc25329

Verdict:

Adware

File Type:

exe x64

First seen:

2026-03-22T10:14:00Z UTC

Last seen:

2026-04-12T11:03:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/ddcd21cbbefbe87db9bf2d1560b3d116015ad0ca4d06a8ee2a6692e2bcc25329/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b78564cb-0048-4e74-acd7-4776a20b9ed8

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ddcd21cbbefbe87db9bf2d1560b3d116015ad0ca4d06a8ee2a6692e2bcc25329

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ddcd21cbbefbe87db9bf2d1560b3d116015ad0ca4d06a8ee2a6692e2bcc25329/

Threat name:

Win64.Trojan.Kepavll

Status:

Malicious

First seen:

2026-03-23 19:11:40 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3xgsds567puh3on7fukwbm6rcyavvugkjudkr3rkm2jofpgckmuq._file

Verdict:

malicious

Label(s):

coinminer

CoinMiner

3b93465de33b87e03e1932381c60acfd13f461e6ce8cc129b2ca0d04680321f8

CoinMiner

661c4da0df6414e3cf7855d47a142cc9858c1174cc992f29423e48ce420585e0

CoinMiner

error

CoinMiner

fa6780dc233272dee40a0e15a466666fb74d263a1be0d9c204e68da180e3461c

CoinMiner

ff0d1b2cddd488f80e76c5b9d0ee3a156572896d179df63996b6a899ebe86b82

CoinMiner

+ 43 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig defense_evasion execution miner persistence upx

Link:

https://tria.ge/reports/260411-h89f2adt9y/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

UPX packed file

Power Settings

Creates new service(s)

Cryptocurrency Miner

Deletes itself

Disables service(s)

Executes dropped EXE

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Server Software Component: Terminal Services DLL

Sets service image path in registry

XMRig Miner payload

Modifies security service

Suspicious use of NtCreateUserProcessOtherParentProcess

Xmrig family

xmrig

Unpacked files

SH256 hash:

ddcd21cbbefbe87db9bf2d1560b3d116015ad0ca4d06a8ee2a6692e2bcc25329

MD5 hash:

6c5ecd0c95f9c0972837390cdd01f088

SHA1 hash:

1b1a118785591068cc2c589c049e056262876d33

Link:

https://www.unpac.me/results/724f5b94-237f-45a7-b71f-4eebcc118d2b/

Malware family:

XMRig

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ddcd21cbbefb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/ddcd21cbbefbe87db9bf2d1560b3d116015ad0ca4d06a8ee2a6692e2bcc25329

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MAL_XMR_Miner_May19_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MAL_XMR_Miner_May19_1_RID2E1B Create hunting rule
Author:	Florian Roth
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Mimikatz_Generic Create hunting rule
Author:	Still
Description:	attempts to match all variants of Mimikatz

Rule name:	Multi_Cryptominer_Xmrig_f9516741 Create hunting rule
Author:	Elastic Security

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	PUA_Crypto_Mining_CommandLine_Indicators_Oct21 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects command line parameters often used by crypto mining software
Reference:	https://www.poolwatch.io/coin/monero

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	rig_win64_xmrig_6_13_1_xmrig Create hunting rule
Author:	yarGen Rule Generator
Description:	rig_win64 - file xmrig.exe
Reference:	https://github.com/Neo23x0/yarGen

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	Windows_Cryptominer_Generic_f53cfb9b Create hunting rule
Author:	Elastic Security

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases