MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df2be42b8a63be17ff85f4516e308406afcd131afc183bc54fda8dfdb8b90685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df2be42b8a63be17ff85f4516e308406afcd131afc183bc54fda8dfdb8b90685
SHA3-384 hash: 69873d895e9f068255ac5d62f70566110df77f5a69840a7f52f8cbcded5d53216f419587a4533eb8c8ad2fce54dba06e
SHA1 hash: c0ec96a8984726eeb6ed89b8179d63c93c309ba0
MD5 hash: cf5ee1a12b467b8a5d44354c3e6051d5
humanhash: lithium-alaska-kilo-island
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:10'043'392 bytes
First seen:2026-05-27 01:48:06 UTC
Last seen:2026-05-27 02:15:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b3ebef3da244b3ac4de5a75d6d1e4c5 (1 x CoinMiner)
ssdeep 49152:i+HWcQ42IY8TChpiMC7bjYu1GCrDyIpGRlWAcW/5XGvRKa7sOsu0/Z8ak6F6yGo1:Kj
TLSH T192A6CF407BE2BEF17291C11EB356C8344A5F3CB8F0DEEAE6904597A72482141AFED974
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon cce4f0f29098f0e4 (1 x NanoCore, 1 x CoinMiner)
Reporter Bitsight
Tags:CoinMiner d52f85 dropped-by-amadey exe


Avatar
Bitsight
url: http://62.60.226.140/files/1781548144/f4parrN.exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
143
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_df2be42b8a63be17ff85f4516e308406afcd131afc183bc54fda8dfdb8b90685.exe
Verdict:
Malicious activity
Analysis date:
2026-05-27 01:49:10 UTC
Tags:
evasion uac auto-reg auto-startup auto-sch telegram ip-check generic stealer
Link:
https://app.any.run/tasks/74bc302f-30c7-4112-818f-85a8aad6a640

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68076/
Detection(s):
SecuriteInfo.com.Variant.Lazy.351608.22423.28397.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a164d6f5b1db29f5a48421b
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Restart of the analyzed sample
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Adding an access-denied ACE
Creating a file in the %AppData% subdirectories
Launching a process
Loading a suspicious library
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Modifying a system file
Creating a service
Launching the process to change the firewall settings
Searching for synchronization primitives
Running batch commands
Creating a file in the Windows subdirectories
Creating a file in the system32 subdirectories
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun for a service
Preventing system recovery
Unauthorized injection to a system process
Enabling autorun by creating a file
Changing the hosts file
Adding an exclusion to Microsoft Defender
Using obfuscated Powershell scripts
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6a164d6812da0d249c593bf7/reports/52db7c4a-02f4-474d-8b46-51661e78bea7/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/df2be42b8a63be17ff85f4516e308406afcd131afc183bc54fda8dfdb8b90685
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-05-26T23:13:00Z UTC
Last seen:
2026-05-28T03:34:00Z UTC
Hits:
~100
Detections:
HEUR:Backdoor.Win64.Sero.gen Backdoor.Win64.Sero.sbb Backdoor.Win64.Sero.sba PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan.Win32.Agent.rnd Trojan-Spy.TeleBot.HTTP.C&C Trojan-Dropper.Win32.Injector.sb Backdoor.Win64.Sero.d Backdoor.Win32.Androm.sb Trojan.Win32.Vimditator.sb Trojan.Win32.Inject.sb RiskTool.Miner.UDP.C&C RiskTool.BitCoinMiner.UDP.C&C
Link:
https://opentip.kaspersky.com/df2be42b8a63be17ff85f4516e308406afcd131afc183bc54fda8dfdb8b90685/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/02a399e1-d13a-464b-b056-dde06e6929aa
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/df2be42b8a63be17ff85f4516e308406afcd131afc183bc54fda8dfdb8b90685
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df2be42b8a63be17ff85f4516e308406afcd131afc183bc54fda8dfdb8b90685/
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/df2be42b8a63be17ff85f4516e308406afcd131afc183bc54fda8dfdb8b90685
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-05-27 01:48:32 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=34v6ik4kmo7bp74f6riw4meea2x42ey27qmdxrkp3kg73ofza2cq._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion discovery evasion execution miner persistence privilege_escalation ransomware upx
Link:
https://tria.ge/reports/260527-b8a5xae19t/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Event Triggered Execution: Netsh Helper DLL
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Power Settings
Checks BIOS information in registry
Creates new service(s)
Drops startup file
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Looks for VMWare Tools registry key
Modifies Windows Firewall
Looks for VirtualBox Guest Additions in registry
Modifies boot configuration data using bcdedit
XMRig Miner payload
Family: xmrig
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
df2be42b8a63be17ff85f4516e308406afcd131afc183bc54fda8dfdb8b90685
MD5 hash:
cf5ee1a12b467b8a5d44354c3e6051d5
SHA1 hash:
c0ec96a8984726eeb6ed89b8179d63c93c309ba0
Link:
https://www.unpac.me/results/8a85e8d8-d8d5-4fa1-a0e7-17b8b810b848/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df2be42b8a63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/df2be42b8a63be17ff85f4516e308406afcd131afc183bc54fda8dfdb8b90685

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe df2be42b8a63be17ff85f4516e308406afcd131afc183bc54fda8dfdb8b90685

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/68076/

Comments