MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16
SHA3-384 hash: 0b123be8495b687e8ff49a9eb1f919b3443a56030f7c20a73e4bbb1884c31d4bbcf5bd6732a82a1aeb0dfa3456e80d26
SHA1 hash: 7d6bdb6d5974a483b082cf8e6c107333ba495f59
MD5 hash: 97eb7ebd9ebc4be6126acd6b18fa56d9
humanhash: nebraska-idaho-eighteen-yankee
File name:97eb7ebd9ebc4be6126acd6b18fa56d9.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:8'825'240 bytes
First seen:2025-09-29 13:51:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 35a81d16af9f2ba6d515f11152d0364b (57 x CoinMiner, 2 x CobaltStrike)
ssdeep 196608:Tz3Rrsv2VEV1uHP6mwdMYI9r6d4KiLdy8+jAEQsp++V56NK7S:n3hOV1uHPzqMRQkTQAJC56N4
Threatray 764 similar samples on MalwareBazaar
TLSH T10796333D85EF752BC99D0CBE99060A9F81FDF8A76B192095522203FEC449F09E21F4B5
TrID 33.6% (.EXE) OS/2 Executable (generic) (2029/13)
33.1% (.EXE) Generic Win/DOS Executable (2002/3)
33.1% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:CoinMiner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
97eb7ebd9ebc4be6126acd6b18fa56d9.exe
Verdict:
Malicious activity
Analysis date:
2025-09-29 14:00:21 UTC
Tags:
themida miner winring0-sys vuln-driver amsi-bypass xor-url xmrig generic
Link:
https://app.any.run/tasks/76961e97-2c67-4299-947d-c6005ba95542

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29429/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68da8f2d7d643f33eab8bb7c
Tags:
packed spawn crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Running batch commands
Launching a process
Creating a service
Creating a file
Launching a service
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Changing the hosts file
Unauthorized injection to a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated overlay packed packed packer_detected themidawinlicense
Link:
https://www.filescan.io/uploads/68da8f6c74e5a28989984540/reports/27993cc4-d876-4a40-b254-3f11e6534654/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-28T13:43:00Z UTC
Last seen:
2025-09-28T13:43:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Agent.rnd HEUR:Trojan.Win32.Agent.pef Trojan-Dropper.Win32.Agent.sb BSS:Trojan.Win32.Generic RiskTool.Miner.UDP.C&C RiskTool.BitCoinMiner.UDP.C&C
Link:
https://opentip.kaspersky.com/e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/208d67f8-ada4-403f-b3cf-1ed53c571094
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1785905
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
DNS related to crypt mining pools
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1785905 Sample: TRddG8JzEM.exe Startdate: 29/09/2025 Architecture: WINDOWS Score: 100 69 xmr-eu1.nanopool.org 2->69 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus / Scanner detection for submitted sample 2->75 77 Multi AV Scanner detection for submitted file 2->77 81 16 other signatures 2->81 9 updater.exe 1 2->9         started        13 powershell.exe 2 15 2->13         started        15 TRddG8JzEM.exe 1 3 2->15         started        17 3 other processes 2->17 signatures3 79 DNS related to crypt mining pools 69->79 process4 dnsIp5 61 C:\Windows\Temp\uvcfkjkscisv.sys, PE32+ 9->61 dropped 99 Antivirus detection for dropped file 9->99 101 Multi AV Scanner detection for dropped file 9->101 103 Query firmware table information (likely to detect VMs) 9->103 117 8 other signatures 9->117 20 dialer.exe 9->20         started        24 powershell.exe 23 9->24         started        26 cmd.exe 9->26         started        36 11 other processes 9->36 105 Writes to foreign memory regions 13->105 107 Modifies the context of a thread in another process (thread injection) 13->107 109 Injects a PE file into a foreign processes 13->109 28 dllhost.exe 13->28         started        30 conhost.exe 13->30         started        63 C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+ 15->63 dropped 65 C:\Windows\System32\drivers\etc\hosts, ASCII 15->65 dropped 111 Uses powercfg.exe to modify the power settings 15->111 113 Modifies the hosts file 15->113 115 Adds a directory exclusion to Windows Defender 15->115 32 powershell.exe 23 15->32         started        34 cmd.exe 1 15->34         started        38 15 other processes 15->38 67 127.0.0.1 unknown unknown 17->67 file6 signatures7 process8 dnsIp9 71 51.15.193.130, 10343, 49687 OnlineSASFR France 20->71 83 Query firmware table information (likely to detect VMs) 20->83 85 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->85 40 conhost.exe 24->40         started        49 2 other processes 26->49 87 Suspicious powershell command line found 28->87 89 Obfuscated command line found 28->89 91 Injects code into the Windows Explorer (explorer.exe) 28->91 97 5 other signatures 28->97 42 powershell.exe 28->42         started        45 lsass.exe 28->45 injected 51 2 other processes 28->51 93 Found suspicious powershell code related to unpacking or dynamic code loading 32->93 95 Loading BitLocker PowerShell Module 32->95 47 conhost.exe 32->47         started        53 2 other processes 34->53 55 9 other processes 36->55 57 13 other processes 38->57 signatures10 process11 signatures12 119 Writes to foreign memory regions 42->119 121 Modifies the context of a thread in another process (thread injection) 42->121 123 Injects a PE file into a foreign processes 42->123 59 conhost.exe 42->59         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16/
Verdict:
Malicious
Threat:
RiskTool.Miner.UDP
Link:
https://tip.neiki.dev/file/e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16
Threat name:
Win64.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-09-29 10:44:02 UTC
File Type:
PE+ (Exe)
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4xglscx47o2372seqv3fg5hi6mfstb2ft57va3ehswblzjw4xqla._file
Verdict:
malicious
Label(s):
unc_loader_055
Create hunting rule
r77rootkit
Create hunting rule
Similar samples:
18c6899051a3d07c23523c42a8ff0101434a17d39f9836990891bf476f59369d
CoinMiner
294f1af51f6fc74b23f052c7ddabf9bad27d536930090c5ee37e1e7704991c76
CoinMiner
2f0ff1a3573cb45775b709b1e8df418ff7adcc5b678a52a768d02933b6174ca6
CoinMiner
54db44510d3c25894f89752c667b03e070863c5c86d15ff4c67f5f6564fb9091
CoinMiner
8d551a15974c71c391d2e685c36db56ff37b3b4f65d29fb4385eb33556f21f17
CoinMiner
e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16
CoinMiner
error
CoinMiner
f59cf4ca5660457108b8fba581299630e197696c066b0e00171a2b87cac07b00
CoinMiner
f8626f86d774c3d65f29ae1c31c77eae9101ebc135446989307754498fb15bfa
CoinMiner
ff6ee4d16712bd542ca2860a4bfe3b9ca7dd88f70d54215e069ffc3ec2cb7ea6
CoinMiner
+ 754 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion execution miner persistence themida trojan
Link:
https://tria.ge/reports/250929-q7d8hagp4t/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Power Settings
Checks BIOS information in registry
Creates new service(s)
Executes dropped EXE
Stops running service(s)
Themida packer
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xmrig family
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e0a9e429-002e-49da-aad0-0307e07a60e7
Unpacked files
SH256 hash:
e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16
MD5 hash:
97eb7ebd9ebc4be6126acd6b18fa56d9
SHA1 hash:
7d6bdb6d5974a483b082cf8e6c107333ba495f59
Link:
https://www.unpac.me/results/06ed3b5b-59a7-48ce-83ce-8e204d7fced0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5ccb90afcfb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5ccb90afcfbb5bfea4485765374e8f30b2987459f7f506c879582bca6dcbc16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Windows_Generic_Threat_e8abb835
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29429/

Comments