MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea5f5c5e914eb4d1d4edd98dcc80c8c9750e4111aa4f863400fbaafaf575ba6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CoinMiner
Vendor detections: 12



SHA256 hash: ea5f5c5e914eb4d1d4edd98dcc80c8c9750e4111aa4f863400fbaafaf575ba6b
SHA3-384 hash: 7c4f00e9df55d54ff16ae2f65eee3d84b6482db8be6be5882f07f140ae0b3dd344e02df80936adefcf5df59cd13de219
SHA1 hash: 44bf77fd6ca8e82ae280b18b8667cc0bba880751
MD5 hash: fe0dc6cf2bf739e602b7891f63ccaa88
humanhash: august-cardinal-london-wyoming
File name: Game.exe
Signature: CoinMiner
File size: 78'014'645 bytes
First seen: 2025-12-11 13:53:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e05e31a5063c852520cc6950fe83ad1a (13 x CoinMiner, 8 x ScarfaceStealer)
ssdeep: 393216:ITI3xpBpYeoGmZcpmjz5GZd93ULfBPLoIJBsIyNOnS0B4AycWMCY6+Y3xjtFRYVD:IYrO/sJY2ByOjR5rs3wbvEN
TLSH: T1A4086A4267EA04C4F9F7DA3589E69217D673BC166F3085CF224C172A1F736E08976B22
TrID:
  63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
  12.2% (.EXE) OS/2 Executable (generic) (2029/13)
  12.0% (.EXE) Generic Win/DOS Executable (2002/3)
  12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
dhash icon: 93c1e9e9e9e94907 (1 x CoinMiner)
Reporter: lfr
Tags: CoinMiner exe


lfr
https://www.patreon.com/file?h=145586990&m=578901585

Intelligence


File Origin
# of uploads: 1
# of downloads: 229
Origin country: FR

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Game.exe
Verdict: Suspicious activity
Analysis date: 2025-12-11 13:43:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug anti-vm crypto expand fingerprint installer-heuristic lolbin microsoft_visual_cc nexe overlay packed

Verdict: Malicious
File Type: exe x64
First seen: 2025-12-11T07:44:00Z UTC
Last seen: 2025-12-11T10:57:00Z UTC
Hits: ~1000
Detections: Trojan-PSW.Win64.Stealka.sb Trojan-PSW.Win64.Stealka.k Trojan-PSW.Win64.Stealer.sb
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-12-11 12:46:15 UTC
AV detection: 8 of 24 (33.33%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig collection defense_evasion discovery execution exploit impact miner persistence ransomware spyware stealer trojan
Behaviour
outlook_win_path
Checks processor information in registry
Delays execution with timeout.exe
Interacts with shadow copies
Modifies data under HKEY_USERS
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
Browser Information Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Power Settings
Cryptocurrency Miner
Disables service(s)
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Possible privilege escalation attempt
Deletes shadow copies
XMRig Miner payload
Modifies Windows Defender notification settings
Xmrig family
xmrig
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: CoinMiner
File type: Executable exe
SHA256: ea5f5c5e914eb4d1d4edd98dcc80c8c9750e4111aa4f863400fbaafaf575ba6b (this sample)
