MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0eff94e8ed95c8ccb19decb14f7edcf036830502745ec47fd64152e8b6e42b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 10

Intelligence 10 IOCs YARA 21 File information Comments

SHA256 hash:	f0eff94e8ed95c8ccb19decb14f7edcf036830502745ec47fd64152e8b6e42b9
SHA3-384 hash:	6cdb204f12b7e09dfb5ad024c3ac06f114b7bb20b433f52c2a96b7ae731c88c6718d36efe832263692d1707d515ddc2b
SHA1 hash:	a65671f28d52ea1730e671316a29b233f0fb0397
MD5 hash:	9ec6bc11dee711237f01c0124f9ca00c
humanhash:	dakota-apart-seven-romeo
File name:	caaservices.exe
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	40'272'384 bytes
First seen:	2026-01-31 08:54:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7716121b91c589bad02078b163c20df1 (1 x CoinMiner)
ssdeep	786432:4l4ZJpuJOUgpC4ImWjEiO99uuhOzA6z9iP:pDpuJNUfNWWlOzpx
TLSH	T1CD97E0000AB929B6D073877049FECD7199767C9A751CC09F1096FE9F3D72B029E2963A
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Alex_sev
Tags:	BitCoinMiner CoinMiner exe

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

caaservices.exe

Verdict:

No threats detected

Analysis date:

2026-01-31 08:46:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2a2a2784-1b40-481e-a8ab-98c4b5c6885a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=697dc177d93e7233498c0885

Tags:

virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug coinminer crypto fingerprint microsoft_visual_cc miner net obfuscated packed unsafe virus xor-pe

Link:

https://www.filescan.io/uploads/697dc386930564ff3c806a1e/reports/5b2e6312-da3e-4892-aa31-ec43535084f6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/f0eff94e8ed95c8ccb19decb14f7edcf036830502745ec47fd64152e8b6e42b9

Verdict:

Adware

File Type:

exe x64

First seen:

2025-12-08T14:12:00Z UTC

Last seen:

2026-02-02T06:21:00Z UTC

Hits:

~10000

Detections:

BSS:Trojan.Win32.Generic not-a-virus:BSS:RiskTool.Win32.BitCoinMiner.ga

Link:

https://opentip.kaspersky.com/f0eff94e8ed95c8ccb19decb14f7edcf036830502745ec47fd64152e8b6e42b9/results?tab=lookup

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f0eff94e8ed95c8ccb19decb14f7edcf036830502745ec47fd64152e8b6e42b9

Gathering data

Verdict:

Malicious

Threat:

RiskTool.Win32.BitCoinMiner

Link:

https://tip.neiki.dev/file/f0eff94e8ed95c8ccb19decb14f7edcf036830502745ec47fd64152e8b6e42b9

Threat name:

Win64.Coinminer.Generic

Status:

Malicious

First seen:

2025-12-16 11:04:19 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

10 of 36 (27.78%)

Threat level:

4/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6dx7stuo3foizsyz33frj57nz4bwqmcqe5c6yr75mqks5c3oik4q._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260131-kt7d8sew7h/

Behaviour

Suspicious use of AdjustPrivilegeToken

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f0eff94e8ed95c8ccb19decb14f7edcf036830502745ec47fd64152e8b6e42b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Jupyter_infostealer Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/2a2a2784-1b40-481e-a8ab-98c4b5c6885a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample