Classification:
evad.troj.adwa.spyw.mine
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Mutes Antivirus updates and installments via hosts file black listing
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Capture Wi-Fi password
Sigma detected: Execution from Suspicious Folder
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Arcane Stealer
Yara detected Powershell decode and execute
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID: 1702881
Sample: SecuriteInfo.com.Win32.Malw...
Startdate: 31/05/2025
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the graph. Each process lists the network contacts, dropped files and signatures the graph attaches to it, followed by the processes it started or injected into.

[analysis root]
  network: z8hd74jqpxt19zq.hopto.org
  network: xqpw71fnqtwe81v.hopto.org
  network: 58 other IPs or domains
  signature: Suricata IDS alerts for network traffic
  signature: Malicious sample detected (through community Yara rule)
  signature: Antivirus detection for dropped file
  signature: 19 other signatures
  started: SecuriteInfo.com.Win32.MalwareX-gen.24366.2768.exe
    dropped: SecuriteInfo.com.W....24366.2768.exe.log, CSV
    started: cmd.exe
      signature: Uses netsh to modify the Windows network and firewall settings
      signature: Tries to harvest and steal WLAN passwords
      started: powershell.exe
        network: silentclickteam.co (172.67.190.206, 443, 49772, 49773; CLOUDFLARENETUS, United States)
        dropped: C:\Users\user\AppData\Local\...\sn52zjrg.exe, PE32
        dropped: C:\Users\user\AppData\Local\...\jbloeljm.exe, PE32
        dropped: C:\Users\user\AppData\Local\...\bl3uhmkn.exe, PE32
        signature: Disables Windows Defender (deletes autostart)
        signature: Disable Windows Defender real time protection (registry)
        signature: Queries memory information (via WMI often done to detect virtual machines)
        signature: 2 other signatures
        started: jbloeljm.exe
          network: icanhazip.com (104.16.184.241, 49774, 80; CLOUDFLARENETUS, United States)
          dropped: C:\Users\user\AppData\Local\Temp\xaitx.exe, PE32+
          dropped: C:\Users\user\AppData\...\jbloeljm.exe.log, ASCII
          signature: Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
          signature: Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
          signature: Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)
          signature: 11 other signatures
          started: xaitx.exe
            dropped: C:\Users\user\AppData\...\chrome_decrypt.dll, PE32+
            signature: Contains functionality to inject threads in other processes
            signature: Writes to foreign memory regions
            signature: Allocates memory in foreign processes
            2 other processes
              started: chrome.exe
                network: 7nvweq9tqyweo91.hopto.org
                network: www.google.com (142.251.40.100, 443, 49777, 49783; GOOGLEUS, United States)
              started: chrome.exe
                network: xqpw71fnqtwe81v.hopto.org
                network: vvu8ghu9oij25i4.hopto.org
                network: 6 other IPs or domains
          started: cmd.exe
            signature: Tries to harvest and steal WLAN passwords
            4 other processes
          started: powershell.exe
            signature: Loading BitLocker PowerShell Module
            started: conhost.exe
          3 other processes
            5 other processes
              started: msedge.exe
        started: bl3uhmkn.exe
          dropped: C:\Windows\...\SystemDiagnosticsHost.exe, PE32
          dropped: C:\Windows\Media\msldriver.dll, PE32+
          dropped: C:\Windows\Media\mppr.exe, PE32
          dropped: 3 other malicious files
          signature: Drops executables to the windows directory (C:\Windows) and starts them
          signature: Modifies the windows firewall
          signature: Queries memory information (via WMI often done to detect virtual machines)
          started: mppr.exe
            network: xqpw71fnqtwe81v.hopto.org
            network: vvuuunwwgyuigi2.hopto.org
            network: 11 other IPs or domains
            dropped: C:\Windows\System32\drivers\etc\hosts, ASCII
            signature: Mutes Antivirus updates and installments via hosts file black listing
            signature: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
            signature: Injects code into the Windows Explorer (explorer.exe)
            signature: 3 other signatures
            injected: explorer.exe
              started: msedge.exe
                network: 192.168.11.20 (137, 1900, 443; unknown, unknown)
                network: 2 other IPs or domains
                signature: Maps a DLL or memory area into another process
                started: msedge.exe
                  network: vvuuunwwgyuigi2.hopto.org
                  network: dns.quad9.net (149.112.112.112, 443, 51716, 53229; QUAD9-AS-1US, United States)
                  network: 19 other IPs or domains
          started: cmd.exe
            2 other processes
          7 other processes
            14 other processes
        started: sn52zjrg.exe
          signature: Multi AV Scanner detection for dropped file
          signature: Protects its processes via BreakOnTermination flag
          started: cmd.exe
            signature: Uses schtasks.exe or at.exe to add and modify task schedules
            2 other processes
          started: cmd.exe
            2 other processes
  started: SystemDiagnosticsHost.exe
    signature: Multi AV Scanner detection for dropped file
    signature: Reads the Security eventlog
    signature: Reads the System eventlog
  started: RC_ConnectedAccount.exe
    signature: Queries memory information (via WMI often done to detect virtual machines)
  6 other processes