MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff0d1b2cddd488f80e76c5b9d0ee3a156572896d179df63996b6a899ebe86b82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 19



SHA256 hash: ff0d1b2cddd488f80e76c5b9d0ee3a156572896d179df63996b6a899ebe86b82
SHA3-384 hash: 204a665fa626abfb8ce9a76e7ef8e4a5ee3be1644071dc6ce641bdebd391b75c183a479cb29059252d94b65e428fff1e
SHA1 hash: c50e6a7e9924b5d3fa61aff5416e8ab59323ad97
MD5 hash: 19db53ba9e43afcfff0aabf8e8c0ecf9
humanhash: romeo-beryllium-queen-xray
File name: file
Signature: CoinMiner
File size: 2'967'941 bytes
First seen: 2026-01-29 02:03:31 UTC
Last seen: 2026-01-29 03:22:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 49152:7H1gas42hjwLMG9FFzraU4pAPpPWWRHTQJsSQhwaPBd/uaSsbk6P2s+IH:D1gf4bLd93/4pAx3RzQkuaPBP/r+sj
Threatray: 63 similar samples on MalwareBazaar
TLSH: T11FD501DC756072EFC86BD072DEA92C68EA5074BB931F4103942756ADDA0D88BDF244F2
TrID: 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
      21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.7% (.ICL) Windows Icons Library (generic) (2059/9)
      8.5% (.EXE) OS/2 Executable (generic) (2029/13)
      8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: Bitsight
Tags: CoinMiner dropped-by-amadey exe fbf543


Bitsight
url: http://130.12.180.43/files/6382108206/SIiNvbX.exe

Intelligence


File Origin
# of uploads: 5
# of downloads: 210
Origin country: US
Vendor Threat Intelligence
Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2026-01-29 02:06:13 UTC
Tags: evasion confuser auto-sch-xml miner xmrig

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: coinminer xmrig crypt virus
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Launching a process
Connection attempt
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Searching for synchronization primitives
Connection attempt to an infection source
Sending a TCP request to an infection source
Creating a service
Launching a service
Loading a system driver
Query of malicious DNS domain
Enabling autorun for a service
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys base64 confuser confuserex obfuscated obfuscated overlay packed packed reconnaissance unsafe
Verdict: Malicious
File Type: exe x64
First seen: 2026-01-28T23:14:00Z UTC
Last seen: 2026-01-29T12:48:00Z UTC
Hits: ~100
Detections: HEUR:Trojan.Win32.Generic Trojan-PSW.PureLogs.TCP.C&C Trojan.Win32.Miner.sb Trojan.MSIL.Miner.sb PDM:Exploit.Win32.Generic HEUR:Trojan.Win32.Miner.gen RiskTool.BitCoinMiner.TCP.C&C not-a-virus:RiskTool.Win64.XMRigMiner.amq not-a-virus:RiskTool.Win64.XMRigMiner.a RiskTool.Miner.UDP.C&C not-a-virus:PDM:RiskTool.Win32.BitCoinMiner.ga not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen
Threat name: Win64.Trojan.Jalapeno
Status: Malicious
First seen: 2026-01-29 02:10:21 UTC
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig execution miner persistence
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
ConfuserEx .NET packer
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
XMRig Miner payload
Xmrig family
xmrig
Unpacked files
SHA256 hash: ff0d1b2cddd488f80e76c5b9d0ee3a156572896d179df63996b6a899ebe86b82
MD5 hash: 19db53ba9e43afcfff0aabf8e8c0ecf9
SHA1 hash: c50e6a7e9924b5d3fa61aff5416e8ab59323ad97
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: NET
Author: malware-lu
Rule name: pe_no_import_table
Description: Detects PE files that have no import table
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by threat actor (can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner
Executable exe ff0d1b2cddd488f80e76c5b9d0ee3a156572896d179df63996b6a899ebe86b82 (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

Comments