MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 163f78541c2fbdad128997534ecc2ad31b112f779347c526dd4e071a608de85c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 9

Intelligence 9 IOCs YARA 16 File information Comments

SHA256 hash:	163f78541c2fbdad128997534ecc2ad31b112f779347c526dd4e071a608de85c
SHA3-384 hash:	51f21e9adf05e7ed40e150abb19266f7554b6b4a435c3bb18b9f9d9fb9e1465ea6ae9b0b01904397636fb36b068a9a0d
SHA1 hash:	d684662b6504a1f7157a9f52fe838b0447dba4c0
MD5 hash:	ea21c93c8093bef1c5745d11cce3853c
humanhash:	chicken-ceiling-ink-sweet
File name:	xfitaarch.sh
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	6'389'008 bytes
First seen:	2026-01-15 22:36:29 UTC
Last seen:	2026-01-16 01:01:45 UTC
File type:	elf
MIME type:	application/x-executable
ssdeep	98304:pQb0E6a6jn36FylX9OGfT1czRY06aESwpB4wH/E1AjJ6:pgJ6L36FylX9OGfq3ES4uwH/djJ6
TLSH	T101567D57B90F3C22F3CBF77C9E4B9360A7177990D3225072B9164218DAC36D8C6B5AA1
telfhash	t152c31aa6082dc95bcc717a696ebd6e2603c706c7b710ed95afe4c01c9f40c9ca2fa54d
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	CoinMiner elf

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

PUA.Unix.Coinminer.XMRig-6683890-0

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

coinminer gcc masquerade miner monero rust xmrig

Link:

https://www.filescan.io/uploads/69696c263dd9d209505640ce/reports/84725110-7738-43d4-a7bd-f3c4b19d68b7/overview

Verdict:

Adware

File Type:

elf.64.le

First seen:

2021-11-02T14:09:00Z UTC

Last seen:

2026-01-15T20:07:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/163f78541c2fbdad128997534ecc2ad31b112f779347c526dd4e071a608de85c/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/0fb6d471-402e-473b-9d43-8816105611ca

Behavior Graph:

Download SVG

Malware family:

XMRig Miner

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c0d6b0d9-e479-4364-b2dc-7d5d4c980f45

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

mine

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1851714

Signature

Antivirus / Scanner detection for submitted sample

Found strings related to Crypto-Mining

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Score:

92%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/163f78541c2fbdad128997534ecc2ad31b112f779347c526dd4e071a608de85c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/163f78541c2fbdad128997534ecc2ad31b112f779347c526dd4e071a608de85c/

Threat name:

Linux.Coinminer.Generic

Status:

Malicious

First seen:

2021-11-03 03:52:25 UTC

File Type:

ELF64 Little (Exe)

AV detection:

20 of 36 (55.56%)

Threat level:

4/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cy7xqva4f6622eujs5ju5tbk2mnrcl3xsnd4kjw5jydruyen5boa._file

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig linux miner

Link:

https://tria.ge/reports/260115-2j1x5sgs7e/

Verdict:

Unknown

Tags:

cryptojacking xmrig

YARA:

MacOS_Cryptominer_Xmrig_241780a1 XMRIG_Monero_Miner Linux_Cryptominer_Camelot_cdd631c1 MAL_ELF_XMRig_Jul_09

Link:

https://app.threat.zone/submission/42414d30-1799-48f8-99ac-64bd78bcfaff

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/163f78541c2fbdad128997534ecc2ad31b112f779347c526dd4e071a608de85c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	enterpriseapps2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise apps

Rule name:	F01_s1ckrule Create hunting rule
Author:	s1ckb017

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	Linux_Cryptominer_Camelot_cdd631c1 Create hunting rule
Author:	Elastic Security

Rule name:	MacOS_Cryptominer_Xmrig_241780a1 Create hunting rule
Author:	Elastic Security

Rule name:	Multi_Cryptominer_Xmrig_f9516741 Create hunting rule
Author:	Elastic Security

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	setsockopt Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for setsockopt() red flags

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases

Rule name:	xmrig_v1 Create hunting rule
Author:	RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

elf 163f78541c2fbdad128997534ecc2ad31b112f779347c526dd4e071a608de85c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3758773/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample