MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a1ce7981617497fe17c998698146437831520e9ab4dd5c454097ccf061f093e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 17



SHA256 hash: 7a1ce7981617497fe17c998698146437831520e9ab4dd5c454097ccf061f093e
SHA3-384 hash: 413e9726f9a6c66326e6b1030e7629125a8fde6c39351529777141a00bd2085d90ffccaa772203bb1115cbc5c7e7e3e4
SHA1 hash: 49e500ebbb278a25722de0581d8b1f8932dcab9a
MD5 hash: 0f36a9c83892d83df94b8e8ca0fb77fb
humanhash: cup-high-oscar-saturn
File name: smNoGPU.malware
Download: download sample
Signature: CoinMiner
File size: 5'738'496 bytes
First seen: 2025-11-14 01:02:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 84364258335aa120aa66630a9ee645bf (4 x CoinMiner)
ssdeep: 98304:/SPDHaHlqK+RLADEzgkKoi/FUl4XcPx0sJkI2eCGhP1KihWbxbi3cYi:/SPraFqKa4RFlMPG2CGRg9e3cY
Threatray: 13 similar samples on MalwareBazaar
TLSH: T19646D07BC21B4F9799BD2FBC934B5DBA72354060AD0BB23A9B7108F4D93994141AF348
TrID: 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.1% (.ICL) Windows Icons Library (generic) (2059/9)
      5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: XiAnzheng
Tags: CoinMiner exe miner Monero

Intelligence


File Origin
# of uploads: 1
# of downloads: 142
Origin country: ID
Vendor Threat Intelligence

Malware family:
ID: 1
File name: smNoGPU.malware
Verdict: Malicious activity
Analysis date: 2025-11-14 01:03:57 UTC
Tags: anti-evasion auto-sch-xml miner winring0-sys vuln-driver xmrig
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: backdoor spawn crypt

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Running batch commands
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Replacing files
DNS request
Searching for synchronization primitives
Connecting to a cryptocurrency mining pool
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Unauthorized injection to a system process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug coinminer crypt packed rozena unsafe

Verdict: Malicious
File Type: exe x64
First seen: 2025-10-27T11:01:00Z UTC
Last seen: 2025-11-14T00:52:00Z UTC
Hits: ~100
Detections: Trojan.Win32.Agent.xcaovi Trojan.Win32.Agent.sb HEUR:Trojan.Win32.Miner.gen Trojan.Win64.SilentCryptoMiner.abc Trojan.Win32.Inject.sb not-a-virus:RiskTool.Win32.BitCoinMiner.sb RiskTool.Miner.UDP.C&C RiskTool.BitCoinMiner.UDP.C&C not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Threat name: Win64.Trojan.Rozena
Status: Malicious
First seen: 2025-10-27 16:43:38 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 19 of 24 (79.17%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig execution miner persistence
Behaviour
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Program Files directory
Suspicious use of SetThreadContext
Power Settings
Executes dropped EXE
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xmrig family
xmrig

Verdict: Malicious
Tags: Win.Malware.Tedy-10039946-0
YARA: n/a

Unpacked files
SHA256 hash: 7a1ce7981617497fe17c998698146437831520e9ab4dd5c454097ccf061f093e
MD5 hash: 0f36a9c83892d83df94b8e8ca0fb77fb
SHA1 hash: 49e500ebbb278a25722de0581d8b1f8932dcab9a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature: CoinMiner
File type: Executable exe
SHA256 hash: 7a1ce7981617497fe17c998698146437831520e9ab4dd5c454097ccf061f093e (this sample)

Comments