MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7eb01ca49e6e5172d3866625c18b327557531983c52a8560976a23f39b72fe24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7eb01ca49e6e5172d3866625c18b327557531983c52a8560976a23f39b72fe24
SHA3-384 hash: b2f3bab3041a514678dd8bd76ebc47792982f692f81b704c895969a28ad6d677d8e0dfe9ec0ab1512e545ce885847e37
SHA1 hash: a43b362e357e1162f3e6b9de4628d06b6bbb9a64
MD5 hash: e654f14729e177bd70e2e907ddbf02dd
humanhash: orange-bulldog-mountain-california
File name:file
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'879'976 bytes
First seen:2026-01-10 21:01:06 UTC
Last seen:2026-01-10 21:06:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (56 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 98304:Wf58qnlBuu4ItJXi4Kl35tt+w7iX4P/LzLLga/yTukSEbtPTnulj+:WfLuuztJi4E5vr7iX0/QTjvPyj+
Threatray 1'165 similar samples on MalwareBazaar
TLSH T108363387B698D0FFD5A319BF10C45E4E66F7BAA01B7914EFA7800635981A2F24234377
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:CoinMiner dropped-by-Stealc exe signed test1

Code Signing Certificate

Organisation:FileZilla FTP Client
Issuer:FileZilla FTP Client
Algorithm:sha256WithRSAEncryption
Valid from:2025-12-24T00:00:00Z
Valid to:2030-12-24T00:00:00Z
Serial number: 3010edb326dc0f81
Intelligence: 14 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: c3bdb12dd0565b796cab743ef8c6fab84e7a2d25d38f58a3e5a71a797a648feb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Bitsight
url: https://filezilla.cc/Driver_EN_msc_AMD_v22.39.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
180
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
amadey
Create hunting rule
ID:
1
File name:
Nuclear Bomb.zip
Verdict:
Malicious activity
Analysis date:
2026-01-10 18:35:39 UTC
Tags:
auto metasploit framework arch-exec github stealer stealc python powershell xenorat rat anti-evasion credentialflusher possible-phishing clickfix amadey botnet phishing anydesk rmm-tool loader putty svc miner generic networm amus coinminer adware cryptowall ransomware azorult telegram irc asyncrat purelogs havoc tool tinynuke njrat guloader vidar koistealer xred meterpreter koiloader xmrig autohotkey evasion ghostsocks proxyware rhadamanthys bdaejec backdoor cobaltstrike whitesnakestealer quasar gh0st pushware whitesnake bladabindi bruteratel smb redline formbook websocket purecrypter java stealerium remcos wannacry noescape wiper mimikatz xworm agenttesla pyinstaller clipper diamotrix scan smbscan screenconnect rdp donutloader jigsaw dcrat pastebin deerstealer muckstealer discord lumma hijackloader offloader remote gh0stcringe cryptolocker eicar-test braodo teamviewer meshagent pythonstealer schoolboy
Link:
https://app.any.run/tasks/6ec5b656-8582-45f3-82f8-560232399718

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48504/
Detection(s):
Win.Malware.7zip-10013374-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6962be41f50945831dffcdcd
Tags:
shellcode dropper sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Replacing files
Сreating synchronization primitives
Creating a service
Creating a file
Launching a service
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer installer installer-heuristic keylogger microsoft_visual_cc obfuscated overlay signed stealer
Link:
https://www.filescan.io/uploads/6962be3930368802bb7f7e78/reports/fc7065a2-5ee7-4720-938e-df52918c07c3/overview
Verdict:
Malicious
Labled as:
Malware.7zip
Link:
https://www.hybrid-analysis.com/sample/7eb01ca49e6e5172d3866625c18b327557531983c52a8560976a23f39b72fe24
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-10T18:11:00Z UTC
Last seen:
2026-01-11T02:00:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Miner.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.rnd HEUR:Trojan.Win32.SFX.gen HEUR:Trojan.Win32.Miner.pef Trojan-Dropper.Win32.Agent.sb Trojan.Win32.SFX.sb PDM:Trojan.Win32.Generic RiskTool.Miner.UDP.C&C
Link:
https://opentip.kaspersky.com/7eb01ca49e6e5172d3866625c18b327557531983c52a8560976a23f39b72fe24/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fe0d1b28-ccb4-44db-9868-cb898840c7eb
Score:
57%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/7eb01ca49e6e5172d3866625c18b327557531983c52a8560976a23f39b72fe24
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout SFX 7z Win 32 Exe x86
Link:
https://app.malva.re/file/e654f14729e177bd70e2e907ddbf02dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7eb01ca49e6e5172d3866625c18b327557531983c52a8560976a23f39b72fe24/
Verdict:
Malicious
Threat:
Family.XMRIG
Link:
https://tip.neiki.dev/file/7eb01ca49e6e5172d3866625c18b327557531983c52a8560976a23f39b72fe24
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-10 21:01:51 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2ybzje6nzixfu4gmys4dczsovlvggmdyuvikyexnir7hg3s7ysa._file
Verdict:
malicious
Label(s):
unc_loader_055
Create hunting rule
Similar samples:
1b95497b3247ace77bd2c28c96803a47f69ec7d35ad84dde377d1ee3684193c5
CoinMiner
222e03c097595d8bee2bc348b7ac716a308a566d61ffb14a343610bc4656aeb8
CoinMiner
502a4c498c1f14e9176959e54548f2af53a240eb9f769f11f9dfeeec7fc87b29
CoinMiner
86a0497b6b95420d558cc3a6cbaa79f4d599474edf8910ecbca7802888464201
CoinMiner
91781da6c1db66ebd379e2008b897729ef011d064770a50d3acdaf01f2e95850
CoinMiner
+ 1'155 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig defense_evasion discovery execution miner persistence upx
Link:
https://tria.ge/reports/260110-zvah8af14f/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Contacts third-party web service commonly abused for C2
Checks computer location settings
Creates new service(s)
Executes dropped EXE
Loads dropped DLL
Stops running service(s)
Command and Scripting Interpreter: PowerShell
XMRig Miner payload
Xmrig family
xmrig
Verdict:
Malicious
Tags:
Win.Malware.7zip-10013374-0
YARA:
n/a
Link:
https://app.threat.zone/submission/fb40531d-2ba6-4c35-9838-b6ddc0f6c18b
Unpacked files
SH256 hash:
7eb01ca49e6e5172d3866625c18b327557531983c52a8560976a23f39b72fe24
MD5 hash:
e654f14729e177bd70e2e907ddbf02dd
SHA1 hash:
a43b362e357e1162f3e6b9de4628d06b6bbb9a64
Link:
https://www.unpac.me/results/933db329-1b07-4fd7-a6af-4fbae5b1525e/
SH256 hash:
ee822702382c8c9e57d3b423bbec8dcb733fcba94790f47785cdac554bc3f95c
MD5 hash:
4607c466b3f200f5dde0675ddf01c8fe
SHA1 hash:
67af1ed9d005f9c236af6325254eaf39041237ae
Link:
https://www.unpac.me/results/933db329-1b07-4fd7-a6af-4fbae5b1525e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7eb01ca49e6e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7eb01ca49e6e5172d3866625c18b327557531983c52a8560976a23f39b72fe24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe 7eb01ca49e6e5172d3866625c18b327557531983c52a8560976a23f39b72fe24

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3743524/
Cape
Cape
https://www.capesandbox.com/analysis/48504/

Comments