MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c57caf3120b3ce67ab5a52e167f9768997dde1364a1a398ef61fb38ff3ed1f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 17

Intelligence 17 IOCs YARA 28 File information Comments

SHA256 hash:	9c57caf3120b3ce67ab5a52e167f9768997dde1364a1a398ef61fb38ff3ed1f0
SHA3-384 hash:	3b9ee631eebcd7331a573cf1b9100c60ca9b2eba0a25935d1fae5351b0abe6da12cc04adaa0d344541ca87de447ae827
SHA1 hash:	a8e1f12735dcef275c2b88037e19e5d13a4c33c4
MD5 hash:	0758ccd764f2925d4dff96042e5cb95b
humanhash:	delaware-spring-sweet-pasta
File name:	file
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	4'918'368 bytes
First seen:	2026-01-16 21:03:35 UTC
Last seen:	2026-01-17 17:00:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f6baa5eaa8231d4fe8e922a2e6d240ea (60 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep	98304:6G54KUvLJ83D4O5fJPbNCyCaposYcX5LIT9Ktcu4FUf1Z50f:6GyKU23D4OFRb9OsYcXC9KteO50f
Threatray	1'186 similar samples on MalwareBazaar
TLSH	T135363306FAE4D276E3A7243F14D862A1A1BBF62D733A80C787945B7B1B152F44E3414B
TrID	38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 24.6% (.EXE) Win64 Executable (generic) (10522/11/4) 11.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.5% (.EXE) Win32 Executable (generic) (4504/4/1) 4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	CoinMiner dropped-by-Stealc exe signed test1

Code Signing Certificate

Organisation:	FileZilla
Issuer:	FileZilla
Algorithm:	sha384WithRSAEncryption
Valid from:	2026-01-12T00:00:00Z
Valid to:	2032-01-12T00:00:00Z
Serial number:	147560e99575ef29
Intelligence:	11 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	cfa5b27095bc5228308260c4444aaa2e99caf267bbf014ca47b8aeb63aa2de15
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Bitsight

url: https://filezilla.cc/Driver_EN_msc_AMD_v22.39.exe

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

xmrig

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-01-16 21:05:59 UTC

Tags:

arch-exec miner github winring0-sys vuln-driver upx xmrig

Link:

https://app.any.run/tasks/a14eb3c8-494f-4be8-aa3c-f86e80a1e6e5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49126/

Detection(s):

Win.Malware.7zip-10013374-0

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696aa7e7ef906a21abcdd8f3

Tags:

dropper crypt sage

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context fingerprint installer installer installer-heuristic keylogger microsoft_visual_cc obfuscated overlay signed

Link:

https://www.filescan.io/uploads/696aa7e4584f1963ad57d74c/reports/d16397e4-c847-461d-bc91-e67f78911f52/overview

Verdict:

Malicious

Labled as:

Malware.7zip

Link:

https://www.hybrid-analysis.com/sample/9c57caf3120b3ce67ab5a52e167f9768997dde1364a1a398ef61fb38ff3ed1f0

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-16T16:54:00Z UTC

Last seen:

2026-01-18T06:42:00Z UTC

Hits:

~100

Detections:

Trojan-Dropper.Win32.Agent.sb Trojan.Win32.SFX.sb Trojan.Win32.Miner.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.rnd HEUR:Trojan.Win32.SFX.gen HEUR:Trojan.Win32.Miner.pef RiskTool.Miner.UDP.C&C RiskTool.BitCoinMiner.TCP.C&C

Link:

https://opentip.kaspersky.com/9c57caf3120b3ce67ab5a52e167f9768997dde1364a1a398ef61fb38ff3ed1f0/results?tab=lookup

Malware family:

XMRig Miner

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/35023a1e-1e32-45c3-9aac-17397288cc5b

Score:

56%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/9c57caf3120b3ce67ab5a52e167f9768997dde1364a1a398ef61fb38ff3ed1f0

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c57caf3120b3ce67ab5a52e167f9768997dde1364a1a398ef61fb38ff3ed1f0/

Verdict:

Malicious

Threat:

Family.XMRIG

Link:

https://tip.neiki.dev/file/9c57caf3120b3ce67ab5a52e167f9768997dde1364a1a398ef61fb38ff3ed1f0

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2026-01-16 21:04:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 24 (54.17%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=trl4v4ysbm6om6vvuuxbm74xncmx3xqtmsq2hghpmh5tr7z62hya._file

Verdict:

malicious

Label(s):

unc_loader_055

CoinMiner

3774c53aca05c170b5c22c787e7693ae216af823426c3bf46a34043c809b602a

CoinMiner

66bd199d4ffcf1792b46c400a6eed9f71a88321f3057776e1a428f112cf7086c

CoinMiner

91781da6c1db66ebd379e2008b897729ef011d064770a50d3acdaf01f2e95850

CoinMiner

error

CoinMiner

fd3550391fea1a00a68314e70e813175bc133b11bd1f6ff880ce86b446daf4d6

CoinMiner

+ 1'176 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig defense_evasion discovery execution miner persistence upx

Link:

https://tria.ge/reports/260116-zwwsvagy7e/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Launches sc.exe

Drops file in System32 directory

Suspicious use of SetThreadContext

UPX packed file

Contacts third-party web service commonly abused for C2

Checks computer location settings

Creates new service(s)

Executes dropped EXE

Loads dropped DLL

Stops running service(s)

Command and Scripting Interpreter: PowerShell

XMRig Miner payload

Xmrig family

xmrig

Verdict:

Malicious

Tags:

Win.Malware.7zip-10013374-0

YARA:

n/a

Link:

https://app.threat.zone/submission/b100830d-2662-42ab-8a7b-a2186f1119e2

Unpacked files

SH256 hash:

9c57caf3120b3ce67ab5a52e167f9768997dde1364a1a398ef61fb38ff3ed1f0

MD5 hash:

0758ccd764f2925d4dff96042e5cb95b

SHA1 hash:

a8e1f12735dcef275c2b88037e19e5d13a4c33c4

Link:

https://www.unpac.me/results/f3eae37a-15f7-4448-973e-5cfd8c1a7c85/

SH256 hash:

21cb69079b87814d030eb20d63c16d6530c987a06aea122aa1f8a6f4719be84c

MD5 hash:

cfaf7eab9010bd4c5fdd0f72e9bc7b81

SHA1 hash:

be37da6098aa2d582235f1f274d5027b63703899

Link:

https://www.unpac.me/results/f3eae37a-15f7-4448-973e-5cfd8c1a7c85/

Malware family:

XMRig

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9c57caf3120b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9c57caf3120b3ce67ab5a52e167f9768997dde1364a1a398ef61fb38ff3ed1f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MacOS_Cryptominer_Xmrig_241780a1 Create hunting rule
Author:	Elastic Security

Rule name:	MALWARE_Win_CoinMiner02 Create hunting rule
Author:	ditekSHen
Description:	Detects coinmining malware

Rule name:	MAL_XMR_Miner_May19_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MAL_XMR_Miner_May19_1_RID2E1B Create hunting rule
Author:	Florian Roth
Description:	Detects Monero Crypto Coin Miner
Reference:	https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	Mimikatz_Generic Create hunting rule
Author:	Still
Description:	attempts to match all variants of Mimikatz

Rule name:	Multi_Cryptominer_Xmrig_f9516741 Create hunting rule
Author:	Elastic Security

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	rig_win64_xmrig_6_13_1_xmrig Create hunting rule
Author:	yarGen Rule Generator
Description:	rig_win64 - file xmrig.exe
Reference:	https://github.com/Neo23x0/yarGen

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	Windows_Cryptominer_Generic_f53cfb9b Create hunting rule
Author:	Elastic Security

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases