MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 001ba935c6d09702e2ca8a41a74daba441f49aa71572a356352b26ca3f9e465a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash: 001ba935c6d09702e2ca8a41a74daba441f49aa71572a356352b26ca3f9e465a
SHA3-384 hash: aa7aff4641a2938b997516d3a003ef1d1f2ba658748f7b1f8ecc1b79ecf56487489ea415cc1fb60c31f46165c4d3dab2
SHA1 hash: 3dbf0c8ca39b05595f1790d1954b6084c34dcf45
MD5 hash: 0da68a55a4752acb0e7dd233294564db
humanhash: alpha-apart-bravo-freddie
File name:kworkerd-netns
Download: download sample
Signature CoinMiner
File size:333'964 bytes
First seen:2026-06-26 09:09:35 UTC
Last seen:Never
File type: elf
MIME type:application/x-sharedlib
ssdeep 6144:dorSpWWzrizwImuau1F4AtsZYyvtyq9+JIy50ENIkwlBoOfrEVNmN3:dofKu03vtUSzXUk3
TLSH T1DE642A0A77608FE4E274C13006F74B96A6FE21A656F24985D33DEE107E9034C6A5FF98
telfhash t1da41e984a83209ef7efb55008c642625c506e625f8b38f20ef18d6c1476842eb64ee4f
Magika elf
Reporter abuse_ch
Tags:CoinMiner elf upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 fa5410f4aa035782d0c0ccd8cb7ae228e35e3049702d60fd574dd414d111896e
File size (compressed) :132'140 bytes
File size (de-compressed) :333'964 bytes
Format:linux/mips
Packed file: fa5410f4aa035782d0c0ccd8cb7ae228e35e3049702d60fd574dd414d111896e

Intelligence


File Origin
# of uploads :
1
# of downloads :
86
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
DNS request
Connection attempt
Changes the time when the file was created, accessed, or modified
Changes access rights for a written file
Creating a file in the %temp% directory
Collects information on the CPU
Sets a written file as executable
Opens a port
Runs as daemon
Launching a process
Manages services
Substitutes an application name
Kills critical processes
Creates or modifies files in /cron to set up autorun
Deleting of the original file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 gcc mirai
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2026-06-26T09:27:00Z UTC
Last seen:
2026-06-26T12:21:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=b9e1a9d3-1900-0000-5002-dda878100000 pid=4216 /usr/bin/sudo guuid=573487d5-1900-0000-5002-dda87e100000 pid=4222 /tmp/sample.bin guuid=b9e1a9d3-1900-0000-5002-dda878100000 pid=4216->guuid=573487d5-1900-0000-5002-dda87e100000 pid=4222 execve
Gathering data
Result
Threat name:
Detection:
malicious
Classification:
evad.mine
Score:
68 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains symbols with names commonly found in malware
Found strings related to Crypto-Mining
Performs DNS TXT record lookups
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1934117 Sample: kworkerd-netns.elf Startdate: 26/06/2026 Architecture: LINUX Score: 68 33 api.robotmarkethub.com 2->33 35 109.202.202.202, 80 INIT7CH Switzerland 2->35 37 4 other IPs or domains 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 Yara detected Xmrig cryptocurrency miner 2->41 43 Contains symbols with names commonly found in malware 2->43 10 kworkerd-netns.elf 2->10         started        13 systemd sh 2->13         started        15 systemd snapd-env-generator 2->15         started        17 3 other processes 2->17 signatures3 45 Performs DNS TXT record lookups 33->45 process4 signatures5 47 Found strings related to Crypto-Mining 10->47 19 kworkerd-netns.elf 10->19         started        21 sh wget 13->21         started        process6 process7 23 kworkerd-netns.elf 19->23         started        process8 25 kworkerd-netns.elf sh 23->25         started        27 kworkerd-netns.elf sh 23->27         started        process9 29 sh systemctl 25->29         started        31 sh systemctl 27->31         started       
Threat name:
Linux.Trojan.Generic
Status:
Suspicious
First seen:
2026-06-26 09:10:34 UTC
File Type:
ELF32 Big (SO)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:elf_arm_mips_ko_so
Rule name:enterpriseapps2
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:setsockopt
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

elf 001ba935c6d09702e2ca8a41a74daba441f49aa71572a356352b26ca3f9e465a

(this sample)

  
Delivery method
Distributed via web download

Comments