MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 036283407ccf8ecff4105810b91c1faf6f17c138e77f28d0ef0f3109b22ef785. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments

SHA256 hash: 036283407ccf8ecff4105810b91c1faf6f17c138e77f28d0ef0f3109b22ef785
SHA3-384 hash: f268a7b6947414eda767040af2ed129ac7aee69370d881efe33bfc8c2f1723a4cb743de7c596ce6de194c557f832d804
SHA1 hash: 5ffeb865e557756fa1b9655833c602fecb01a423
MD5 hash: 3421ef1f3d1a1bbb8f595f2f319700f0
humanhash: friend-river-triple-early
File name:kworkerd
Download: download sample
Signature CoinMiner
File size:110'360 bytes
First seen:2026-06-20 06:01:27 UTC
Last seen:2026-06-20 09:35:14 UTC
File type: elf
MIME type:application/x-sharedlib
ssdeep 3072:CdxevimPCbbDDcR894cfTfDw/gUSMkmKeTbtR1ChG:CdxeRPCzoF0ByKkbHUhG
TLSH T159B312166CFD8B60F1988FF309A761BC3A6DEEA77D0D83241D75B981F07D421060E5A6
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:CoinMiner elf

Intelligence


File Origin
# of uploads :
2
# of downloads :
67
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sends data to a server
Manages services
Sets a written file as executable
Creating a file in the %temp% directory
Receives data from a server
Deleting a recently created file
Launching a process
Connection attempt
Creating a file
Collects information on the CPU
Changes the time when the file was created, accessed, or modified
Opens a port
Changes access rights for a written file
DNS request
Runs as daemon
Substitutes an application name
Creates or modifies files in /cron to set up autorun
Deleting of the original file
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
1
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2026-06-20T03:17:00Z UTC
Last seen:
2026-06-22T03:08:00Z UTC
Hits:
~100
Status:
terminated
Behavior Graph:
%3 guuid=f40640e7-1900-0000-c2a5-cb1c000b0000 pid=2816 /usr/bin/sudo guuid=be6fc4e9-1900-0000-c2a5-cb1c080b0000 pid=2824 /tmp/sample.bin write-file guuid=f40640e7-1900-0000-c2a5-cb1c000b0000 pid=2816->guuid=be6fc4e9-1900-0000-c2a5-cb1c080b0000 pid=2824 execve guuid=f259aeeb-1900-0000-c2a5-cb1c0f0b0000 pid=2831 /tmp/sample.bin zombie guuid=be6fc4e9-1900-0000-c2a5-cb1c080b0000 pid=2824->guuid=f259aeeb-1900-0000-c2a5-cb1c0f0b0000 pid=2831 clone guuid=afdfb5eb-1900-0000-c2a5-cb1c100b0000 pid=2832 /tmp/sample.bin net send-data write-config write-file zombie guuid=f259aeeb-1900-0000-c2a5-cb1c0f0b0000 pid=2831->guuid=afdfb5eb-1900-0000-c2a5-cb1c100b0000 pid=2832 clone ffee5cfb-bb94-52c2-8935-ae3a87e774db 127.0.0.1:42780 guuid=afdfb5eb-1900-0000-c2a5-cb1c100b0000 pid=2832->ffee5cfb-bb94-52c2-8935-ae3a87e774db con 54d92a3b-1447-55af-b534-047898c60c8d 1.1.1.1:53 guuid=afdfb5eb-1900-0000-c2a5-cb1c100b0000 pid=2832->54d92a3b-1447-55af-b534-047898c60c8d send: 40B guuid=afdfb5eb-1900-0000-c2a5-cb1c100b0000 pid=2834 /tmp/sample.bin zombie guuid=afdfb5eb-1900-0000-c2a5-cb1c100b0000 pid=2832->guuid=afdfb5eb-1900-0000-c2a5-cb1c100b0000 pid=2834 clone guuid=a66a21ed-1900-0000-c2a5-cb1c160b0000 pid=2838 /usr/bin/dash guuid=afdfb5eb-1900-0000-c2a5-cb1c100b0000 pid=2832->guuid=a66a21ed-1900-0000-c2a5-cb1c160b0000 pid=2838 execve guuid=23fb6425-1a00-0000-c2a5-cb1ca10b0000 pid=2977 /usr/bin/dash zombie guuid=afdfb5eb-1900-0000-c2a5-cb1c100b0000 pid=2832->guuid=23fb6425-1a00-0000-c2a5-cb1ca10b0000 pid=2977 execve guuid=57b24ced-1900-0000-c2a5-cb1c170b0000 pid=2839 /usr/bin/systemctl guuid=a66a21ed-1900-0000-c2a5-cb1c160b0000 pid=2838->guuid=57b24ced-1900-0000-c2a5-cb1c170b0000 pid=2839 execve guuid=8e0c9125-1a00-0000-c2a5-cb1ca20b0000 pid=2978 /usr/bin/systemctl guuid=23fb6425-1a00-0000-c2a5-cb1ca10b0000 pid=2977->guuid=8e0c9125-1a00-0000-c2a5-cb1ca20b0000 pid=2978 execve guuid=b4d80166-1a00-0000-c2a5-cb1c670c0000 pid=3175 /usr/bin/dash guuid=01760c66-1a00-0000-c2a5-cb1c690c0000 pid=3177 /tmp/.d write-file guuid=b4d80166-1a00-0000-c2a5-cb1c670c0000 pid=3175->guuid=01760c66-1a00-0000-c2a5-cb1c690c0000 pid=3177 execve guuid=99b3d467-1a00-0000-c2a5-cb1c6c0c0000 pid=3180 /tmp/.d zombie guuid=01760c66-1a00-0000-c2a5-cb1c690c0000 pid=3177->guuid=99b3d467-1a00-0000-c2a5-cb1c6c0c0000 pid=3180 clone guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3181 /tmp/.d delete-file net send-data write-file zombie guuid=99b3d467-1a00-0000-c2a5-cb1c6c0c0000 pid=3180->guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3181 clone guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3181->ffee5cfb-bb94-52c2-8935-ae3a87e774db send: 15B guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3181->54d92a3b-1447-55af-b534-047898c60c8d send: 80B 0a8043c9-917f-591f-8444-89639bba3210 91.239.211.89:8000 guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3181->0a8043c9-917f-591f-8444-89639bba3210 send: 68B guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3211 /tmp/.d guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3181->guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3211 clone guuid=bab82187-1a00-0000-c2a5-cb1c900c0000 pid=3216 /usr/bin/dash guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3181->guuid=bab82187-1a00-0000-c2a5-cb1c900c0000 pid=3216 execve guuid=bfd17887-1a00-0000-c2a5-cb1c920c0000 pid=3218 /usr/bin/dash guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3181->guuid=bfd17887-1a00-0000-c2a5-cb1c920c0000 pid=3218 execve guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3222 /tmp/.d guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3181->guuid=092be867-1a00-0000-c2a5-cb1c6d0c0000 pid=3222 clone guuid=af7d4f87-1a00-0000-c2a5-cb1c910c0000 pid=3217 /usr/bin/dash guuid=bab82187-1a00-0000-c2a5-cb1c900c0000 pid=3216->guuid=af7d4f87-1a00-0000-c2a5-cb1c910c0000 pid=3217 clone guuid=78c2b387-1a00-0000-c2a5-cb1c940c0000 pid=3220 /usr/bin/dash guuid=bfd17887-1a00-0000-c2a5-cb1c920c0000 pid=3218->guuid=78c2b387-1a00-0000-c2a5-cb1c940c0000 pid=3220 clone
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
96 / 100
Signature
Drops invisible ELF files
Executes itself again with its parent PID as an argument (indicative of hampering debugging)
Executes the "crontab" command typically for achieving persistence
Found strings related to Crypto-Mining
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Sample tries to persist itself using cron
Searches for CPU information (likely indicative of DDoS capability)
Suricata IDS alerts for network traffic
Writes identical ELF files to multiple locations
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1931302 Sample: kworkerd.elf Startdate: 20/06/2026 Architecture: LINUX Score: 96 106 api.robotmarkethub.com 2->106 108 91.239.211.89, 36046, 36048, 36054 HOSTKEY-ASNL Germany 2->108 110 3 other IPs or domains 2->110 112 Suricata IDS alerts for network traffic 2->112 114 Yara detected Xmrig cryptocurrency miner 2->114 13 systemd sh 2->13         started        15 kworkerd.elf 2->15         started        18 systemd snapd-env-generator 2->18         started        20 3 other processes 2->20 signatures3 116 Performs DNS TXT record lookups 106->116 process4 signatures5 22 sh sh 13->22         started        24 sh wget 13->24         started        27 sh rm 13->27         started        138 Found strings related to Crypto-Mining 15->138 29 kworkerd.elf 15->29         started        process6 file7 31 sh 22->31         started        33 sh 22->33         started        35 sh wget 22->35         started        41 17 other processes 22->41 104 /tmp/..redis-sentinel, POSIX 24->104 dropped 39 kworkerd.elf 29->39         started        process8 file9 43 sh .d 31->43         started        45 sh .d 33->45         started        96 /tmp/.d, ELF 35->96 dropped 122 Writes identical ELF files to multiple locations 35->122 124 Drops invisible ELF files 35->124 47 kworkerd.elf sh 39->47         started        49 kworkerd.elf sh 39->49         started        98 /run/.d, ELF 41->98 dropped 100 /dev/shm/.d, ELF 41->100 dropped 126 Searches for CPU information (likely indicative of DDoS capability) 41->126 128 Sample deletes itself 41->128 51 sh awk 41->51         started        53 sh cut 41->53         started        55 sh 41->55         started        57 sh 41->57         started        signatures10 process11 process12 59 .d 43->59         started        61 .d 45->61         started        63 sh systemctl 47->63         started        65 sh systemctl 49->65         started        process13 67 .d 59->67         started        71 .d 61->71         started        file14 102 /var/spool/cron/crontabs/root, ASCII 67->102 dropped 130 Opens /sys/class/net/* files useful for querying network interface information 67->130 132 Sample deletes itself 67->132 134 Sample tries to persist itself using cron 67->134 73 .d sh 67->73         started        76 .d sh 67->76         started        78 .d sh 71->78         started        80 .d sh 71->80         started        signatures15 process16 signatures17 82 sh crontab 73->82         started        86 sh crontab 76->86         started        136 Executes itself again with its parent PID as an argument (indicative of hampering debugging) 78->136 88 sh crontab 78->88         started        90 sh crontab 80->90         started        process18 file19 92 /var/spool/cron/crontabs/tmp.BLNhcX, ASCII 82->92 dropped 94 /var/spool/cron/crontabs/tmp.M8eAPR, ASCII 88->94 dropped 118 Sample tries to persist itself using cron 88->118 120 Executes the "crontab" command typically for achieving persistence 88->120 signatures20
Threat name:
Linux.Trojan.Generic
Status:
Suspicious
First seen:
2026-06-20 03:11:38 UTC
File Type:
ELF64 Little (SO)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Creates/modifies Cron job
Enumerates active TCP sockets
Enumerates running processes
Modifies systemd
Reads MAC address of network interface
Deletes itself
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

elf 036283407ccf8ecff4105810b91c1faf6f17c138e77f28d0ef0f3109b22ef785

(this sample)

  
Delivery method
Distributed via web download

Comments