MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c2f8bcfed50f3962964d84ad5a40e0e9bdc3cafaad9f26d090cd04bf3027f63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CoinMiner

Vendor detections: 7



SHA256 hash: 0c2f8bcfed50f3962964d84ad5a40e0e9bdc3cafaad9f26d090cd04bf3027f63
SHA3-384 hash: 4a39b66ca3426ed159632bf1a89794f39944aab6ce68501501c39bf31d5fb59c24f54b3600b890c271ca123db752b95f
SHA1 hash: 50a067315f92264207d4215ab4d8b5771a228d8f
MD5 hash: 50a8425c1352765dacedf5bea779a0a0
humanhash: salami-pennsylvania-east-kitten
File name: who.sh
Signature: CoinMiner
File size: 2'023 bytes
First seen: 2026-04-07 11:29:08 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:eNJnwNnWV1iE8z31oYId/IkKj4J1dUL8qit5bRM1cPP1qYXHb4:Cp0WVkoYCwzjUm8qit5bRecPP1qYX74
TLSH: T13841EA919D94E1B06BA780386FAF22AE6116118B3F031D7CB49E2019E7FD9460376DB3
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: CoinMiner sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 76
Origin country: DE

Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: base64 expand lolbin obfuscated

Verdict: Adware
File Type: unix shell
First seen: 2026-04-07T08:37:00Z UTC
Last seen: 2026-04-07T13:24:00Z UTC
Hits: ~10
Detections: not-a-virus:HEUR:Downloader.Shell.Miner.a
Status: terminated
Behavior Graph:
pid 3199  /usr/bin/sudo
  pid 3203  /tmp/sample.bin  (execve)
    pid 3205  /usr/bin/nproc  (execve)
    pid 3208  /usr/bin/hostname  (execve)
    pid 3210  /usr/bin/nproc  (execve)
    pid 3211  /usr/bin/uname  (execve)
    pid 3214  /usr/bin/mkdir  (execve)
    pid 3215  /usr/bin/wget  (execve)  [dns, net, send-data, write-file]
      -> 10.0.2.3:53  send: 164B
      -> github.com:443  send: 802B
      -> release-assets.githubusercontent.com:0  con
      -> release-assets.githubusercontent.com:443  send: 1664B
    pid 3216  /usr/bin/tar  (execve)  [write-file]
      pid 3218  /usr/bin/tar  (clone)
        pid 3219  /usr/bin/gzip  (execve)
    pid 3261  /usr/bin/mv  (execve)
    pid 3263  /usr/bin/chmod  (execve)
    pid 3264  /usr/sbin/sysctl  (execve)  [write-file]
    pid 4502  /usr/bin/bash  (clone)
    pid 4506  /usr/bin/cat  (execve)  [write-config]
    pid 4507  /usr/bin/systemctl  (execve)
    pid 4659  /usr/bin/systemctl  (execve)
    pid 4803  /usr/bin/systemctl  (execve)
    pid 4813  /usr/bin/rm  (execve)  [delete-file]
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2026-04-07 05:23:24 UTC
File Type: Text (Shell)
AV detection: 7 of 38 (18.42%)
Threat level: 5/5

Result
Malware family: xmrig_linux
Score: 10/10
Tags: family:xmrig family:xmrig_linux defense_evasion discovery linux miner persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to shm directory
Writes file to tmp directory
Reads CPU attributes
Modifies systemd
File and Directory Permissions Modification
XMRig Miner payload
Xmrig family
Xmrig_linux family
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
Sample: sh 0c2f8bcfed50f3962964d84ad5a40e0e9bdc3cafaad9f26d090cd04bf3027f63 (this sample)

Delivery method: Distributed via web download

Comments