MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21c9ee9681865b3f6a20ac8149a5b7d54ab76ad22ab02ba23c4261ee2a303aeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Kinsing

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	21c9ee9681865b3f6a20ac8149a5b7d54ab76ad22ab02ba23c4261ee2a303aeb
SHA3-384 hash:	e1d529f3df19fe9099a37d2a80658d8d19a1c84aac1a7a6aade53e5e0ce9b024a0f080582036715b0702f4e9caf084ef
SHA1 hash:	fbb666e6c2ef52613dc9927a37d236b8c169ae13
MD5 hash:	d6e57e9704d8185d3784a64122ffd17b
humanhash:	whiskey-utah-green-edward
File name:	acb.sh
Download:	download sample
Signature	Kinsing Create hunting rule
File size:	16'880 bytes
First seen:	2026-03-26 22:53:12 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	384:rfcMihlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwCQ:zcg7YJDj8OoJwCQ
TLSH	T1B972218EB011ED74295DC4B59CE2287D602BA00A4D623F10B45C7E786B9DA05F7B9BFC
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	Kinsing sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://78.153.140.16/curl-amd64	6b9e23cb675be370a18a0c4482dc566be28920d4f1cd8ba6b4527f80acf978d3	Kinsing	elf kinsing ua-wget
http://78.153.140.16/curl-aarch64	n/a	n/a	elf kinsing ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

YARA.SIGNATURE_BASE_MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1.UNOFFICIAL

Txt.Malware.Sustes-6779550-1

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

bash coinminer kinsing lolbin miner payload sustes

Link:

https://www.filescan.io/uploads/69c5b8dd2346b9da57a9afb8/reports/64fe0dff-c0ab-4d35-b749-a1766af8c810/overview

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Miner.gen

Link:

https://opentip.kaspersky.com/21c9ee9681865b3f6a20ac8149a5b7d54ab76ad22ab02ba23c4261ee2a303aeb/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/49cdcfe2-6b0a-4799-a83d-d642a61dfb3b

Score:

81%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/21c9ee9681865b3f6a20ac8149a5b7d54ab76ad22ab02ba23c4261ee2a303aeb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21c9ee9681865b3f6a20ac8149a5b7d54ab76ad22ab02ba23c4261ee2a303aeb/

Verdict:

Malicious

Threat:

Family.KINSING

Link:

https://tip.neiki.dev/file/21c9ee9681865b3f6a20ac8149a5b7d54ab76ad22ab02ba23c4261ee2a303aeb

Threat name:

Linux.Exploit.CVE-2020-7961

Status:

Malicious

First seen:

2026-03-26 22:54:26 UTC

File Type:

Text (Shell)

AV detection:

20 of 36 (55.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ehe65fubqznt62ravsautjnx2vflo2wsfkycxir4ijq64krqhlvq._file

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:kinsing family:kinsing_rootkit family:xmrig antivm defense_evasion discovery exection execution linux loader miner persistence privilege_escalation rootkit upx

Link:

https://tria.ge/reports/260326-2t28ysfv7n/

Behaviour

Enumerates kernel/hardware configuration

Process Discovery

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

Reads CPU attributes

UPX packed file

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Attempts to change immutable files

Checks hardware identifiers (DMI)

Creates/modifies Cron job

Enumerates running processes

Modifies systemd

Reads hardware information

Reads list of loaded kernel modules

File and Directory Permissions Modification

Executes dropped EXE

Flushes firewall rules

Loads a kernel module

Modifies the dynamic linker configuration file

XMRig Miner payload

Kinsing

Kinsing Rootkit

Kinsing Rootkit payload

Kinsing family

Kinsing payload

Kinsing_rootkit family

Xmrig family

xmrig

Malware family:

H2Miner

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/21c9ee968186/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/21c9ee9681865b3f6a20ac8149a5b7d54ab76ad22ab02ba23c4261ee2a303aeb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Trojan_Kinsing_2c1ffe78 Create hunting rule
Author:	Elastic Security

Rule name:	MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects code found in report on exploits against CVE-2020-5902 F5 BIG-IP vulnerability by NCC group
Reference:	https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/