MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 228d2aa4f5ba5bd3f7a56bbaf6b02520a00e57cca5458f99bc57b034b32819f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 8



SHA256 hash: 228d2aa4f5ba5bd3f7a56bbaf6b02520a00e57cca5458f99bc57b034b32819f5
SHA3-384 hash: 32fc6c094e441f5fed8fc2ccecb821af1667f9af46ee3f7410586796e0018d447f6589e69340496b41cd7c9756a4d8b1
SHA1 hash: 7c6976834377ecd946392f5adfa3db53d60fb0a8
MD5 hash: 5e315e153f778c75229d0c9149adf2ca
humanhash: undress-saturn-seventeen-blue
File name: x6.pdf
Signature: CoinMiner
File size: 54'464 bytes
First seen: 2026-02-18 07:56:15 UTC
Last seen: 2026-02-18 08:31:17 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 768:MIHlRwJ4vtvaSyedC8pkxpYgrSghD73OoUEr+4n:M2laJ4vh1LQ8expxB7OOr+i
TLSH: T16C331B36A59360FCC19BC474876BB5276D32BB9502343F7B1798ED311E60E2D26AD710
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: CoinMiner elf

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 33
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm coinminer masquerade miner

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 12
Number of processes launched: 6
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
Persistence
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified

Result
Gathering data
Status: terminated
Behavior Graph (rendered process graph omitted; the edges it recorded, in the sandbox's own notation):
/usr/bin/sudo (pid 3389) -> execve -> /tmp/sample.bin (pid 3398, write-file)
/tmp/sample.bin (pid 3398) -> execve -> /usr/bin/dash (pids 3399, 3406, 3410, 3412, 3414); these shells run /usr/bin/grep (pid 3404), /usr/bin/mkdir (pid 3408) and /usr/bin/systemctl (pid 3416, write-file)
/tmp/sample.bin (pid 3398) -> clone -> /tmp/sample.bin (pid 3420, write-file, zombie) -> execve -> /tmp/sample.bin (pid 3421, write-file)
/tmp/sample.bin (pid 3421) -> execve -> three repeated rounds of /usr/bin/dash shells (pids 3422 to 3449, 5292 to 5306, 5318 to 5332), each round running /usr/bin/grep, /usr/bin/mkdir, /usr/bin/systemctl (write-file) and /usr/bin/curl (net)
/usr/bin/curl (pids 3450, 5307, 5333) -> con -> 77.90.185.76:80
Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 80 / 100
Signature
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Searches for VM related strings in files or piped streams (probably for evasion)
Yara detected Generic Downloader
Yara detected Miner
Behaviour
Behavior Graph (rendered graph omitted; labels recoverable from it):
Behavior Graph ID: 1870942; Sample: x6.pdf.elf; Startdate: 18/02/2026; Architecture: LINUX; Score: 80
Network: 109.202.202.202:80 (INIT7CH, Switzerland); 91.189.91.42:443 (CANONICAL-ASGB, United Kingdom); 2 other IPs or domains
Signatures shown on the graph: Multi AV Scanner detection for submitted file; Yara detected Generic Downloader; Yara detected Miner; Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions; Sample tries to persist itself using cron; Executes the "crontab" command typically for achieving persistence; Searches for VM related strings in files or piped streams (probably for evasion)
Processes: x6.pdf.elf starts child copies of itself and sh/dash shells that run crontab, grep, mkdir and systemctl; the graph collapses further children into "99 other processes", "77 other processes" and "26 other processes" nodes; dash rm and python3.8 dpkg also appear at top level
Dropped files: /root/.bashrc (ASCII); /var/spool/cron/crontabs/tmp.NZ7HCm, tmp.HNv1Wl, tmp.zRroYJ, tmp.2k8bhF, tmp.pClgdY, tmp.vW9LCt, tmp.yoQMkF, tmp.w9AGow, tmp.uygVVa (ASCII); 9 other malicious files
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2026-02-18 08:10:40 UTC
AV detection: 7 of 23 (30.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: antivm discovery execution linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads CPU attributes
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Reads hardware information
Runs EXE from memory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File: elf 228d2aa4f5ba5bd3f7a56bbaf6b02520a00e57cca5458f99bc57b034b32819f5 (this sample)

Delivery method
Distributed via web download
