MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26986a0e1191438a458efbb6907a19b7ca44ee88ddb37c1938b2b7d9b697379d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 7

SHA256 hash: 26986a0e1191438a458efbb6907a19b7ca44ee88ddb37c1938b2b7d9b697379d
SHA3-384 hash: 80bf09cc336a0cf013ccbd8c4b360d7a5c274d4a01fcc6e02fad2c51b3b81313f73dc0540197751878e2a6499ef3d7ce
SHA1 hash: 9001998272676accfeaadb17721a7afdd4aa7db7
MD5 hash: 706f361ca2ba275d8a9f5f863d8d8ca4
humanhash: moon-seven-twenty-kansas
File name: kworkerd-writeback
Signature: CoinMiner
File size: 329'176 bytes
First seen: 2026-06-20 06:03:09 UTC
Last seen: Never
File type: elf
MIME type: application/x-sharedlib
ssdeep: 6144:q0vNlk/00Lckn0UpDXAFB6cB5GaQMGMiXMJYLgCIRR0BrjsVGJOMwkIp:lGAwrdaicZiskAMwkIp
TLSH: T108645B02FF441E43C5411FB15D7B07B6A3AD48916CA8E13D9E0BBF2506B38B9A5DB389
Magika: elf
Reporter: abuse_ch
Tags: CoinMiner elf upx-dec


abuse_ch
UPX decompressed file, sourced from SHA256 50f59b6efe71baad62541f4a344a0d7b8b1d39a0254ff58a1839781679515fd3
File size (compressed): 115'904 bytes
File size (de-compressed): 329'176 bytes
Format: linux/ppc32
Packed file: 50f59b6efe71baad62541f4a344a0d7b8b1d39a0254ff58a1839781679515fd3

Intelligence

File Origin
# of uploads: 1
# of downloads: 59
Origin country: NL

Vendor Threat Intelligence
No detections

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Connection attempt
Opens a port
Changes access rights for a written file
Receives data from a server
Changes the time when the file was created, accessed, or modified
DNS request
Runs as daemon
Sets a written file as executable
Manages services
Collects information on the CPU
Creating a file
Sends data to a server
Launching a process
Creates or modifies files in /cron to set up autorun
Substitutes an application name
Kills critical processes
Deleting of the original file
Creates or modifies files in /init.d to set up autorun
Verdict: Unknown
Threat level: 0/10
Confidence: 100%
Tags: base64 gcc

Verdict: Malicious
File Type: elf.32.be
First seen: 2026-06-20T04:38:00Z UTC
Last seen: 2026-06-20T04:50:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph: /usr/bin/sudo (pid 5183) --execve--> /tmp/sample.bin (pid 5184)
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 92 / 100
Signature
Antivirus / Scanner detection for submitted sample
Drops invisible ELF files
Executes itself again with its parent PID as an argument (indicative of hampering debugging)
Executes the "crontab" command typically for achieving persistence
Found strings related to Crypto-Mining
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Sample tries to persist itself using cron
Searches for CPU information (likely indicative of DDoS capability)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 1931293, sample kworkerd-writeback.elf, start date 20/06/2026, architecture LINUX, score 92. The rendered graph is not reproduced here; the information recoverable from it is:
Network: api.robotmarkethub.com (DNS TXT record lookups); 91.239.211.89 on ports 34904, 34906, 37704 (HOSTKEY-ASNL, Germany)
Process tree: sh -> sh, wget, rm, grep, awk, cut; kworkerd-writeback.elf -> kworkerd-writeback.elf (re-executes itself) -> sh -> systemctl; sh -> .d -> .d -> sh -> crontab
Dropped files: /tmp/..redis-sentinel (POSIX), /tmp/.d (ELF), /var/spool/cron/crontabs/root (ASCII), /var/spool/cron/crontabs/tmp.UD2MnR (ASCII)
Signatures placed on the graph: Antivirus / Scanner detection for submitted sample; Yara detected Xmrig cryptocurrency miner; Found strings related to Crypto-Mining; Drops invisible ELF files; Searches for CPU information (likely indicative of DDoS capability); Opens /sys/class/net/* files useful for querying network interface information; Sample deletes itself; Sample tries to persist itself using cron; Executes itself again with its parent PID as an argument (indicative of hampering debugging); Executes the "crontab" command typically for achieving persistence
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2026-06-20 06:04:31 UTC
File Type: ELF32 Big (SO)
AV detection: 4 of 36 (11.11%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: linux
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: enterpriseapps2
Author: Tim Brown @timb_machine
Description: Enterprise apps

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: elf
SHA256: 26986a0e1191438a458efbb6907a19b7ca44ee88ddb37c1938b2b7d9b697379d (this sample)

Delivery method: Distributed via web download

Comments