MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab
SHA3-384 hash: 455cccbf7fbb7175ed8b74eb49180dbe9334f916f19f53eb55f25380f761f40d4cf0848512781af9ad29c49fd60583f4
SHA1 hash: 75612233d32768186d0557dd39abbbd3284a2a29
MD5 hash: 2833c82055bf2d29c65cd9cf6684449a
humanhash: uncle-queen-failed-mississippi
File name:linuxsys
Download: download sample
Signature CoinMiner
Create hunting rule
File size:7'018'688 bytes
First seen:2023-01-26 23:56:46 UTC
Last seen:Never
File type: elf
MIME type:application/x-sharedlib
ssdeep 196608:ob59/FouGsmUvvR2MMMHWtBOiP/5duYQHM:oiTQYQs
TLSH T14F666D07B6A318FCC1AAD870865FD573B931B8984211797B3794AA302F27F605B1DFA1
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter ventress
Tags:CoinMiner elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
Unix.Trojan.Generic-9919438-0
Create hunting rule

PUA.Unix.Coinminer.XMRig-6683890-0
Create hunting rule

Multios.Coinminer.Miner-6781728-2
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer monero packed virus
Link:
https://www.filescan.io/uploads/63d31350528134caf0434a6c/reports/21c71890-27a6-4099-a7e9-67e15902e3ba/overview
Result
Verdict:
MALICIOUS
Malware family:
Log4Shell
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/deafc02a-093a-4c40-acdc-3f13cdb9326b
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.mine
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1159936
Signature
Antivirus / Scanner detection for submitted sample
Found strings related to Crypto-Mining
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample reads /proc/mounts (often used for finding a writable filesystem)
Stdout / stderr contain strings indicative of a mining client
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 792673 Sample: linuxsys.elf Startdate: 27/01/2023 Architecture: LINUX Score: 88 40 109.202.202.202, 80 INIT7CH Switzerland 2->40 42 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->42 44 91.189.91.43, 443 CANONICAL-ASGB United Kingdom 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 4 other signatures 2->52 9 systemd logrotate 2->9         started        11 systemd mandb linuxsys.elf 2->11         started        14 systemd install 2->14         started        16 systemd find 2->16         started        signatures3 process4 signatures5 18 logrotate sh 9->18         started        20 logrotate sh 9->20         started        22 logrotate gzip 9->22         started        24 logrotate gzip 9->24         started        54 Sample reads /proc/mounts (often used for finding a writable filesystem) 11->54 process6 process7 26 sh invoke-rc.d 18->26         started        28 sh rsyslog-rotate 20->28         started        process8 30 invoke-rc.d runlevel 26->30         started        32 invoke-rc.d systemctl 26->32         started        34 invoke-rc.d ls 26->34         started        36 invoke-rc.d systemctl 26->36         started        38 rsyslog-rotate systemctl 28->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab/
Threat name:
Linux.Coinminer.BitCoinMiner
Create hunting rule
Status:
Malicious
First seen:
2022-06-25 08:17:07 UTC
File Type:
ELF64 Little (SO)
AV detection:
24 of 39 (61.54%)
Threat level:
  4/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=heumlb2cjhghdmwyrzoayaeytlbzii4hi65xmoejp7bbauy3jkvq._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig antivm linux miner
Link:
https://tria.ge/reports/230126-3zkrjafh47/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Reads CPU attributes
Attempts to identify hypervisor via CPU configuration
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:Linux_Trojan_Pornoasset_927f314f
Create hunting rule
Author:Elastic Security
Rule name:MacOS_Cryptominer_Generic_333129b7
Create hunting rule
Author:Elastic Security
Rule name:MacOS_Cryptominer_Xmrig_241780a1
Create hunting rule
Author:Elastic Security
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags
Rule name:XMRIG_Monero_Miner
Create hunting rule
Author:Florian Roth
Description:Detects Monero mining software
Reference:https://github.com/xmrig/xmrig/releases

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
Sí, soy yo commented on 2023-01-27 00:08:04 UTC

Miner
IoC:
http://18.130.193.222/wp-content/linuxsys
http://18.130.193.222/wp-content/config.json