MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42b9ec9a225710020107a6b5ab17af7ca832f46631835ca937e84f2529f0a3f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CoinMiner
Vendor detections: 8



SHA256 hash: 42b9ec9a225710020107a6b5ab17af7ca832f46631835ca937e84f2529f0a3f5
SHA3-384 hash: 902e3b4c1dd8d3254812ab2a87881ea174becff3997f3b6e3f2d05e62a5ac10e5cfeea64edbb9333656f52b7573f7623
SHA1 hash: a86001382b7908efcabb7799b2672c50f4a9a82b
MD5 hash: 7aacff4679245e08b8e3faad59737b28
humanhash: vegan-lion-freddie-edward
File name: wow.sh
Signature: CoinMiner
File size: 1'812 bytes
First seen: 2026-01-12 23:57:25 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:J+xol4m3KTg85WZKTIRKTI2oKT5jKTe3MhiW7zKTImLKTLKTIL:J+WDZ85WZ/dEjx3M5uSN
TLSH: T12E31EEA2BB21AD7B30CDA8B4F11D92501EA3B6A735A2671468C53C71E74F904D339E70
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: CoinMiner sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://91.92.241.10/xmrig | n/a | n/a | CoinMiner elf geofenced mirai ua-wget USA x86
http://91.92.241.10/xmrig_config.json | n/a | n/a | CoinMiner config geofenced json ua-wget USA

Intelligence

File Origin
# of uploads: 1
# of downloads: 73
Origin country: DE

Vendor Threat Intelligence
No detections
Verdict: Adware
File Type: unix shell
First seen: 2026-01-12T21:17:00Z UTC
Last seen: 2026-01-12T21:35:00Z UTC
Hits: ~10
Detections: not-a-virus:HEUR:Downloader.Shell.Miner.a
Status: terminated
Behavior Graph (process tree recovered from the graph dump; node ids omitted):
  /usr/bin/sudo (pid 5220)
    -> /tmp/sample.bin (pid 5221) [execve]
       -> /usr/bin/pgrep (pid 5222) [execve]
       -> /usr/bin/rm (pid 5224) [execve]
       -> /usr/bin/wget (pid 5225) [execve; net, send-data, write-file] -> 91.92.241.10:80 (send: 264B)
       -> /usr/bin/wget (pid 5246) [execve; net, send-data, write-file] -> 91.92.241.10:80 (send: 144B)
       -> /usr/bin/chmod (pid 5248) [execve]
       -> /usr/sbin/sysctl (pid 5250) [execve; write-file]
Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2026-01-12 23:58:26 UTC
File Type: Text (Shell)
AV detection: 5 of 24 (20.83%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig antivm defense_evasion discovery execution linux miner persistence privilege_escalation
Behaviour:
  Enumerates kernel/hardware configuration
  Reads runtime system information
  Writes file to tmp directory
  Changes its process name
  Checks CPU configuration
  Reads CPU attributes
  Checks hardware identifiers (DMI)
  Creates/modifies Cron job
  Enumerates running processes
  Modifies init.d
  Modifies rc script
  Modifies systemd
  Reads hardware information
  File and Directory Permissions Modification
  Executes dropped EXE
  XMRig Miner payload
  Xmrig family
  xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download | CoinMiner | sh 42b9ec9a225710020107a6b5ab17af7ca832f46631835ca937e84f2529f0a3f5 (this sample)

Delivery method: Distributed via web download
