MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49061a4ad78f4891c747acff4fbb75b816635069625ea654f22f41810e2be45a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49061a4ad78f4891c747acff4fbb75b816635069625ea654f22f41810e2be45a
SHA3-384 hash: 6fd455de9e620496595264d824d21b480baf51c29293671153c06da172252f18e5c00695245fac7251417debde398c95
SHA1 hash: cb770faff1d3b85118fd74b1a7c5f9edf849b08b
MD5 hash: 6dedc8ebc7b8919a68a4163c0c849455
humanhash: north-vegan-mango-massachusetts
File name:kworkerd-netns-rt
Download: download sample
File size:386'320 bytes
First seen:2026-06-27 17:27:54 UTC
Last seen:2026-06-27 21:27:29 UTC
File type: elf
MIME type:application/x-executable
ssdeep 6144:bDkGfYHYGsVoidzivGYG3xekCMIvx5MwEw150IA+lngH8YFstGQxMfOY/rLEs4Vz:XkGfYHYG6lulkCXvx5yhIAeYqEQxMfO/
TLSH T16084229C96900F7EF30B427959F70E385718A7A664529B82F709EDCCC82720DBC56379
telfhash t13ad01230043403b0d18dcc1d05dcfb0868a071eba5510c1fca84c89096609475d00c2c
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
3
# of downloads :
73
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the %temp% directory
Kills processes
Creating a file
Deleting a recently created file
Changes the time when the file was created, accessed, or modified
Changes access rights for a written file
Sets a written file as executable
Connection attempt
Launching a process
Manages services
Creating a process from a recently created file
Sends data to a server
Runs as daemon
Receives data from a server
Collects information on the CPU
Opens a port
Creates or modifies files in /cron to set up autorun
Substitutes an application name
Kills critical processes
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/f239a47a-6d4c-4a6f-9faf-85c460172b34
Behavior Graph:
Download SVG
%3 guuid=f63073b8-1f00-0000-2f57-86c148140000 pid=5192 /usr/bin/sudo guuid=aa8844bd-1f00-0000-2f57-86c149140000 pid=5193 /tmp/sample.bin guuid=f63073b8-1f00-0000-2f57-86c148140000 pid=5192->guuid=aa8844bd-1f00-0000-2f57-86c149140000 pid=5193 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/27cd0e5e-30f9-4154-851e-f5997bfb9856
Result
Threat name:
Mirai, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1934487
Signature
Antivirus detection for dropped file
Drops invisible ELF files
Executes itself again with its parent PID as an argument (indicative of hampering debugging)
Executes the "crontab" command typically for achieving persistence
Found strings related to Crypto-Mining
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Sample tries to persist itself using cron
Yara detected Mirai
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1934487 Sample: kworkerd-netns-rt.elf Startdate: 27/06/2026 Architecture: LINUX Score: 96 58 nzr.narxzz.biz.id 2->58 60 nzr.narxzz.biz.id 103.253.212.175, 36510, 6868 CRI-AS-APCVRumahwebIndonesiaID Indonesia 2->60 62 loader.sh 172.67.155.14, 38582, 43796, 443 CLOUDFLARENET-CloudflareIncUS Canada 2->62 66 Antivirus detection for dropped file 2->66 68 Yara detected Mirai 2->68 70 Yara detected Xmrig cryptocurrency miner 2->70 11 kworkerd-netns-rt.elf 2->11         started        15 systemd sh 2->15         started        17 systemd snapd-env-generator 2->17         started        19 systemd snapd-env-generator 2->19         started        signatures3 72 Performs DNS TXT record lookups 58->72 process4 file5 54 /tmp/.5432, ELF 11->54 dropped 78 Drops invisible ELF files 11->78 80 Sample deletes itself 11->80 21 kworkerd-netns-rt.elf .5432 11->21         started        24 sh wget 15->24         started        26 sh sh 15->26         started        28 sh rm 15->28         started        signatures6 process7 signatures8 76 Found strings related to Crypto-Mining 21->76 30 .5432 21->30         started        process9 process10 32 .5432 30->32         started        signatures11 64 Opens /sys/class/net/* files useful for querying network interface information 32->64 35 .5432 sh 32->35         started        38 .5432 sh 32->38         started        40 .5432 sh 32->40         started        42 .5432 sh 32->42         started        process12 signatures13 74 Executes itself again with its parent PID as an argument (indicative of hampering debugging) 35->74 44 sh crontab 35->44         started        48 sh crontab 38->48         started        50 sh systemctl 40->50         started        52 sh systemctl 42->52         started        process14 file15 56 /var/spool/cron/crontabs/tmp.kDpQzb, ASCII 44->56 dropped 82 Sample tries to persist itself using cron 44->82 84 Executes the "crontab" command typically for achieving persistence 44->84 signatures16
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/49061a4ad78f4891c747acff4fbb75b816635069625ea654f22f41810e2be45a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49061a4ad78f4891c747acff4fbb75b816635069625ea654f22f41810e2be45a/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jedbuswxr5ejdr2hvt7u7o3vxalggudjmjpkmvhsf5aycdrl4rna._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/260627-v2ez3acw5q/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 49061a4ad78f4891c747acff4fbb75b816635069625ea654f22f41810e2be45a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3876995/
  
Delivery method
Distributed via web download

Comments