MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bfcf6860490b0952ee283f22b0f5cb536a48a6e3d8676b2596e68651929fed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	6bfcf6860490b0952ee283f22b0f5cb536a48a6e3d8676b2596e68651929fed2
SHA3-384 hash:	ef71ceb037cd0041d124aa105a1319dfb2482c89dd7d60078ac6cf5f7e9393fe63e455befbc59566329f553b098d6628
SHA1 hash:	956184d31f475d077c1d3287d4bf14111e064b1c
MD5 hash:	ce57af9dd1804eb766c95e31423e60fa
humanhash:	green-kentucky-arkansas-chicken
File name:	get1.sh
Download:	download sample
File size:	2'310 bytes
First seen:	2026-04-04 16:59:45 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:LnWQ7xBAjHeD2z4wV6vlId/IkKj4Q1d48OcKQZJnVILSwTph:jWQdBA7LsxNCwzjrS8E/
TLSH	T1A44176E57C5058B86ACBC9304AB65432E02311277E02346C70BFE01C7B7AD55B1BDDB6
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Gathering data

Detection(s):

YARA.SIGNATURE_BASE_PUA_Crypto_Mining_Commandline_Indicators_Oct21.UNOFFICIAL

Gathering data

Verdict:

Adware

File Type:

unix shell

First seen:

2026-04-04T14:10:00Z UTC

Last seen:

2026-04-04T14:48:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/6bfcf6860490b0952ee283f22b0f5cb536a48a6e3d8676b2596e68651929fed2/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/07120a2d-ddc0-4e41-ac43-861fcc69d77d

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/6bfcf6860490b0952ee283f22b0f5cb536a48a6e3d8676b2596e68651929fed2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6bfcf6860490b0952ee283f22b0f5cb536a48a6e3d8676b2596e68651929fed2/

Verdict:

Malicious

Threat:

Family.XMRIG

Link:

https://tip.neiki.dev/file/6bfcf6860490b0952ee283f22b0f5cb536a48a6e3d8676b2596e68651929fed2

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=np6pnbqescyjklxcqpzcwd24wu3kjctohwdhnmsznzugkgjj73ja._file

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig antivm credential_access defense_evasion discovery execution linux miner persistence privilege_escalation

Link:

https://tria.ge/reports/260404-vh45vafx5w/

Behaviour

Software Deployment Tools

Enumerates kernel/hardware configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to shm directory

Writes file to tmp directory

Deobfuscate/Decode Files or Information

Changes its process name

Checks CPU configuration

Reads CPU attributes

Checks hardware identifiers (DMI)

Creates/modifies Cron job

Deletes log files

Modifies init.d

Reads hardware information

Write file to user bin folder

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies PAM framework files

OS Credential Dumping

XMRig Miner payload

Xmrig family

xmrig

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.33

Link:

https://yomi.yoroi.company/submissions/6bfcf6860490b0952ee283f22b0f5cb536a48a6e3d8676b2596e68651929fed2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PUA_Crypto_Mining_CommandLine_Indicators_Oct21 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects command line parameters often used by crypto mining software
Reference:	https://www.poolwatch.io/coin/monero

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 6bfcf6860490b0952ee283f22b0f5cb536a48a6e3d8676b2596e68651929fed2

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3811168/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample