MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71223c24385de60d8215fdfa51c48f62ea8018f24892cedbe012a0149d388db6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 9



SHA256 hash: 71223c24385de60d8215fdfa51c48f62ea8018f24892cedbe012a0149d388db6
SHA3-384 hash: e253626184af1572de1703bc7ebdc4469bd0eee68c090d89605c517700ffab9a3ab77d7bc152a4e0b6c6f5f4d2cfaeaa
SHA1 hash: 59f1008e121c4b61d37dc9a2c6ea5f58418f02e2
MD5 hash: 82000f585ef7aa261b6dde9001dd7fc1
humanhash: sierra-uranus-freddie-table
File name: x
Signature: CoinMiner
File size: 3'039'976 bytes
First seen: 2026-01-02 22:50:13 UTC
Last seen: Never
File type: elf
MIME type: application/x-sharedlib
ssdeep: 49152:WHDn0iweGDmCrFlnaAQZGwmHzqq+7ila13Xg1HMLg6IqomfJC1XxHAc+1bq7Hreh:WH70zeGDZr9QZGwm9++l4kur1pqHGssL
TLSH: T1CDE55B5BB5A354BDC1AAC834475FC9B3B920785942253A7B32C5AB302B33E604F5DFA1
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: CoinMiner elf

Intelligence


File Origin
# of uploads: 1
# of downloads: 40
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: coinminer gcc miner monero pup xmrig

Verdict: Adware
File Type: elf.64.le
First seen: 2025-12-25T00:08:00Z UTC
Last seen: 2026-01-04T02:37:00Z UTC
Hits: ~100
Status: terminated
Behavior Graph (process tree recovered from the graph dump; node attributes in brackets):
  /usr/bin/sudo (pid 2281)
    -> execve: /tmp/sample.bin (pid 2292) [mprotect-exec]
      -> clone: /tmp/sample.bin (pid 2294) [net, send-data, write-config, zombie]
        -> send: 477B to 104.243.33.118:80
        -> execve: /usr/bin/dash (pid 2295) -> execve: /usr/bin/systemctl (pid 2296)
        -> execve: /usr/bin/dash (pid 2432) -> execve: /usr/bin/systemctl (pid 2434)
        -> clone: /tmp/sample.bin (pid 2551) [write-file, zombie]
        -> clone: 52 further short-lived /tmp/sample.bin processes (pids 2560 to 2816) [zombie]
Result
Threat name:
Detection: malicious
Classification: troj.mine
Score: 84 / 100
Signature:
  Detected Stratum mining protocol
  Found strings related to Crypto-Mining
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Sample tries to persist itself using cron
  Tries to load the MSR kernel module used for reading/writing to CPUs model specific register
  Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)
  Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 1843884; sample x.elf; start date 03/01/2026; architecture LINUX; score 84), recovered from the graph dump:
  Network: 104.243.33.118 (ports 52010, 80; RELIABLESITEUS, United States); daisy.ubuntu.com
  Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner; Detected Stratum mining protocol
  Process tree:
    x.elf [Found strings related to Crypto-Mining]
      -> x.elf [dropped /etc/cron.d/nextjs-server (ASCII); Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher); Sample tries to persist itself using cron]
        -> sh -> modprobe [Tries to load the MSR kernel module used for reading/writing to CPUs model specific register]
        -> sh -> systemctl
        -> sh -> systemctl
  Other processes started: systemd snapd-env-generator (2); python3.8 dpkg
Threat name: Linux.Coinminer.XMRig
Status: Malicious
First seen: 2025-12-25 10:32:43 UTC
File Type: ELF64 Little (SO)
AV detection: 17 of 36 (47.22%)
Threat level: 4/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig discovery execution linux miner persistence privilege_escalation
Behaviour:
  Enumerates kernel/hardware configuration
  Reads runtime system information
  Writes file to tmp directory
  Changes its process name
  Creates/modifies Cron job
  Modifies systemd

Verdict: Unknown
Tags: cryptojacking coinminer xmrig
YARA: CoinMiner_Strings PUA_Crypto_Mining_CommandLine_Indicators_Oct21 XMRIG_Monero_Miner
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CoinMiner_Strings
Author: Florian Roth (Nextron Systems)
Description: Detects mining pool protocol string in Executable
Reference: https://minergate.com/faq/what-pool-address

Rule name: enterpriseapps2
Author: Tim Brown @timb_machine
Description: Enterprise apps

Rule name: Linux_Trojan_Pornoasset_927f314f
Author: Elastic Security

Rule name: PUA_Crypto_Mining_CommandLine_Indicators_Oct21
Author: Florian Roth (Nextron Systems)
Description: Detects command line parameters often used by crypto mining software
Reference: https://www.poolwatch.io/coin/monero

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

Rule name: XMRIG_Monero_Miner
Author: Florian Roth (Nextron Systems)
Description: Detects Monero mining software
Reference: https://github.com/xmrig/xmrig/releases

Rule name: xmrig_v1
Author: RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: elf
SHA256: 71223c24385de60d8215fdfa51c48f62ea8018f24892cedbe012a0149d388db6 (this sample)

Delivery method: Distributed via web download

Comments