MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79990925039b1f007166624e5a032b1da8032bf64f6fe9323155ca2aad31f887. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner
Vendor detections: 5

SHA256 hash: 79990925039b1f007166624e5a032b1da8032bf64f6fe9323155ca2aad31f887
SHA3-384 hash: b9a2c55955d4c1410283f709b7767d4e774be9e9e7d78c1f755c5662a05e153849ac47d312a528c68c96e8c9c060285e
SHA1 hash: 3fadc870336c42c3c78a64fad85c37ae8b33388c
MD5 hash: cff521bd68898b829de2fa7b0882a897
humanhash: football-glucose-mississippi-island
File name: run-CN.sh
Signature: CoinMiner
File size: 6'354 bytes
First seen: 2025-08-01 17:31:43 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 192:2I848CzDN1eEXOKD5+rqaBxayH3MeYV9XMNZlu:hvnc95PA9Xyu
TLSH: T197D17405FB81DAF425D8C168044A1D80694B511B3D492C18FCEDB5EABF28B6C62FDBF6
Magika: shell
Reporter: abuse_ch
Tags: CoinMiner sh

IOCs (URLs associated with this sample)
URL: http://162.248.53.119:8000/mon.sh
  Malware sample (SHA256 hash): 1e891ab1521b27923233e694f60fdbf0e1b840e657d8b1ffdefd8b5ef5e38964
  Signature: CoinMiner
  Tags: CoinMiner
URL: http://162.248.53.119:8000/yes.tar.gz
  Malware sample (SHA256 hash): n/a
  Signature: n/a
  Tags: opendir
URL: https://cdn.tempfile.pro/0c748b9e8bc6b5b4/hub01.bin
  Malware sample (SHA256 hash): n/a
  Signature: n/a
  Tags: n/a

Intelligence

File Origin
# of uploads: 1
# of downloads: 33
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph (sandbox process tree; the original is an interactive graph, rendered here as text):
/usr/bin/sudo (pid 3332) -> execve /tmp/sample.bin (pid 3336)
  /tmp/sample.bin (pid 3336) spawns: /usr/bin/systemctl, /usr/bin/id, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/rm (x3), /usr/bin/chmod (x2), /usr/lib/dev/systemdev/systemd-mont, /usr/bin/sleep (x3), /usr/bin/ps (x3), /usr/bin/bash (x2; one bash runs /usr/bin/sed and /usr/bin/cut)
  /usr/bin/bash (pid 3345) -> execve /usr/bin/wget (pid 3346): DNS to 10.0.2.3:53 (72B), then ipv4.icanhazip.com:80 (133B)
  /usr/bin/wget (pid 3374): DNS to 10.0.2.3:53 (68B), then cdn.tempfile.pro:443 (776B)
  /usr/bin/curl (pid 3544, write-file): 162.248.53.119:8000 (87B)
  /tmp/jdk_x64-srvmon (pid 3687, mprotect-exec) clones pids 3763, 3765, 3766, 3767, 3768, 3769, 4001, 4206, 4207
    pid 3765: connects 127.0.0.1:9 and ::1:9
    pids 3766/3767: DNS to 10.0.2.3:53 (45B, 128B); dero-node-maikze.mysrv.cloud:10300 (638B); dero-node-maikze.mysrv.cloud:443 (367B each); dero.rabidmining.com:10100 (930B); 127.0.0.1:44748 and 127.0.0.1:44754 (182B and 7067B each)
    pid 4001: DNS to 10.0.2.3:53 (83B)
    pid 4207: dero.rabidmining.com:10100 (468B); 127.0.0.1:44748 and 127.0.0.1:44754 (7834B each)
    pid 3768 -> execve /tmp/jdk_x64-srvmon (pid 4456, mprotect-exec): connects 127.0.0.1:18081; clones pids 4540-4544, 4668, 4673, 4701; pid 4541 also connects 127.0.0.1:9 and ::1:9; the clones send 226B to 968B to 127.0.0.1:18081
    pid 4206 -> execve /tmp/jdk_x64-srvmon (pid 4561, mprotect-exec): connects 127.0.0.1:18081; clones pids 4622-4626, 4677, 4779, 4781, 4785, 5317; pid 4623 also connects 127.0.0.1:9 and ::1:9; the clones send 51B to 1310B to 127.0.0.1:18081
Verdict: Malicious
Threat: HEUR:Downloader.Shell.Miner
Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2025-08-01 17:32:18 UTC
File Type: Text (Shell)
AV detection: 7 of 23 (30.43%)
Threat level: 5/5
Result
Malware family: xmrig_linux
Score: 10/10
Tags: family:xmrig_linux antivm defense_evasion discovery linux miner upx
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
Reads CPU attributes
UPX packed file
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE
Xmrig_linux family
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: SUSP_LNX_SH_CryptoMiner_Indicators_Dec20_1
Author: Florian Roth (Nextron Systems)
Description: Detects helper script used in a crypto miner campaign
Reference: https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Rule name: SUSP_LNX_SH_CryptoMiner_Indicators_Dec20_1_RID364E
Author: Florian Roth
Description: Detects helper script used in a crypto miner campaign
Reference: https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
