MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89b54cb1327c87c2fe8aeb3d3c6e81cd8d2bc7122acbc2cca3dee6aa446788dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 7



SHA256 hash: 89b54cb1327c87c2fe8aeb3d3c6e81cd8d2bc7122acbc2cca3dee6aa446788dd
SHA3-384 hash: c45c1867ca37591b24b481ed10765ab4faa545f3cd255cbc34d1aea3b04328743b022cd3ec85a34a2f19b138167ebbc6
SHA1 hash: d0abf3d92c4ab82c48441fa082fdb23b7ca932cb
MD5 hash: 392014a4c917a18c502287c34ce1166e
humanhash: skylark-romeo-nineteen-five
File name: kworkerd-rcu
Signature: CoinMiner
File size: 351'352 bytes
First seen: 2026-06-20 06:03:00 UTC
Last seen: Never
File type: elf
MIME type: application/x-sharedlib
ssdeep: 6144:UAS2llSfl6lAm6r33vfo9fOFUwabW71uexnaHAVziL7NSMi6KJ:UASvt6C/g9fOK+DaHA5q7NbiTJ
TLSH: T189745B4ADF350FBFC5AECE3016AE022715DE8C5A92F66B3761BCCD08B55A60446E3C58
telfhash: t16c41c988b43649bb7db65514cc151636d646f615f8b28f10ef1cc9814a2882a6949f8f
Magika: elf
Reporter: abuse_ch
Tags: CoinMiner elf upx-dec


abuse_ch
UPX decompressed file, sourced from SHA256 77bf85c043145dd34d7069fff7c3924074303294396ba775c070d1ff2c3a1e80
File size (compressed): 139'960 bytes
File size (decompressed): 351'352 bytes
Format: linux/mipsel
Packed file: 77bf85c043145dd34d7069fff7c3924074303294396ba775c070d1ff2c3a1e80

Intelligence


File Origin
# of uploads: 1
# of downloads: 58
Origin country: NL
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
DNS request
Changes the time when the file was created, accessed, or modified
Creating a file in the %temp% directory
Changes access rights for a written file
Sends data to a server
Collects information on the CPU
Receives data from a server
Sets a written file as executable
Opens a port
Connection attempt
Runs as daemon
Launching a process
Manages services
Creates or modifies files in /cron to set up autorun
Substitutes an application name
Deleting of the original file
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-06-20T04:38:00Z UTC
Last seen:
2026-06-22T00:36:00Z UTC
Hits:
~10
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains symbols with names commonly found in malware
Drops invisible ELF files
Executes itself again with its parent PID as an argument (indicative of hampering debugging)
Executes the "crontab" command typically for achieving persistence
Found strings related to Crypto-Mining
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Sample tries to persist itself using cron
Searches for CPU information (likely indicative of DDoS capability)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
[Behavior graph image residue; recoverable details only] Behavior Graph ID: 1931294; Sample: kworkerd-rcu.elf; Start date: 20/06/2026; Architecture: LINUX; Score: 96. Process chain: kworkerd-rcu.elf via sh (wget, rm, grep, awk, cut, systemctl, crontab). Dropped files: /tmp/..redis-sentinel (POSIX), /tmp/.d (ELF), /var/spool/cron/crontabs/root (ASCII), /var/spool/cron/crontabs/tmp.mhGbop (ASCII). Contacted: api.robotmarkethub.com; 91.239.211.89 (ports 37760, 39242, 39244).
Threat name:
Linux.Trojan.Multiverze
Status:
Malicious
First seen:
2026-06-20 06:05:53 UTC
File Type:
ELF32 Little (SO)
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: elf_arm_mips_ko_so
Rule name: enterpriseapps2
Author: Tim Brown @timb_machine
Description: Enterprise apps
Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

elf 89b54cb1327c87c2fe8aeb3d3c6e81cd8d2bc7122acbc2cca3dee6aa446788dd

(this sample)

Delivery method
Distributed via web download

Comments