MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae54f5cc038825e241d2daaa16080582ff610ab1ee8af4016b13aac3a7a4097d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoinMiner

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	ae54f5cc038825e241d2daaa16080582ff610ab1ee8af4016b13aac3a7a4097d
SHA3-384 hash:	c549eabea5b55c24fb8af1ff029073bfe1d3905020889939caaadb0e79f2a61268133dc6a257c6b56498b6ac24215b47
SHA1 hash:	15b46556dc59fa61c9d5f89fcd43fb25ec39102d
MD5 hash:	429bd0de6b2a5b3b57c62bc1f4dcd8ab
humanhash:	mobile-lion-purple-iowa
File name:	4thepool_miner.sh
Download:	download sample
Signature	CoinMiner Create hunting rule
File size:	22'656 bytes
First seen:	2025-12-21 18:13:15 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	384:hOUS1SKKJW78mIxR0Q/+c7+F68gHdVf+0+0tSJyqeW1VTed0:wUS1SxJW78RJN7+F6thqyqeW1Jee
TLSH	T12EA2B722524536B5220E45B8D897A0402A76106B411C393C76DEBB48BF9CFAD73FF7B6
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	CoinMiner sh

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

coinminer

Link:

https://www.filescan.io/uploads/694838f6a7163552ba036d08/reports/7de4cbc5-5e2f-4f36-81f2-22aec548d122/overview

Verdict:

Adware

File Type:

unix shell

First seen:

2025-12-15T13:12:00Z UTC

Last seen:

2025-12-21T15:02:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/ae54f5cc038825e241d2daaa16080582ff610ab1ee8af4016b13aac3a7a4097d/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/0b964d32-a233-4a4c-b216-5a8bb6b641e7

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/ae54f5cc038825e241d2daaa16080582ff610ab1ee8af4016b13aac3a7a4097d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae54f5cc038825e241d2daaa16080582ff610ab1ee8af4016b13aac3a7a4097d/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vzkpltadras6eqos3kvbmcafql7wccvr52fpiallcovmhj5ebf6q._file

Result

Malware family:

xmrig_linux

Score:

10/10

Tags:

family:xmrig_linux antivm defense_evasion discovery linux miner persistence privilege_escalation upx

Link:

https://tria.ge/reports/251221-wtzj6sgz8a/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

Reads CPU attributes

UPX packed file

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Enumerates running processes

Modifies systemd

File and Directory Permissions Modification

Executes dropped EXE

Xmrig_linux family

xmrig

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

sh ae54f5cc038825e241d2daaa16080582ff610ab1ee8af4016b13aac3a7a4097d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3739558/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample