MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dad581567f173b41ab1069ab45f21f1385fcebf94a6da7b66532ddfdfd36e34e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 9



SHA256 hash: dad581567f173b41ab1069ab45f21f1385fcebf94a6da7b66532ddfdfd36e34e
SHA3-384 hash: 9fcf75c86a3f8e9aab3bbcd928c8437198488494ce386d8b184e0b80646ea91d414e632869fd312daea24869f4ed5c94
SHA1 hash: c8e728055743343a005c78cee4e3ba71f0d36934
MD5 hash: 7086f1dadf37fe3d629315ea0e314a3f
humanhash: skylark-seven-high-bakerloo
File name: i686
Signature: CoinMiner
File size: 1'675'264 bytes
First seen: 2025-06-24 23:01:00 UTC
Last seen: Never
File type: elf
MIME type: application/x-sharedlib
ssdeep: 49152:VWnh7siVfUaLUnpkO+RAm/nNwnrRKOQ71eAu43:onhYQcaLUnpZ+WNoeAu43
TLSH: T1ED7533BF3DC9527A87F1E34864B6AB0E3212D7F8453425B8BEC0487523DEB7854A2931
Magika: elf
Reporter: abuse_ch
Tags: CoinMiner elf

Intelligence


File Origin
# of uploads: 1
# of downloads: 125
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file
Sends data to a server
Creating a process from a recently created file
Changes the time when the file was created, accessed, or modified
Collects information on the CPU
Connection attempt
Collects information on the RAM
Changes access rights for a written file
Kills processes
Launching a process
Deleting a recently created file
Runs as daemon
Receives data from a server
Creates or modifies files in /cron to set up autorun
Substitutes an application name
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: UPX
Botnet: unknown
Number of open files: 65
Number of processes launched: 13
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour
Process Renaming
Information Gathering
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings related to Crypto-Mining
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample is packed with UPX
Sample tries to persist itself using cron
Suricata IDS alerts for network traffic
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 1722309, sample i686.elf, start date 25/06/2025, architecture LINUX, score 100. (Graph image not reproduced.) The graph shows i686.elf repeatedly spawning copies of itself and sh children that run crontab and iptables, dropping temporary crontab files under /var/spool/cron/crontabs/, and contacting 67.107.106.161 (United States), 46.222.131.44 (Spain) and 98 other IPs or domains.
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2025-06-24 23:03:34 UTC
File Type: ELF32 Little (SO)
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: discovery execution linux persistence privilege_escalation rootkit upx
Behaviour
Creates/modifies Cron job
Loads a kernel module
Contacts a large (59965) amount of remote hosts
Creates a large amount of network flows
Verdict: Informative
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_ELF_LNX_UPX_Compressed_File
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious ELF binary with UPX compression
Reference: Internal Research

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: upx_packed_elf_v1
Author: RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: elf
SHA256: dad581567f173b41ab1069ab45f21f1385fcebf94a6da7b66532ddfdfd36e34e (this sample)

Delivery method: Distributed via web download

Comments