MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 e20b8e1d8337cec11d40db7580f42460abbc2b60ce0938bf2c746a32e0747421. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
CoinMiner
Vendor detections: 6
| SHA256 hash: | e20b8e1d8337cec11d40db7580f42460abbc2b60ce0938bf2c746a32e0747421 |
|---|---|
| SHA3-384 hash: | fd2094452211e44921407ff54c6eedfc3401d04c05ce7b198d34d77a25f4a2aab3c58cc7c794300abdb29d6d59fcb4b2 |
| SHA1 hash: | cc88d65077d3d3128d94aaa0dead1d6a759dac5a |
| MD5 hash: | 38260596704d742a36fd21642a89fd2c |
| humanhash: | september-seventeen-burger-september |
| File name: | dota3_82.156.212.174.tar.gz |
| Signature | CoinMiner |
| File size: | 311'296 bytes |
| First seen: | 2026-05-29 09:40:38 UTC |
| Last seen: | Never |
| File type: | gz |
| MIME type: | application/gzip |
| ssdeep | 6144:1kR7o/wGrxvjYAJ0VDfxG4iLFsHJ5AZ7noTOB6TN3GNa84QECWuoH2/dDWKJP:yR7o/CAJwZGBQ5CqOBHaZBw5VDr |
| TLSH | T1DB64231E8DF92FE617F9B124B34E55A2599214E066144BCB36A3CFB3F46D0EB8391870 |
| Magika | gzip |
| Reporter | |
| Tags: | CoinMiner dota3 mdrfckr Outlaw ssh-bruteforce XMRIG |
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 69 |
| Origin country: | ES |
File Archive Information
This file archive contains 1 file(s), sorted by their relevance:
| File name: | e20b8e1d8337cec11d40db7580f42460abbc2b60ce0938bf2c746a32e0747421~ |
|---|---|
| File size: | 413'388 bytes |
| SHA256 hash: | cc735b6eca8b5fc298870dec6187ab560405f21fadbaf2c914050ff211b659e6 |
| MD5 hash: | 6c8e372b26c979e5ee3fd93cb6fda216 |
| MIME type: | application/x-tar |
| Signature | CoinMiner |
Vendor Threat Intelligence
No detections

Verdict: Malicious
Score: 96.5%
Tags: malware

Verdict: Malicious
File Type: gz
First seen: 2026-05-29T06:55:00Z UTC
Last seen: 2026-05-30T23:15:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.Shell.Miner.gen, HEUR:Trojan.Shell.Agent.dh, HEUR:Trojan.Shell.Agent.df, HEUR:Trojan.Shell.Agent.ck, HEUR:Trojan-Dropper.Shell.Agent.c, not-a-virus:HEUR:RiskTool.Shell.MinerDownloader.f
Threat name: Linux.Trojan.Malgent
Status: Malicious
First seen: 2026-05-29 09:41:26 UTC
File Type: Binary (Archive)
Extracted files: 10
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Detection(s): Suspicious file

Result
Malware family: xmrig_linux
Score: 10/10
Tags: family:xmrig_linux antivm defense_evasion discovery linux miner persistence rootkit upx
Behaviour:
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
- Checks CPU configuration
- Reads CPU attributes
- Attempts to change immutable files
- Enumerates running processes
- Write file to user bin folder
- File and Directory Permissions Modification
- Executes dropped EXE
- Loads a kernel module
Family: xmrig

Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Legit
Score: 0.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
Comments
Outlaw "dota3" variant — captured by NullBlue67 via Cowrie SSH honeypot on 2026-05-29 10:35 UTC.
Source IP: 82.156.212.174 (CN · Shenzhen Tencent) — VT 6+3/91
Credentials: admin:admin123
Persistence: mdrfckr SSH key (Outlaw group signature)
Password change attempt: admin → mtYqu9qFTtja
Second dota3 capture in 7 days. First was ef355778546bc6e044330691404b63eddf83d7fc6073047394a25dd0e98c7d7d (2026-05-22 from 102.210.149.105 ZA). Different tarball hash but identical Outlaw kill chain and internal .rsync/ structure.
Tarball structure (gzip + tar, .rsync/):
- a/ → crond (UPX-packed XMRig fork)
- b/ → run (Perl Stealth ShellBot v0.2a)
- c/ → kthreadadd32/64 (multi-arch helpers, mdrfckr key embedded in binary)
Defender markers:
- Filename pattern: dota3.tar.gz dropped to /var/tmp/
- Directory: .rsync/ (Outlaw signature, persists since v1)
- Marker file: /var/tmp/.systemcache436621
- Cron entries: ~/.configrc7/a/upd, b/sync, c/aptitude
- Process names: edac0 (shellbot disguise), kthreadadd, crond, tsm
- SSH key: ends with "mdrfckr"
Network IOCs (from prior dota3 binary analysis):
- XMR pool: 179.43.139.83:80 (active)
- IRC C2: 179.43.139.83:443 channel #001
- Failover siblings: 179.43.139.80/81/82/84 (commented in config)
- XMR wallet: 483fmPjXwX75xmkaJ3dm4vVGWZLHn3GDuKycHypVLr9SgiT6oaZgVh26iZRpwKEkTZCAmUS8tykuwUorM3zGtWxPBFqwuxS
Kill chain captured in Cowrie:
1. SSH brute admin:admin123
2. chattr -ia ~/.ssh + rm -rf .ssh + mkdir .ssh
3. echo "ssh-rsa AAAAB...mdrfckr" > authorized_keys
4. passwd admin → mtYqu9qFTtja
5. recon (cpuinfo, free, uname, lscpu, df, top, w)
6. rm -rf /var/tmp/dota* (upgrade prior install)
7. SFTP upload tarball
8. base64-decoded launcher (.X291-unix marker)
Operator regenerates tarball hash per drop while keeping internal binaries identical. Hash-based blocking unreliable; recommend YARA on .rsync/ structure + mdrfckr key + 179.43.139.0/24 outbound traffic.
Reported to ThreatFox + VirusTotal same day.
Defensive-only research — sample not executed.
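The comment above argues that the operator re-packs the tarball per drop, so the outer hash changes while the .rsync/ layout and the embedded indicators stay the same. The script below is an added example, not MalwareBazaar's, abuse.ch's or the reporter's code: it builds a constructed tar.gz that mirrors the described layout (.rsync/a/crond, .rsync/b/run, .rsync/c/kthreadadd32 and kthreadadd64, with placeholder bytes instead of the real binaries), then triages it in memory on structure and marker strings rather than on its hash. The marker strings are the ones quoted in the comment (the "mdrfckr" key tail and the 179.43.139.0/24 range); everything else, including the function names and the verdict thresholds, is an assumption of this example.

```python
"""Hash-independent triage of an Outlaw "dota3"-style tarball.

Added example for this page; it is not MalwareBazaar's, abuse.ch's or the
reporter's code. The tarball is CONSTRUCTED to mirror the layout described in
the comment above (.rsync/a/crond, .rsync/b/run, .rsync/c/kthreadadd32|64);
member bodies are placeholder bytes, not the real binaries. The indicator
strings are the ones quoted in the comment (the "mdrfckr" key tail and the
179.43.139.0/24 pool/C2 range).
"""
import gzip
import hashlib
import io
import tarfile

MARKER_STRINGS = [b"mdrfckr", b"179.43.139."]
EXPECTED_SUBDIRS = {"a", "b", "c"}        # .rsync/{a,b,c}/ per the comment


def build_sample_tarball(mtime: int) -> bytes:
    """Constructed drop: same members every time, but `mtime` is written into
    the tar headers and the gzip header, so each build has a new outer hash."""
    members = {
        ".rsync/a/crond": b"UPX!" + b"\x00" * 64,                        # packed-miner stand-in
        ".rsync/b/run": b"#!/usr/bin/perl\n# bot stand-in: 179.43.139.83:443\n",
        ".rsync/c/kthreadadd32": b"\x7fELF" + b"\x00" * 32 + b"ssh-rsa AAAA...mdrfckr\n",
        ".rsync/c/kthreadadd64": b"\x7fELF" + b"\x00" * 32 + b"ssh-rsa AAAA...mdrfckr\n",
    }
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, body in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(body))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


def triage_tarball(blob: bytes) -> dict:
    """Read a .tar.gz from memory without extracting to disk and report the
    .rsync/ layout, per-member content hashes and marker-string hits."""
    member_sha256, marker_hits, subdirs = {}, {}, set()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            name = m.name[2:] if m.name.startswith("./") else m.name   # tolerate ./ prefix
            parts = name.split("/")
            if parts[0] == ".rsync" and len(parts) > 2:
                subdirs.add(parts[1])
            if not m.isfile():
                continue
            data = tar.extractfile(m).read()
            member_sha256[name] = hashlib.sha256(data).hexdigest()
            hits = [s.decode() for s in MARKER_STRINGS if s in data]
            if hits:
                marker_hits[name] = hits
    layout_ok = EXPECTED_SUBDIRS.issubset(subdirs)
    return {
        "outer_sha256": hashlib.sha256(blob).hexdigest(),
        "rsync_layout": layout_ok,
        "member_sha256": member_sha256,
        "marker_hits": marker_hits,
        "verdict": "outlaw-like" if layout_ok and marker_hits else "no structural match",
    }


def compare_drops() -> dict:
    """Two drops of the same payload packed at different times: the outer
    hash differs (a hash blocklist misses the second one) while the member
    hashes, the layout and the marker hits are identical."""
    first = triage_tarball(build_sample_tarball(mtime=1_700_000_000))
    second = triage_tarball(build_sample_tarball(mtime=1_700_604_800))
    return {
        "outer_hash_differs": first["outer_sha256"] != second["outer_sha256"],
        "members_identical": first["member_sha256"] == second["member_sha256"],
        "both_flagged": first["verdict"] == second["verdict"] == "outlaw-like",
        "markers": first["marker_hits"],
    }


if __name__ == "__main__":
    for k, v in compare_drops().items():
        print(f"{k}: {v}")
```

The same logic runs against a real capture by passing the downloaded bytes to triage_tarball; members are read through extractfile and never written to disk, so nothing is executed. Treat the verdict as a triage signal, not proof: the layout test is one directory naming convention and the marker list is two strings, both of which an operator can change.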
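The eight-step kill chain the reporter captured in Cowrie can also be turned into a session-level detection on the honeypot's own JSON log. The script below is an added example, not Cowrie's, MalwareBazaar's or the reporter's code: it parses Cowrie-style JSON lines, tags each session with the kill-chain stages it exhibits and flags the session when the "mdrfckr" authorized_keys write is seen or when four or more stages coincide. The log events are constructed to replay the listed steps (field names follow Cowrie's JSON log format: eventid, session, src_ip, input, username, password, filename); the command strings are condensed paraphrases of those steps, the key body "AAAAB3...mdrfckr" is a placeholder, the benign session and its address are invented, and the stage regexes and thresholds are this example's assumptions.

```python
"""Score Cowrie SSH-honeypot sessions against the Outlaw "dota3" kill chain.

Added example for this page; it is not Cowrie's, MalwareBazaar's or the
reporter's code. The log events are CONSTRUCTED to mirror the captured steps
listed in the comment above: field names follow Cowrie's JSON log (eventid,
session, src_ip, input, username, password, filename), the command strings
are condensed paraphrases of those steps, and "AAAAB3...mdrfckr" is a
placeholder key body. Stage patterns and thresholds are assumptions.
"""
import json
import re
from collections import defaultdict

# One regex per kill-chain stage; a stage counts once per session however
# often it fires.
STAGES = [
    ("ssh_dir_reset", re.compile(r"chattr\s+-ia\s+\S*\.ssh|rm\s+-rf\s+\S*\.ssh")),
    ("mdrfckr_key",   re.compile(r"mdrfckr.*authorized_keys|authorized_keys.*mdrfckr")),
    ("passwd_change", re.compile(r"(^|[;&|]\s*)passwd\b")),
    ("recon",         re.compile(r"\b(cpuinfo|lscpu|uname|free|df|top|w)\b")),
    ("dota_cleanup",  re.compile(r"rm\s+-rf\s+/var/tmp/dota")),
    ("launcher",      re.compile(r"base64\s+(-d|--decode)\b|\.X291-unix")),
]
TARBALL_RX = re.compile(r"dota\d*.*\.tar\.gz$")


def sample_lines() -> list:
    """Constructed Cowrie JSON lines: s1 replays the captured chain, s2 is a
    low-effort login (invented address) that only runs uname and ls."""
    src = "82.156.212.174"
    events = [
        {"eventid": "cowrie.login.success", "session": "s1", "src_ip": src,
         "username": "admin", "password": "admin123"},
        {"eventid": "cowrie.command.input", "session": "s1", "src_ip": src,
         "input": "chattr -ia ~/.ssh; rm -rf ~/.ssh; mkdir ~/.ssh"},
        {"eventid": "cowrie.command.input", "session": "s1", "src_ip": src,
         "input": 'echo "ssh-rsa AAAAB3...mdrfckr" > ~/.ssh/authorized_keys'},
        {"eventid": "cowrie.command.input", "session": "s1", "src_ip": src,
         "input": "passwd admin"},
        {"eventid": "cowrie.command.input", "session": "s1", "src_ip": src,
         "input": "cat /proc/cpuinfo | grep name | head -n 1; free -m; uname -a; lscpu; df -h; top -bn1; w"},
        {"eventid": "cowrie.command.input", "session": "s1", "src_ip": src,
         "input": "rm -rf /var/tmp/dota*"},
        {"eventid": "cowrie.session.file_upload", "session": "s1", "src_ip": src,
         "filename": "dota3.tar.gz"},
        {"eventid": "cowrie.command.input", "session": "s1", "src_ip": src,
         "input": "cd /var/tmp; echo <b64> | base64 -d > .X291-unix; sh .X291-unix"},
        {"eventid": "cowrie.login.success", "session": "s2", "src_ip": "198.51.100.7",
         "username": "root", "password": "toor"},
        {"eventid": "cowrie.command.input", "session": "s2", "src_ip": "198.51.100.7",
         "input": "uname -a"},
        {"eventid": "cowrie.command.input", "session": "s2", "src_ip": "198.51.100.7",
         "input": "ls -la"},
    ]
    return [json.dumps(e) for e in events]


def score_sessions(lines) -> dict:
    """Parse JSON lines, collect stages per session and return a verdict: the
    mdrfckr key alone is decisive (the comment calls it the Outlaw signature);
    otherwise four or more stages are required."""
    sessions = defaultdict(lambda: {"src_ip": None, "login": None, "stages": set()})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev.get("eventid")
        if eid == "cowrie.login.success":
            s["login"] = f"{ev.get('username')}:{ev.get('password')}"
        elif eid == "cowrie.command.input":
            cmd = ev.get("input", "")
            s["stages"].update(name for name, rx in STAGES if rx.search(cmd))
        elif eid == "cowrie.session.file_upload":
            if TARBALL_RX.search(ev.get("filename", "")):
                s["stages"].add("tarball_upload")
    report = {}
    for sid, s in sessions.items():
        n = len(s["stages"])
        hit = "mdrfckr_key" in s["stages"] or n >= 4
        report[sid] = {
            "src_ip": s["src_ip"], "login": s["login"], "score": n,
            "stages": sorted(s["stages"]),
            "verdict": "outlaw-dota3" if hit else "no kill-chain match",
        }
    return report


if __name__ == "__main__":
    for sid, r in score_sessions(sample_lines()).items():
        print(sid, r["verdict"], r["score"], r["stages"])
```

Against a live honeypot, feed cowrie.json line by line into score_sessions and alert on the verdict; the recon stage on its own is deliberately weak (single-word commands such as w or top fire it), which is why a lone recon hit does not flag a session.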