MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 e3b35476ea7d4de4b689a952ab25ed5ad1063149a03c0f342cfba9ad26bd614a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
CoinMiner
Vendor detections: 7
| SHA256 hash: | e3b35476ea7d4de4b689a952ab25ed5ad1063149a03c0f342cfba9ad26bd614a |
|---|---|
| SHA3-384 hash: | 9ba7b677ec9822896835959bbcb024fed71c79a944936c237abf3e7a2455e5a7e4ac0c15ed82d7149ff3b20eac36d6f8 |
| SHA1 hash: | 3315d6d57e02c244d568529ae832025d98ac3414 |
| MD5 hash: | 36fa15d891dfbf58013db21dfa473ac2 |
| humanhash: | four-yellow-arizona-india |
| File name: | run.sh |
| Signature | CoinMiner |
| File size: | 7'722 bytes |
| First seen: | 2025-08-27 13:53:04 UTC |
| Last seen: | Never |
| File type: | sh |
| MIME type: | text/x-shellscript |
| ssdeep | 192:F8XyzHWZzzDN19xDkIam3qarbayHDPMTMvlgYm:MzvLzaUNjm+gR |
| TLSH | T1B0F1C706F6D0DAB42988C568844A1840794F922B5D092C48F8FDB56DFF2476C71FDBEB |
| Magika | shell |
| Tags: | CoinMiner sh |
Shell script dropper
This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs is shown below.
| URL | Malware sample (SHA256 hash) | Signature | Tags |
|---|---|---|---|
| http://162.248.53.119:8000/yes.tar.gz | n/a | n/a | opendir |
| http://162.248.53.119:8000/mon.sh | 1e891ab1521b27923233e694f60fdbf0e1b840e657d8b1ffdefd8b5ef5e38964 | CoinMiner | CoinMiner |
| https://github.com/el3ctr0wqw1/xmrig-vrl2/releases/download/main/xmrig-vrl | n/a | n/a | n/a |
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 38 |
| Origin country: | DE |
Vendor Threat Intelligence
Detection(s):
Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Score: 7%
Verdict: Benign
File Type: SCRIPT
Verdict: Malicious
Threat: Family.XMRIG
Threat name: Script-PowerShell.Trojan.Heuristic
Status: Malicious
First seen: 2025-08-27 13:53:45 UTC
File Type: Text (Shell)
AV detection: 9 of 24 (37.50%)
Threat level: 2/5
Detection(s): Suspicious file
Result
Malware family: xmrig_linux
Score: 10/10
Tags: family:xmrig family:xmrig_linux antivm defense_evasion discovery execution linux miner persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads CPU attributes
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads hardware information
File and Directory Permissions Modification
Executes dropped EXE
XMRig Miner payload
Xmrig family
Xmrig_linux family
xmrig
Malware family: XMRig
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Suspicious File
Score: 0.38
File information
The table below shows additional information about this malware sample such as delivery method and external references.
| Web download | 4537e474274cf7e7e1920f0ba0ccd7fc219b2698a5af85689649ceb7962953ce |
|---|---|
| Delivery method | Distributed via web download |
| Dropping | MD5 0782916ee8c331309e8fd467529ed93d |
| Dropping | SHA256 4537e474274cf7e7e1920f0ba0ccd7fc219b2698a5af85689649ceb7962953ce |