MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6e09041ef99c529827b12f93d988dc29320fffdb604fbebbfc7403cffae6baf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments

SHA256 hash: e6e09041ef99c529827b12f93d988dc29320fffdb604fbebbfc7403cffae6baf
SHA3-384 hash: 231ea3e854c487b6fc70d9f1801aa2f1280adb5a558b54b008938ea19919b7461c367a3f2feb3cbb9bd050b4c51d055a
SHA1 hash: eb3735257c0e387fdf77627b7dbd9d41c7c2c031
MD5 hash: e9e5d59a5c4581af3bce8f73cac1ce2e
humanhash: fourteen-wisconsin-beer-monkey
File name:kworkerd-cgroup
Download: download sample
Signature CoinMiner
File size:115'308 bytes
First seen:2026-06-20 21:23:40 UTC
Last seen:2026-06-21 13:42:48 UTC
File type: elf
MIME type:application/x-sharedlib
ssdeep 1536:Dh+Fy88PsZr9RO0VrDB6ETv7oXPYy55VuS9driXjMvp2/mBTU6ZdgWDhNI:DhpPsZZRbDBx7+54SajB/9wnD3I
TLSH T1E1B3126DD4C279F6D31E62FE963688BA25CB1181A32A8D10C7C0E29474F252B7F412F6
telfhash t1e4a0029254a8087016540551872a627a51e3cc03d5a70048568382920344e160aa7a92
Magika elf
Reporter abuse_ch
Tags:CoinMiner elf mirai

Intelligence


File Origin
# of uploads :
5
# of downloads :
83
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Runs as daemon
Sends data to a server
Sets a written file as executable
Creating a file in the %temp% directory
Manages services
Receives data from a server
Connection attempt
Launching a process
Creating a file
Collects information on the CPU
Changes the time when the file was created, accessed, or modified
Opens a port
Changes access rights for a written file
DNS request
Substitutes an application name
Creates or modifies files in /cron to set up autorun
Deleting of the original file
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
1
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-06-20T16:31:00Z UTC
Last seen:
2026-06-22T00:36:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=e2ea2645-1900-0000-5b72-78fc2d140000 pid=5165 /usr/bin/sudo guuid=fce0c047-1900-0000-5b72-78fc2e140000 pid=5166 /tmp/sample.bin write-file guuid=e2ea2645-1900-0000-5b72-78fc2d140000 pid=5165->guuid=fce0c047-1900-0000-5b72-78fc2e140000 pid=5166 execve guuid=96b19f4a-1900-0000-5b72-78fc2f140000 pid=5167 /tmp/sample.bin guuid=fce0c047-1900-0000-5b72-78fc2e140000 pid=5166->guuid=96b19f4a-1900-0000-5b72-78fc2f140000 pid=5167 clone guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5168 /tmp/sample.bin delete-file net send-data write-config write-file zombie guuid=96b19f4a-1900-0000-5b72-78fc2f140000 pid=5167->guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5168 clone ffee5cfb-bb94-52c2-8935-ae3a87e774db 127.0.0.1:42780 guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5168->ffee5cfb-bb94-52c2-8935-ae3a87e774db con 0a8043c9-917f-591f-8444-89639bba3210 91.239.211.89:8000 guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5168->0a8043c9-917f-591f-8444-89639bba3210 send: 383B 54d92a3b-1447-55af-b534-047898c60c8d 1.1.1.1:53 guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5168->54d92a3b-1447-55af-b534-047898c60c8d send: 80B guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5169 /tmp/sample.bin guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5168->guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5169 clone guuid=207e594c-1900-0000-5b72-78fc32140000 pid=5170 /usr/bin/dash guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5168->guuid=207e594c-1900-0000-5b72-78fc32140000 pid=5170 execve guuid=22b6bb87-1900-0000-5b72-78fc48140000 pid=5192 /usr/bin/dash guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5168->guuid=22b6bb87-1900-0000-5b72-78fc48140000 pid=5192 execve guuid=985eaecf-1900-0000-5b72-78fc69140000 pid=5225 /usr/bin/dash guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5168->guuid=985eaecf-1900-0000-5b72-78fc69140000 pid=5225 execve guuid=77cef3cf-1900-0000-5b72-78fc6b140000 pid=5227 /usr/bin/dash guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5168->guuid=77cef3cf-1900-0000-5b72-78fc6b140000 pid=5227 execve guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5229 /tmp/sample.bin guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5168->guuid=6f92de4a-1900-0000-5b72-78fc30140000 pid=5229 clone guuid=7c5a9a4c-1900-0000-5b72-78fc33140000 pid=5171 /usr/bin/systemctl guuid=207e594c-1900-0000-5b72-78fc32140000 pid=5170->guuid=7c5a9a4c-1900-0000-5b72-78fc33140000 pid=5171 execve guuid=a4bdee87-1900-0000-5b72-78fc49140000 pid=5193 /usr/bin/systemctl guuid=22b6bb87-1900-0000-5b72-78fc48140000 pid=5192->guuid=a4bdee87-1900-0000-5b72-78fc49140000 pid=5193 execve guuid=ced9d7cf-1900-0000-5b72-78fc6a140000 pid=5226 /usr/bin/dash guuid=985eaecf-1900-0000-5b72-78fc69140000 pid=5225->guuid=ced9d7cf-1900-0000-5b72-78fc6a140000 pid=5226 clone guuid=8fe227d0-1900-0000-5b72-78fc6c140000 pid=5228 /usr/bin/dash guuid=77cef3cf-1900-0000-5b72-78fc6b140000 pid=5227->guuid=8fe227d0-1900-0000-5b72-78fc6c140000 pid=5228 clone
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
76 / 100
Signature
Executes itself again with its parent PID as an argument (indicative of hampering debugging)
Executes the "crontab" command typically for achieving persistence
Found strings related to Crypto-Mining
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Sample tries to persist itself using cron
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1931390 Sample: kworkerd-cgroup.elf Startdate: 20/06/2026 Architecture: LINUX Score: 76 57 api.robotmarkethub.com 2->57 59 91.239.211.89, 34890, 37686, 80 HOSTKEY-ASNL Germany 2->59 63 Yara detected Xmrig cryptocurrency miner 2->63 10 kworkerd-cgroup.elf 2->10         started        13 systemd sh 2->13         started        15 systemd snapd-env-generator 2->15         started        17 systemd snapd-env-generator 2->17         started        signatures3 65 Performs DNS TXT record lookups 57->65 process4 signatures5 67 Found strings related to Crypto-Mining 10->67 19 kworkerd-cgroup.elf 10->19         started        21 sh wget 13->21         started        24 sh sh 13->24         started        26 sh rm 13->26         started        process6 file7 28 kworkerd-cgroup.elf 19->28         started        51 /tmp/..redis-sentinel, Bourne-Again 21->51 dropped process8 file9 55 /var/spool/cron/crontabs/root, ASCII 28->55 dropped 73 Opens /sys/class/net/* files useful for querying network interface information 28->73 75 Sample deletes itself 28->75 77 Sample tries to persist itself using cron 28->77 32 kworkerd-cgroup.elf sh 28->32         started        35 kworkerd-cgroup.elf sh 28->35         started        37 kworkerd-cgroup.elf sh 28->37         started        39 kworkerd-cgroup.elf sh 28->39         started        signatures10 process11 signatures12 61 Executes itself again with its parent PID as an argument (indicative of hampering debugging) 32->61 41 sh crontab 32->41         started        45 sh crontab 35->45         started        47 sh systemctl 37->47         started        49 sh systemctl 39->49         started        process13 file14 53 /var/spool/cron/crontabs/tmp.c4Uyxj, ASCII 41->53 dropped 69 Sample tries to persist itself using cron 41->69 71 Executes the "crontab" command typically for achieving persistence 41->71 signatures15
Threat name:
Linux.Backdoor.Mirai
Status:
Malicious
First seen:
2026-06-20 21:24:55 UTC
File Type:
ELF32 Little (SO)
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Creates/modifies Cron job
Enumerates active TCP sockets
Enumerates running processes
Modifies systemd
Reads MAC address of network interface
Deletes itself
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

elf e6e09041ef99c529827b12f93d988dc29320fffdb604fbebbfc7403cffae6baf

(this sample)

  
Delivery method
Distributed via web download

Comments