MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f38504f53f6a25c405cfa272572eb0ededbbb4b9399b8aec1706d5e2b990f1c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f38504f53f6a25c405cfa272572eb0ededbbb4b9399b8aec1706d5e2b990f1c9
SHA3-384 hash: 4213c4a2515de92f3a29ee4e1aa13109c467a4a41df1a6675f8d13614ea676646e67e8a6e4dc26b0dddb1e1b63157da0
SHA1 hash: a7682b85430201f66c5805483cdc26698c2d13c9
MD5 hash: 2ece51136675938eb9cafb8cb687c3b2
humanhash: diet-emma-november-earth
File name:xmrig_x86_truncated.elf
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'260'992 bytes
First seen:2026-06-04 21:35:51 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 49152:TMFHJ16P2CZlHTtE3le6Aj6qZmGi7ukUzX093B9VK/OQGthOlgPE1IiM0AZVl:yr6P2CZlp4ledj/mf7ukUzX093B9VK/s
TLSH T120A55C4BE5E350FCC5DAC0354B2BD963BAB178AD42247E7B2194AA302B63F90671DF11
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter nullblue67
Tags:CoinMiner docker-api elf miner Monero XMRIG

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
golang miner
Link:
https://www.filescan.io/uploads/6a21efdc12da0d249c655e5e/reports/3b2d7cae-57ef-4414-90a0-e8042f5629da/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
0
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/f38504f53f6a25c405cfa272572eb0ededbbb4b9399b8aec1706d5e2b990f1c9
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Unknown
File Type:
elf.64.le
First seen:
2026-06-03T12:02:00Z UTC
Last seen:
2026-06-03T14:09:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/f38504f53f6a25c405cfa272572eb0ededbbb4b9399b8aec1706d5e2b990f1c9/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/45bef946-9551-40dd-9633-2d4bf6da0825
Behavior Graph:
Download SVG
%3
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/504d7913-b3fd-41c5-b905-3c9fc24cddab
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/f38504f53f6a25c405cfa272572eb0ededbbb4b9399b8aec1706d5e2b990f1c9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f38504f53f6a25c405cfa272572eb0ededbbb4b9399b8aec1706d5e2b990f1c9/
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2026-06-04 21:36:35 UTC
File Type:
ELF64 Little (Exe)
AV detection:
13 of 36 (36.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ocqj5j7nis4ibopujzfolvq5xw3xnfzhgnyv3axa3k6fomq6heq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/260604-1f5aqagv5j/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f38504f53f6a25c405cfa272572eb0ededbbb4b9399b8aec1706d5e2b990f1c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Trojan_Pornoasset_927f314f
Create hunting rule
Author:Elastic Security
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
commented on 2026-06-04 21:37:54 UTC

🍯 Captured by NullBlue67 via Docker API honeypot — 2026-06-04.

⚠️ TRUNCATED SAMPLE — Only first 2.26 MB of ~8.3 MB original ELF captured (auto-fetch stream terminated early). Real binary at source URL will have different SHA256.

Delivery chain:
• Attacker 189.110.239.137 hit Docker API /containers/create with alpine container
• Container first queries api.github.com/repos/MoneroOcean/xmrig/releases/latest (version detection)
• Then fetches binary from http://92.60.77.99:8888/xmrig-x86 (operator-hosted repack)
• Filename + GitHub query suggest XMRig MoneroOcean fork (likely v6.26.0-mo3)

Static analysis:
• ELF 64-bit x86_64, statically linked
• Entry point 0x40e053
• 10 program headers, 3 LOAD segments
• Section headers at offset 0x7e9870 (beyond captured bounds)

Reported infrastructure:
• 92.60.77.99:8888 → ThreatFox + AbuseIPDB
• 189.110.239.137 → ThreatFox + AbuseIPDB (91%)

#xmrig #monero #moneroocean #docker-api #cryptojacking #truncated-sample