MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b404fdf117cd7f7c3e7d6b84a8cb94d84c2443a5ee3894cfe620a6885ab273a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b404fdf117cd7f7c3e7d6b84a8cb94d84c2443a5ee3894cfe620a6885ab273a
SHA3-384 hash: 7eb92c140755d2aa441d15c4a57a8852445c244e112d022f80ce67781ec5fcf357f180b96d491bc45edb5c6afb2ac1f5
SHA1 hash: 37638b1ee3309c467e27a40209808fecab83b83a
MD5 hash: fcd0805772e1e5882c3b50b6c41b7f74
humanhash: music-leopard-equal-sodium
File name:kswapd0
Download: download sample
File size:6'946'995 bytes
First seen:2026-06-21 06:07:24 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 49152:6zhaV7WV2cNmVAYdmT53RTQrLKnpYbmPOGyDZzbOt1wwkrnOQAHHEt5EW:yTKbn21qnOQAnEjEW
TLSH T12A66F6176B2CE70FC628313459B1DE842B6A1C9645DB9527B385F309E9F20AC4DAECF1
telfhash t1289002120485544c657408746d3cf14266e0ac1290340818fb145d82021c418235c468
gimphash e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Magika elf
Reporter abuse_ch
Tags:elf upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 845ade32207c427b414b345b06d31944cd02457b632c78c43e31a031f30cc20a
File size (compressed) :1'689'072 bytes
File size (de-compressed) :6'946'995 bytes
Format:linux/mips
Packed file: 845ade32207c427b414b345b06d31944cd02457b632c78c43e31a031f30cc20a

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Linux.BackDoor.Vision.6.26715.9047.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Changes the time when the file was created, accessed, or modified
Changes access rights for a written file
Sends data to a server
Creating a process from a recently created file
Receives data from a server
Creating a file in the %temp% subdirectories
Connection attempt
Runs as daemon
Launching a process
Creates or modifies files in /cron to set up autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto golang reconnaissance
Link:
https://www.filescan.io/uploads/6a377fdc90632a45f72f4e66/reports/f09def77-fab4-4a1f-905b-33c19a479bab/overview
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/fc7c1b39-827d-4bc2-a7be-c503b694b0fb
Behavior Graph:
Download SVG
%3 guuid=a579c2f9-1e00-0000-fb10-c1f638140000 pid=5176 /usr/bin/sudo guuid=f0e438fc-1e00-0000-fb10-c1f639140000 pid=5177 /tmp/sample.bin guuid=a579c2f9-1e00-0000-fb10-c1f638140000 pid=5176->guuid=f0e438fc-1e00-0000-fb10-c1f639140000 pid=5177 execve
Gathering data
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1931432
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/0b404fdf117cd7f7c3e7d6b84a8cb94d84c2443a5ee3894cfe620a6885ab273a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b404fdf117cd7f7c3e7d6b84a8cb94d84c2443a5ee3894cfe620a6885ab273a/
Threat name:
Linux.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-21 06:10:33 UTC
File Type:
ELF32 Big (Exe)
AV detection:
6 of 36 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bnae7xyrptl7pq7h224evdfzjwcmerb2l3rysth6mifgrbnle45a._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/260621-gvrtdsbw6p/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Creates/modifies Cron job
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/0b404fdf117cd7f7c3e7d6b84a8cb94d84c2443a5ee3894cfe620a6885ab273a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 845ade32207c427b414b345b06d31944cd02457b632c78c43e31a031f30cc20a

elf 0b404fdf117cd7f7c3e7d6b84a8cb94d84c2443a5ee3894cfe620a6885ab273a

(this sample)

  
Dropped by
SHA256 845ade32207c427b414b345b06d31944cd02457b632c78c43e31a031f30cc20a
  
Dropped by
MD5 3e97ad183c44be321d84407fa4b8f62c
  
URLhaus
https://urlhaus.abuse.ch/url/3868643/
  
Delivery method
Distributed via web download

Comments