MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1234978ed17b64813372138d8ae5fb0c02515a342b7cc4a91d8e4072f3b4033f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1234978ed17b64813372138d8ae5fb0c02515a342b7cc4a91d8e4072f3b4033f
SHA3-384 hash: 2595d8fe7bfefc658102eb62ce86105bfe3bb4846b3b338b4fd5a3982fe9fbb56ea9b1f3855c1e73ac5ea9ed18334a1c
SHA1 hash: 2bc18c99de845e785b2421408e3ce3c66fd6f30f
MD5 hash: a6ad2bd2e8ce4589c7855356f22f7a6f
humanhash: kentucky-five-april-ten
File name:ethd0
Download: download sample
File size:2'444'332 bytes
First seen:2026-02-18 18:59:25 UTC
Last seen:2026-02-18 22:23:22 UTC
File type: elf
MIME type:application/x-executable
ssdeep 49152:BYu4FteYqzDCmq+L7t+TDG67RsT3sqIiS9y2/GUvNSrm:LmUYqzVqIOGWijIiMz//vNSi
TLSH T1D8B53397455CF921B62C0C38C3C992CA7E196CD3D14B1861B920219F5EF2BDB3B791AE
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf UPX
File size (compressed) :2'444'332 bytes
File size (de-compressed) :8'423'400 bytes
Format:linux/amd64
Unpacked file: a016ae8260ad5ba3a1beab945c741b04c999ca3e57a611e2bf82af64197e9a00

Intelligence

File Origin
# of uploads :
2
# of downloads :
59
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
anti-vm crypto packed upx
Link:
https://www.filescan.io/uploads/69960c68cd25bfe1dfd4f0e7/reports/b2bfe41a-df26-4a18-9130-7874a01ae184/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
UPX
Botnet:
unknown
Number of open files:
63
Number of processes launched:
13
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/1234978ed17b64813372138d8ae5fb0c02515a342b7cc4a91d8e4072f3b4033f
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Gathering data
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/5b0c870b-65d2-4b74-a4ac-bc6af3b0fd6f
Behavior Graph:
Download SVG
%3 guuid=53640bd8-1b00-0000-85bc-6e0bf70b0000 pid=3063 /usr/bin/sudo guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3070 /tmp/sample.bin mprotect-exec guuid=53640bd8-1b00-0000-85bc-6e0bf70b0000 pid=3063->guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3070 execve guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3164 /tmp/sample.bin guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3070->guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3164 clone guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3165 /tmp/sample.bin guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3070->guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3165 clone guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3166 /tmp/sample.bin guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3070->guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3166 clone guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3167 /tmp/sample.bin guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3070->guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3167 clone guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3168 /tmp/sample.bin guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3070->guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3168 clone guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3169 /tmp/sample.bin guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3070->guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3169 clone guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3188 /tmp/sample.bin mprotect-exec zombie guuid=e849b9d9-1b00-0000-85bc-6e0bfe0b0000 pid=3070->guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3188 execve guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3227 /tmp/sample.bin zombie guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3188->guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3227 clone guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3228 /tmp/sample.bin guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3188->guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3228 clone guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3229 /tmp/sample.bin guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3188->guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3229 clone guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3230 /tmp/sample.bin write-file zombie guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3188->guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3230 clone guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3231 /tmp/sample.bin guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3188->guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3231 clone guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3232 /tmp/sample.bin guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3188->guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3232 clone guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3235 /tmp/sample.bin guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3188->guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3235 clone guuid=1dade933-1c00-0000-85bc-6e0ba10c0000 pid=3233 /tmp/sample.bin guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3230->guuid=1dade933-1c00-0000-85bc-6e0ba10c0000 pid=3233 clone guuid=fe53f933-1c00-0000-85bc-6e0ba20c0000 pid=3234 /usr/bin/pgrep guuid=1040950b-1c00-0000-85bc-6e0b740c0000 pid=3230->guuid=fe53f933-1c00-0000-85bc-6e0ba20c0000 pid=3234 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a34e3cec-2e22-4c19-996f-76ce71b06d0c
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1871441
Signature
Executes the "crontab" command typically for achieving persistence
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1871441 Sample: ethd0.elf Startdate: 18/02/2026 Architecture: LINUX Score: 48 33 5.59.248.236, 38590, 443 METRO-SET-ASMetrosetAutonomousSystemRU Czech Republic 2->33 35 speed.cloudflare.com 162.159.140.220, 43400, 80 CLOUDFLARENETUS United States 2->35 9 ethd0.elf 2->9         started        process3 process4 11 ethd0.elf ethd0.elf 9->11         started        process5 13 ethd0.elf bash 11->13         started        15 ethd0.elf crontab 11->15         started        18 ethd0.elf pgrep 11->18         started        20 7 other processes 11->20 signatures6 22 bash crontab 13->22         started        26 bash 13->26         started        43 Executes the "crontab" command typically for achieving persistence 15->43 process7 file8 31 /var/spool/cron/crontabs/tmp.LzCaPJ, ASCII 22->31 dropped 37 Sample tries to persist itself using cron 22->37 39 Executes the "crontab" command typically for achieving persistence 22->39 28 bash crontab 26->28         started        signatures9 process10 signatures11 41 Executes the "crontab" command typically for achieving persistence 28->41
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/1234978ed17b64813372138d8ae5fb0c02515a342b7cc4a91d8e4072f3b4033f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1234978ed17b64813372138d8ae5fb0c02515a342b7cc4a91d8e4072f3b4033f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ci2jpdwrpnsicm3scogyvzp3bqbfcwrufn6mjki5rzahf45uam7q._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery execution linux persistence privilege_escalation upx
Link:
https://tria.ge/reports/260218-xn3kbafs7a/
Behaviour
GoLang User-Agent
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Reads CPU attributes
Creates/modifies Cron job
Enumerates running processes
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.29
Link:
https://yomi.yoroi.company/submissions/1234978ed17b64813372138d8ae5fb0c02515a342b7cc4a91d8e4072f3b4033f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 1234978ed17b64813372138d8ae5fb0c02515a342b7cc4a91d8e4072f3b4033f

(this sample)

elf a016ae8260ad5ba3a1beab945c741b04c999ca3e57a611e2bf82af64197e9a00

  
URLhaus
https://urlhaus.abuse.ch/url/3780655/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3780666/
  
Dropping
SHA256 a016ae8260ad5ba3a1beab945c741b04c999ca3e57a611e2bf82af64197e9a00
  
Dropping
MD5 2e89a36763a385412ba4e0d5c40f2333

Comments