MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 263c72fe081c8e25693d9beea424519d895fe3176b18129c4f4bb6c06daf5283. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ConnectBack


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash: 263c72fe081c8e25693d9beea424519d895fe3176b18129c4f4bb6c06daf5283
SHA3-384 hash: 0a43892737fce12de3389a2962ff532848db78704faf0ab4b095da68abc77e8d3aa9356f503a452fec21c0e200faf468
SHA1 hash: f19be8cd4c09b92507bf761ec1000e4b3e7427c7
MD5 hash: f20bce33daac921c7cc64cb81ac01f80
humanhash: cold-july-three-idaho
File name:d
Download: download sample
Signature ConnectBack
File size:250 bytes
First seen:2026-06-22 15:41:24 UTC
Last seen:2026-06-23 14:12:14 UTC
File type: elf
MIME type:application/x-executable
ssdeep 6:BnX//In8/r1uBxHocmTno9Q3RQdygg5XJYD:BvwncrAH3mH532D
TLSH T158D080330B0A41DADAD5123F6678595CD77B8976574966310860DC010C09A045F53C76
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika unknown
Reporter BlinkzSec
Tags:ConnectBack

Intelligence


File Origin
# of uploads :
2
# of downloads :
53
Origin country :
FR FR
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Collects information on the OS
Sends data to a server
Connection attempt
Receives data from a server
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
UPX
Botnet:
unknown
Number of open files:
11
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2026-06-22T13:02:00Z UTC
Last seen:
2026-06-24T10:17:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Linux.Mswr.a Backdoor.Linux.RevShell.c HEUR:Trojan.Linux.Shellcode.gen
Status:
terminated
Behavior Graph:
%3 guuid=97f2f4c0-1e00-0000-d497-bb163d140000 pid=5181 /usr/bin/sudo guuid=23a034c5-1e00-0000-d497-bb163e140000 pid=5182 /tmp/sample.bin net send-data guuid=97f2f4c0-1e00-0000-d497-bb163d140000 pid=5181->guuid=23a034c5-1e00-0000-d497-bb163e140000 pid=5182 execve b552c079-4e0f-58bc-b479-72597b8dd283 91.92.241.19:4446 guuid=23a034c5-1e00-0000-d497-bb163e140000 pid=5182->b552c079-4e0f-58bc-b479-72597b8dd283 send: 3885B 4f6baed0-9587-596c-82b3-fd721afe4cc1 10.0.2.3:53 guuid=23a034c5-1e00-0000-d497-bb163e140000 pid=5182->4f6baed0-9587-596c-82b3-fd721afe4cc1 send: 52B
Threat name:
Linux.Backdoor.ConnectBack
Status:
Malicious
First seen:
2026-06-22 15:35:38 UTC
File Type:
ELF64 Little (Exe)
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Result
Malware family:
connectback
Score:
  10/10
Tags:
family:connectback backdoor discovery linux
Behaviour
Reads runtime system information
Reads system network configuration
Reads system routing table
Malware Config
C2 Extraction:
91.92.241.19:4446
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Trojan_Metasploit_69e20012
Author:Elastic Security
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ConnectBack

elf 263c72fe081c8e25693d9beea424519d895fe3176b18129c4f4bb6c06daf5283

(this sample)

  
Delivery method
Distributed via web download

Comments