MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37cd2dedf46cd8a98a917b92b9a141e7e84c82312b0fb07c0c6c31ab47e538b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: 37cd2dedf46cd8a98a917b92b9a141e7e84c82312b0fb07c0c6c31ab47e538b2
SHA3-384 hash: 75f15fc0b58faf00231ed4b1f6b8bbc7480de2a7cbd44cbf4dbd25e86d0168448ac4ccfdf62edbf420c3672474963964
SHA1 hash: 87e94d9fbce0a231f07b8907716e26319b73fdd5
MD5 hash: 8afa0be11fc9d6890e29f7b4f8dbf273
humanhash: stairway-four-zulu-spring
File name: w4rr7.x86
File size: 1'011'808 bytes
First seen: 2026-05-14 13:36:38 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 24576:9ztvhXYhE9zFSYt4rPgUh1Z13sTAm0stkwpP9tGeu:jhXYhWT+xBR436K9u
TLSH: T1E4258E8EEB92D4E2F5A341F50A8FD7F3153496164003F6F2EB4DAA7634367526E07228
telfhash: t104b012100cc1010e542bce140c08000228623803d80e7f405d008191642c44d4e6c08e
Magika: elf
Reporter: abuse_ch
Tags: elf upx-dec


abuse_ch
UPX decompressed file, sourced from SHA256 a287341f1aeb319a71d9e0b029ce2b007b97ac93889abe69813f537a0f2c9a9e
File size (compressed): 364'056 bytes
File size (de-compressed): 1'011'808 bytes
Format: linux/i386
Packed file: a287341f1aeb319a71d9e0b029ce2b007b97ac93889abe69813f537a0f2c9a9e

Intelligence

File Origin
# of uploads: 1
# of downloads: 35
Origin country: NL
Vendor Threat Intelligence
No detections
Result
Verdict: Malware
Maliciousness:

Behaviour
Runs as daemon
Collects information on the CPU
Creating a file
Receives data from a server
Creating a file in the %temp% directory
Sends data to a server
Connection attempt
Performs a bruteforce attack in the network
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: gcc masquerade rust
Status: terminated
Behavior Graph: (raw graph export omitted; it records /tmp/sample.bin being launched via sudo, forking several worker processes, sending a 28-byte message to 77.90.51.233:443, and attempting port 23 (telnet) connections to many hosts in the sandbox's 10.0.2.0/24 range)
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 48 / 100
Signature
Drops invisible ELF files
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph: (raw graph export omitted; Behavior Graph ID 1913471, sample w4rr7.x86.elf, start date 14/05/2026, architecture LINUX, score 48; it records the sample spawning child processes, dropping hidden copies of itself as ELF files at /var/tmp/.w4rr7, /tmp/.w4rr7, /run/.w4rr7 and /dev/shm/.w4rr7, and contacting 185.125.190.26:443 (CANONICAL-ASGB, United Kingdom) and 77.90.51.233:443 (ASGHOSTNETDE, Germany))
Threat name: Linux.Trojan.Multiverze
Status: Malicious
First seen: 2026-05-14 13:37:32 UTC
File Type: ELF32 Little (Exe)
AV detection: 7 of 24 (29.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: discovery linux
Behaviour
Reads runtime system information
Writes file to shm directory
Writes file to tmp directory
Reads CPU attributes
Enumerates running processes
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: malwareelf55503

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
elf 37cd2dedf46cd8a98a917b92b9a141e7e84c82312b0fb07c0c6c31ab47e538b2 (this sample)
Delivery method: Distributed via web download

Comments