MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d6f920992c6e41f82584fd558cf0415f255a9b50ef3628e2b0dafb8014ed0ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d6f920992c6e41f82584fd558cf0415f255a9b50ef3628e2b0dafb8014ed0ef
SHA3-384 hash: 5088856b7635d4810903862d8ca36bc266ceddb15ac3775ae692031a523eb785e0275ad1a8fa419610ea4c5784b1e6cb
SHA1 hash: c9b7e754aa2f280e252eda9669f1af0661260658
MD5 hash: b403e46d54dea0e65b1b8694a1ca65f2
humanhash: iowa-single-oxygen-failed
File name:3vrtjbxplo
Download: download sample
File size:326'002 bytes
First seen:2026-04-04 19:14:10 UTC
Last seen:2026-04-05 13:18:30 UTC
File type: elf
MIME type:application/x-sharedlib
ssdeep 6144:1gr6qZDnFJLIqJ/dGpU3UCKYQYqlZdadbMtwDtVx5SgW97msQfMAI:EdDLdJ/4pU3LQ8bMtwDvx5bG7msQfMAI
TLSH T179641211EE401F9BCCAFDF755AAB03272B8C54DA83A1A32E537C8D2D789864049D3C89
telfhash t11eb02bc8c23f01f0fd92756e9034cad2819bc80200e05d200e00d080c41012f5146f8c
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
3
# of downloads :
75
Origin country :
DE DE
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Changes access rights for a written file
Mounts file systems
Connection attempt
Runs as daemon
Launching a process
Sends data to a server
DNS request
Creating a process from a recently created file
Creating a file
Creates or modifies symbolic links
Creating a file in the %temp% directory
Deleting a recently created file
Changes the time when the file was created, accessed, or modified
Receives data from a server
Sets a written file as executable
Creates or modifies files in /cron to set up autorun
Deletes a system binary file
Substitutes an application name
Writes files to system directory
Gathering data
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
custom
Botnet:
unknown
Number of open files:
7
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/3d6f920992c6e41f82584fd558cf0415f255a9b50ef3628e2b0dafb8014ed0ef
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Clean
File Type:
elf.32.le
First seen:
2026-04-04T16:27:00Z UTC
Last seen:
2026-04-06T13:12:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/3d6f920992c6e41f82584fd558cf0415f255a9b50ef3628e2b0dafb8014ed0ef/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/b454002b-5988-4c4d-ad2e-dfbb200ce883
Behavior Graph:
Download SVG
%3 guuid=c49bcfd8-1b00-0000-9df1-f1fe0f0c0000 pid=3087 /usr/bin/sudo guuid=947fbcdb-1b00-0000-9df1-f1fe160c0000 pid=3094 /tmp/sample.bin guuid=c49bcfd8-1b00-0000-9df1-f1fe0f0c0000 pid=3087->guuid=947fbcdb-1b00-0000-9df1-f1fe160c0000 pid=3094 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/359bfaf8-dcf6-48e9-8968-275c581b452b
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
1 / 100
Link:
https://www.joesandbox.com/analysis/1893495
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/3d6f920992c6e41f82584fd558cf0415f255a9b50ef3628e2b0dafb8014ed0ef
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d6f920992c6e41f82584fd558cf0415f255a9b50ef3628e2b0dafb8014ed0ef/
Threat name:
Linux.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-04 19:15:45 UTC
File Type:
ELF32 Little (SO)
AV detection:
4 of 38 (10.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvxzecmsy3sb7asyj7kvrtyecxzflknvb3zwfdrlbwx3qako2dxq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
antivm credential_access discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/260404-xxsrgabx3n/
Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Reads process memory
Checks SCSI settings
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Modifies systemd
Write file to user bin folder
Writes file to system bin folder
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3d6f920992c6e41f82584fd558cf0415f255a9b50ef3628e2b0dafb8014ed0ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:elf_arm_mips_ko_so
Create hunting rule
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 3d6f920992c6e41f82584fd558cf0415f255a9b50ef3628e2b0dafb8014ed0ef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3811224/
  
Delivery method
Distributed via web download

Comments