MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 444571b5a27a3f7d1d8e263300a2d505e7cb90d6f65307ee3837935ac4e2e92f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: 444571b5a27a3f7d1d8e263300a2d505e7cb90d6f65307ee3837935ac4e2e92f
SHA3-384 hash: 47083586ff2af4751dec0019fd4442684a586e16128a733f26812b9b41a5d3c08448fe0c2c9d666256cbe1178307d9ca
SHA1 hash: e77c1e03a8dbc7e89e004921384b57598c151840
MD5 hash: b9e14de06bb087ac20ce3b2c37027e07
humanhash: hotel-white-chicken-chicken
File name: agent-linux-amd64
File size: 12'607'823 bytes
First seen: 2026-05-28 11:26:30 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 98304:1AisPF9YHMwY+dRoPNgv5aDl07OCnw8EIcp7rhwIOfFPt8moTXcTAyMDAN8JQfEM:1KYZY+DomY3v1Rp7mIuGRXMrKPJQfDa+
TLSH: T141C68D07EC6559E9C1ED91318A769222BBB1BC495B2023D73B60F7382F73BD06A79740
telfhash: t133747696ac253eb64fc003639cf8c59463e6e4035451aadcafb05235f4e788d72bb71a
gimphash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (this value is the SHA-256 of empty input, i.e. no Go function names were recovered for hashing)
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12); 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: cndlsec

Intelligence


File Origin
# of uploads: 1
# of downloads: 15
Origin country: US
Vendor Threat Intelligence
No detections

Result
Verdict: Suspicious
Maliciousness: (not reported)
Behaviour
Collects information on the CPU
Collects information on the RAM
Creating a file
Sends data to a server
Connection attempt
Receives data from a server
Runs as daemon
Collects information on the OS
Collects information on the network activity
Launching a process
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: true
Architecture: x86
Packer: custom
Botnet: unknown
Number of open files: 1
Number of processes launched: 4
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
Anti-VM

Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified

Verdict: Clean
File Type: elf.64.le
First seen: 2026-05-28T09:47:00Z UTC
Last seen: 2026-05-30T02:27:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2026-05-28 11:27:40 UTC
File Type: ELF64 Little (Exe)
AV detection: 7 of 38 (18.42%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: discovery linux

Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Reads CPU attributes
Enumerates running processes
Looks up external IP address via web service

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: DetectGoMethodSignatures
Author: Wyatt Tauber
Description: Detects Go method signatures in unpacked Go binaries

Rule name: Detect_Go_GOMAXPROCS
Author: Obscurity Labs LLC
Description: Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name: enterpriseapps2
Author: Tim Brown @timb_machine
Description: Enterprise apps

Rule name: enterpriseunix2
Author: Tim Brown @timb_machine
Description: Enterprise UNIX

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.

Rule name: GoBinTest

Rule name: golang

Rule name: golang_binary_string
Description: Golang strings present

Rule name: golang_duffcopy_amd64

Rule name: Golang_Find_CSC846
Author: Ashar Siddiqui
Description: Find Go Signatures

Rule name: Golang_Find_CSC846_Simple
Author: Ashar Siddiqui
Description: Find Go Signatures

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: ProgramLanguage_Golang
Author: albertzsigovits
Description: Application written in Golang programming language

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: Suspicious_Golang_Binary
Author: Tim Machac
Description: Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name: test_Malaysia
Author: rectifyq
Description: Detects file containing malaysia string

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments