MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dc06ecee904b9165fa699b026045c1b6408cc7061df3d2a7bc2b7b4f0879f4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LockBit


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4dc06ecee904b9165fa699b026045c1b6408cc7061df3d2a7bc2b7b4f0879f4d
SHA3-384 hash: 526b3280f02e507febfc4217d877c1b3fffc526ea98da83a325369183824cefb9ca4fdb51e480151e2129d92631c85bd
SHA1 hash: 41e1e094c19fffde494c24ef4cab0d7577d5a025
MD5 hash: ca93d47bcc55e2e1bd4a679afc8e2e25
humanhash: kansas-quebec-lima-carbon
File name:LockBit_LINUX_AMD64
Download: download sample
Signature LockBit
Create hunting rule
File size:385'634 bytes
First seen:2025-09-20 01:27:29 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 6144:UIUFThyET/ZOhh5++4hg3nTBiHnqAHDYpzKaN7arPSnSURUd:3UFsmZOhh5+TWkCz6zunc
TLSH T18A845A07A29320FCCEC385322FAB3113626BBE4E271EBED1379A9621758B6711771751
telfhash t14cf0b47c87fb20a461ab86103393f57589312cd0429b30b2832e9814cbf0fc51872901
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter Lacorte1337
Tags:elf linux lockbit lockbit 5.0 lockbit5 Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
606
Origin country :
BR BR
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the %temp% subdirectories
Creating a file
Collects information on the CPU
Traces processes
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
threat
Link:
https://www.filescan.io/uploads/68ce0319254431b688d62e86/reports/7d54b96a-67cf-4379-aed8-67a57f4f0ea1/overview
Verdict:
Unknown
File Type:
elf.64.le
Link:
https://opentip.kaspersky.com/4dc06ecee904b9165fa699b026045c1b6408cc7061df3d2a7bc2b7b4f0879f4d/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/d7b10182-d06c-47c0-a792-6289918d4360
Behavior Graph:
Download SVG
%3 guuid=b3621156-1900-0000-68da-ad7322100000 pid=4130 /usr/bin/sudo guuid=7c424558-1900-0000-68da-ad732a100000 pid=4138 /tmp/sample.bin mprotect-exec write-file guuid=b3621156-1900-0000-68da-ad7322100000 pid=4130->guuid=7c424558-1900-0000-68da-ad732a100000 pid=4138 execve guuid=7c424558-1900-0000-68da-ad732a100000 pid=4140 /tmp/sample.bin write-file guuid=7c424558-1900-0000-68da-ad732a100000 pid=4138->guuid=7c424558-1900-0000-68da-ad732a100000 pid=4140 clone guuid=7c424558-1900-0000-68da-ad732a100000 pid=4141 /tmp/sample.bin write-file guuid=7c424558-1900-0000-68da-ad732a100000 pid=4138->guuid=7c424558-1900-0000-68da-ad732a100000 pid=4141 clone guuid=7c424558-1900-0000-68da-ad732a100000 pid=4154 /tmp/sample.bin write-file guuid=7c424558-1900-0000-68da-ad732a100000 pid=4138->guuid=7c424558-1900-0000-68da-ad732a100000 pid=4154 clone guuid=7c424558-1900-0000-68da-ad732a100000 pid=4155 /tmp/sample.bin write-file guuid=7c424558-1900-0000-68da-ad732a100000 pid=4138->guuid=7c424558-1900-0000-68da-ad732a100000 pid=4155 clone guuid=7c424558-1900-0000-68da-ad732a100000 pid=4775 /tmp/sample.bin write-file guuid=7c424558-1900-0000-68da-ad732a100000 pid=4138->guuid=7c424558-1900-0000-68da-ad732a100000 pid=4775 clone guuid=7c424558-1900-0000-68da-ad732a100000 pid=4776 /tmp/sample.bin delete-file write-file guuid=7c424558-1900-0000-68da-ad732a100000 pid=4138->guuid=7c424558-1900-0000-68da-ad732a100000 pid=4776 clone
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/873b7079-0fbb-473d-ac61-35e21f0c68d8
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/4dc06ecee904b9165fa699b026045c1b6408cc7061df3d2a7bc2b7b4f0879f4d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4dc06ecee904b9165fa699b026045c1b6408cc7061df3d2a7bc2b7b4f0879f4d/
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-09-20 01:28:43 UTC
File Type:
ELF64 Little (Exe)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jxag5txjas4rmx5gtgycmbc4dnsartdqmhpt2kt3yk33j4eht5gq._file
Result
Malware family:
lockbit
Create hunting rule
Score:
  10/10
Tags:
family:lockbit credential_access defense_evasion discovery execution linux persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/250920-bvlz9axxcv/
Behaviour
Reads runtime system information
Writes file to tmp directory
Reads CPU attributes
Creates/modifies Cron job
Deletes log files
Deletes journal logs
Reads user data of web browsers
Renames itself
Traces itself
Lockbit
Lockbit family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/75b672ae-7fc9-4217-a39b-335959eb976c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/4dc06ecee904b9165fa699b026045c1b6408cc7061df3d2a7bc2b7b4f0879f4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments