MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ddefa7635a60e03ff39678587427cc09f810a65b1c33e1d065174fbf98042ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: 4ddefa7635a60e03ff39678587427cc09f810a65b1c33e1d065174fbf98042ef
SHA3-384 hash: 72ae5d0956875cca97e9abdbd2262c215fafb544e1382d636737eed027ddbf80e8e65ef1772e3e8faefe266f23103200
SHA1 hash: 177db5523faa16ea4eebcbcf05ed74c22d7d9772
MD5 hash: 9690c731f827a245e9d7773bca8a49ae
humanhash: maine-high-cardinal-aspen
File name: linux_386
File size: 1'743'360 bytes
First seen: 2026-03-20 06:52:58 UTC
Last seen: 2026-03-20 07:28:48 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 49152:ITF6X8DXTpS5GJGPjqJ7G6cVbzaUm0BNmbJS9KXrH0jEO:ITFi8jkoJIeWbWUvy+KXrUjEO
TLSH: T14D8533C926D1D8710C105B05B34EF7EC8E89A02FF1B0B56954CB53AD913F63BA6A99F0
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf UPX
File size (compressed): 1'743'360 bytes
File size (de-compressed): 4'313'088 bytes
Format: linux/i386
Unpacked file: c8f3b84814fe469e2d551c141b37bf74e350bfeafb31a530d2582788cc445789

Intelligence


File Origin
# of uploads: 2
# of downloads: 80
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Runs as daemon
Manages services
Launching a process
Creating a process from a recently created file
Creating a file
Changes the time when the file was created, accessed, or modified
Creating a file in the %temp% directory
Deleting a recently created file
Writes files to system directory
Deletes a system binary file
Creates or modifies files in /init.d to set up autorun
Creates or modifies symbolic links in /init.d to set up autorun
Gathering data
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: UPX
Botnet: unknown
Number of open files: 1
Number of processes launched: 4
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Status: terminated
Behavior Graph:
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj.evad
Score: 88 / 100
Signature
Drops files in suspicious directories
Drops invisible ELF files
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Writes ELF files to hidden directories
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph:
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2026-03-20 06:53:27 UTC
File Type: ELF32 Little (Exe)
AV detection: 10 of 38 (26.32%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: defense_evasion discovery linux persistence privilege_escalation upx
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Modifies Bash startup script
UPX packed file
Creates/modifies environment variables
Modifies init.d
Modifies rc script
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: GoBinTest

Rule name: golang_binary_string
Description: Golang strings present

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: ProgramLanguage_Golang
Author: albertzsigovits
Description: Application written in Golang programming language

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SUSP_ELF_LNX_UPX_Compressed_File
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious ELF binary with UPX compression
Reference: Internal Research

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: UPXProtectorv10x2
Author: malware-lu

Rule name: upx_packed_elf_v1
Author: RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 4ddefa7635a60e03ff39678587427cc09f810a65b1c33e1d065174fbf98042ef (this sample)

Delivery method: Distributed via web download

Comments