MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57a8456ad140665dccb2a885c31bbea27223f5d049baafd8a4fd535e5b083c7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6



SHA256 hash: 57a8456ad140665dccb2a885c31bbea27223f5d049baafd8a4fd535e5b083c7c
SHA3-384 hash: 562ea909fd86a146dec36e8f5a06661ffc618f779365005ee66484797c46a802df189cee6f15aae456b16c023dcace23
SHA1 hash: 660a88135557fed0556544ddee42c1268265bfe8
MD5 hash: 9607eb46c56ab6ade8e218288c39febc
humanhash: lion-nebraska-virginia-five
File name: i686
Download: download sample
File size: 148'220 bytes
First seen: 2026-01-26 13:09:15 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 3072:Q+oI4wLCJeACkPL8XPNbuzkG5PdAFoV18eBYUE:QRV78mkEdA2VGe6U
TLSH: T139E31746AA43DFB3D44310F102A29B219B71FC3B4836D98AE3B67DB49A115D1E71A37C
telfhash: t13a91aaf22ef60cecb3d04405d64e57939d09e63f241072b647a2aa9533f6f829276c39
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence

File Origin
# of uploads: 1
# of downloads: 31
Origin country: DE

Vendor Threat Intelligence
No detections
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 2
Number of processes launched: 9
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour: Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Status: terminated
Behavior Graph:
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph:
Result
Malware family: n/a
Score: 7/10
Tags: discovery linux persistence privilege_escalation
Behaviour
Reads runtime system information
Changes its process name
Reads CPU attributes
Modifies rc script
Modifies systemd
Write file to user bin folder
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ELF_Toriilike_persist
Author: 4r4
Description: Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference: Identified via researched data

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 57a8456ad140665dccb2a885c31bbea27223f5d049baafd8a4fd535e5b083c7c (this sample)

Delivery method: Distributed via web download

Comments