MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f2763361a98bdec1ffb3f084d3fac470d0e361ae1cd17e94ac6cdddf7c0e41a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: 6f2763361a98bdec1ffb3f084d3fac470d0e361ae1cd17e94ac6cdddf7c0e41a
SHA3-384 hash: 1feb2e95f7742ffcf7d0a7059863b9fa0668cff3f97d40b8f01d3d03c0d54065d402c1a6d4d52837de75eb36024e6e83
SHA1 hash: 622a917b8280f5a52c899b9649beb668d32e2dc8
MD5 hash: 4b11af277a770b7e974aa58221d31e19
humanhash: solar-florida-yellow-golf
File name: boatnet.x86
File size: 3'918'812 bytes
First seen: 2026-06-28 08:11:01 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 98304:9hCJFkX5t9gh/VaOiRYwvPGKzuXs4uPwqi:9GaX5/gh/VaNYwvPhuc4us
TLSH: T1EC0633D1138D843FFB57F9B46849920E6B36FA1622217E47083B29EA097BD1F5F601D2
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf UPX
File size (compressed): 3'918'812 bytes
File size (de-compressed): 13'057'672 bytes
Format: linux/amd64
Unpacked file: 115f33a4ba24ed64250f936909948c5f06a6aedc9e0e801998473e88cd4e0094

Intelligence


File Origin
# of uploads: 1
# of downloads: 47
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware

Behaviour
Sends data to a server
Sets a written file as executable
Gains root access
Creating a file in the %temp% directory
Receives data from a server
Changes owner for a file
Deleting a recently created file
Launching a process
Connection attempt
Creating a file
Deletes a file
Changes the time when the file was created, accessed, or modified
Creates or modifies symbolic links
Changes owner for a written file
Creates directories
Changes access rights for a written file
Removes directories
Substitutes an application name
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: masquerade packed upx
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: UPX
Botnet: unknown
Number of open files: 8
Number of processes launched: 3
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
Information Gathering
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 56 / 100
Signature
Manipulation of devices in /dev
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample is packed with UPX
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Behaviour
Behavior Graph (ID: 1934618; sample: boatnet.x86.elf; start date: 28/06/2026; architecture: LINUX; score: 56):
Network contact: 85.11.167.200, ports 34438 and 8080 (COLOCATEL-INC Colocatel Network, Netherlands)
Process tree: boatnet.x86.elf starts sudo, which launches bash, adduser, usermod and chown; adduser in turn runs useradd (with pam_tally2), groupadd and chfn; bash runs rm and find. Sandbox also recorded python3.8 dpkg and gvfsd-fuse at startup.
Dropped file: /home/cursinq/.bashrc (ASCII)
Graph signatures: Sample is packed with UPX; Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions; Manipulation of devices in /dev; Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Result
Malware family: n/a
Score: 8/10
Tags: credential_access defense_evasion discovery execution linux persistence privilege_escalation upx
Behaviour
GoLang User-Agent
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Changes its process name
Creates .desktop file
Reads CPU attributes
Modifies Bash startup script
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Reads AppArmor ptrace settings
Adds a user to the system
Creates/modifies environment variables
Deletes log files
Enumerates running processes
Reads hardware information
Reads network interface configuration
Deletes Audit logs
Deletes itself
Deletes journal logs
Deletes system logs
OS Credential Dumping
Modifies password files for system users/groups
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/
Rule name: upx_packed_elf_v1
Author: RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
elf 6f2763361a98bdec1ffb3f084d3fac470d0e361ae1cd17e94ac6cdddf7c0e41a (this sample)

Delivery method: Distributed via web download

Comments