MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85aa433ad277dee063d59e4aa08108538c4290d4f550122c35eb3b111f4553e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85aa433ad277dee063d59e4aa08108538c4290d4f550122c35eb3b111f4553e1
SHA3-384 hash: 85bdcb5ce379eadd5ae3cfca409e759835a25924f6e3f86dc8de7ef4ac9fa2d080fae16659e441d8317d7672e19361e6
SHA1 hash: 02d4689d05104a7aa928cea1b6ecd9e77f350c10
MD5 hash: f659d0d9d78a4fe96ab409fbac19d67e
humanhash: sodium-blue-bakerloo-burger
File name:shandriscv64
Download: download sample
File size:654'128 bytes
First seen:2026-04-05 02:02:11 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 12288:wiK+zj7b72LT9eGKdt/w7mSplcg46MPw53po/hK+QlcEklU:wiK+37ba9eGutI7ZrJ46MT/QNlJkl
TLSH T15ED4AD29F8447B07C8979274848FE418736AB2851752370A3846E6BD3D83BBDAF1D3D9
telfhash t10ab012e085b4d4c70a73ce910fad4202510be44f9e3a8f012bc8c417651470b33a3c0f
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
40
Origin country :
DE DE
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.ELF.Flooder-AAH.39378638.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Unknown
File Type:
elf.64.le
Link:
https://opentip.kaspersky.com/85aa433ad277dee063d59e4aa08108538c4290d4f550122c35eb3b111f4553e1/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/9e238320-e3a4-4298-8aa9-eedb22b7df0d
Behavior Graph:
Download SVG
%3 guuid=bda184a7-1a00-0000-94b5-f9bd000b0000 pid=2816 /usr/bin/sudo guuid=cf57cfa9-1a00-0000-94b5-f9bd040b0000 pid=2820 /tmp/sample.bin guuid=bda184a7-1a00-0000-94b5-f9bd000b0000 pid=2816->guuid=cf57cfa9-1a00-0000-94b5-f9bd040b0000 pid=2820 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6484c62c-9dd4-43b9-af9a-6e76b8cca500
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1893636
Signature
Antivirus / Scanner detection for submitted sample
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1893636 Sample: shandriscv64.elf Startdate: 05/04/2026 Architecture: LINUX Score: 48 12 109.202.202.202, 80 INIT7CH Switzerland 2->12 14 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->14 16 2 other IPs or domains 2->16 18 Antivirus / Scanner detection for submitted sample 2->18 6 dash rm 2->6         started        8 dash rm 2->8         started        10 shandriscv64.elf 2->10         started        signatures3 process4
Score:
97%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/85aa433ad277dee063d59e4aa08108538c4290d4f550122c35eb3b111f4553e1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85aa433ad277dee063d59e4aa08108538c4290d4f550122c35eb3b111f4553e1/
Threat name:
Linux.Hacktool.Flooder
Create hunting rule
Status:
Malicious
First seen:
2026-04-05 02:15:47 UTC
AV detection:
7 of 24 (29.17%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qwvegowso7poay6vtzfkbaiikogefegu6vibelbv5m5rch2fkpqq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/260405-cge58acz5z/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/85aa433ad277dee063d59e4aa08108538c4290d4f550122c35eb3b111f4553e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:malwareelf55503
Create hunting rule
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 85aa433ad277dee063d59e4aa08108538c4290d4f550122c35eb3b111f4553e1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3811659/
  
Delivery method
Distributed via web download

Comments