MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98d6535254d30aacf14379005a74f4298c1dea7bd2bd90a97c0aa2ecd667cae9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98d6535254d30aacf14379005a74f4298c1dea7bd2bd90a97c0aa2ecd667cae9
SHA3-384 hash: e7dc8966d0454c6df9d32a53a0b7d90d8a900790277234ff1b5d1c9c203dc0fb109fd1429adea59e8cd8b4fad28c7edb
SHA1 hash: 166d64f117d568e66e79d1289a343500de5ebf9a
MD5 hash: 47b4a3f0a78d475c4dfc2fd349d72f75
humanhash: jupiter-east-green-oxygen
File name:mpsl
Download: download sample
File size:68'668 bytes
First seen:2025-12-01 00:32:58 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:faxQtS/wkTWAqeQkHxDhFJBul3/Gtx8tVm7XIBtPfjXRo3ZG:fGQtSRUeQkHxDJB+Gtx8tVm74BtPfjRB
TLSH T1CA630264DCEF5B68F212A1BD53E3601E720A17BA0750236718C0C7F61E7B9B26574AC7
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf UPX
File size (compressed) :68'668 bytes
File size (de-compressed) :179'764 bytes
Format:linux/mipsel
Unpacked file: 575af709ba5540a2819c82d51f75b78445c620b2536c977baf76e424a8a6bcf6

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
DE DE
Vendor Threat Intelligence
Details
No details
Result
Verdict:
Clean
Maliciousness:
Result
Gathering data
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/10169b96-b1fb-4a1e-a0de-83c23afe918f
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
22 / 100
Link:
https://www.joesandbox.com/analysis/1823268
Signature
Sample is packed with UPX
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1823268 Sample: mpsl.elf Startdate: 01/12/2025 Architecture: LINUX Score: 22 14 169.254.169.254, 80 USDOSUS Reserved 2->14 16 daisy.ubuntu.com 162.213.35.24, 40394, 40396, 443 CANONICAL-ASGB United States 2->16 18 2 other IPs or domains 2->18 20 Sample is packed with UPX 2->20 6 python3.8 dpkg 2->6         started        8 dash rm 2->8         started        10 dash cat 2->10         started        12 9 other processes 2->12 signatures3 process4
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/98d6535254d30aacf14379005a74f4298c1dea7bd2bd90a97c0aa2ecd667cae9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98d6535254d30aacf14379005a74f4298c1dea7bd2bd90a97c0aa2ecd667cae9/
Threat name:
Linux.Packed.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2025-11-30 21:17:31 UTC
File Type:
ELF32 Little (Exe)
AV detection:
2 of 38 (5.26%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tdlfgusu2mfkz4kdpeafu5hufggb32t32k6zbkl4bkrozvthzluq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery upx
Link:
https://tria.ge/reports/251201-awcbrsdl6y/
Behaviour
Reads runtime system information
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 98d6535254d30aacf14379005a74f4298c1dea7bd2bd90a97c0aa2ecd667cae9

(this sample)

elf 575af709ba5540a2819c82d51f75b78445c620b2536c977baf76e424a8a6bcf6

  
URLhaus
https://urlhaus.abuse.ch/url/3718929/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 575af709ba5540a2819c82d51f75b78445c620b2536c977baf76e424a8a6bcf6
  
Dropping
MD5 5014ada9673ea785a4757cb1a34e1815

Comments