MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a02eeb92a977c0749f93e6c7959159e68aa3a9e93c77f1fce81dc4b014e7c545. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash: a02eeb92a977c0749f93e6c7959159e68aa3a9e93c77f1fce81dc4b014e7c545
SHA3-384 hash: 420364646d9df4c73a9102d8e0ebd7c54d35af51215ab7db800c1f75ed6467ecbb54a1cb0b390521b390734e241eed82
SHA1 hash: a3aae326109751edac5145ff1b679f8935177ad7
MD5 hash: 9df07b64a28b61e4c7a9f8c8e8d2a801
humanhash: nitrogen-music-dakota-west
File name:file-grey.elf
Download: download sample
File size:53'920 bytes
First seen:2025-01-02 14:57:19 UTC
Last seen:2026-07-02 19:30:07 UTC
File type: elf
MIME type:application/x-sharedlib
ssdeep 1536:9sU7CNr299ggdjVEs3n9DXPtxOnb1Cy4u:yUqr+FdjVT3n9Dt0Cy3
TLSH T17F33B5C0EA808974C1C4D771C8EF6117A8B2FCADC7741B6F1504B53A7D6A2162F2ABB5
telfhash t1e5f04c01b929099b84f58f696c425b7ad4a3d24188715348df89cae2a54a407ff4760f
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter Joker
Tags:elf malware trojan

Intelligence


File Origin
# of uploads :
2
# of downloads :
137
Origin country :
NL NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Collects information on the CPU
Opens a port
Launching a process
Creating a file
Creates directories
Creates or modifies symbolic links in /init.d to set up autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
gcc lolbin remote
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
13
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj
Score:
56 / 100
Signature
Multi AV Scanner detection for submitted file
Sample and/or dropped files likely contain functionality related to malicious behavior
Sample tries to persist itself using System V runlevels
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1583386 Sample: file-grey.elf Startdate: 02/01/2025 Architecture: LINUX Score: 56 33 109.202.202.202, 80 INIT7CH Switzerland 2->33 35 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->35 37 91.189.91.43, 443 CANONICAL-ASGB United Kingdom 2->37 41 Multi AV Scanner detection for submitted file 2->41 43 Sample and/or dropped files likely contain functionality related to malicious behavior 2->43 8 file-grey.elf 2->8         started        signatures3 process4 process5 10 file-grey.elf sh 8->10         started        12 file-grey.elf sh 8->12         started        14 file-grey.elf sh 8->14         started        16 5 other processes 8->16 process6 18 sh ln 10->18         started        21 sh chmod 12->21         started        23 sh chmod 14->23         started        25 sh chmod 16->25         started        27 sh cp 16->27         started        29 sh cp 16->29         started        31 sh cp 16->31         started        signatures7 39 Sample tries to persist itself using System V runlevels 18->39
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2020-01-18 19:03:32 UTC
File Type:
ELF64 Little (SO)
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery linux
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Reads CPU attributes
File and Directory Permissions Modification
Verdict:
Suspicious
Tags:
rat
YARA:
sig_71b4dc80275298d11904a082102ed5aee584651370d7c744f20822f9dcb0f79a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:setsockopt
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments