MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7a2497ef4bc7fd6366d20c7c41dcb9299654042a65cb673c730cd4ed57545f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7a2497ef4bc7fd6366d20c7c41dcb9299654042a65cb673c730cd4ed57545f9
SHA3-384 hash: 91c218d00d3c14036da5cf1d30b64f31f6ddbb4cfa7b940f657c2446385dc590511ed527b402925cf54d44bb7b8c1270
SHA1 hash: 3b35af72f0e1ddf413257dfd15e8d2bfc1bbbd3b
MD5 hash: 0ad79be406037d9f4c989afefde15367
humanhash: stairway-eighteen-september-item
File name:untouchable.x86_64
Download: download sample
File size:12'922'152 bytes
First seen:2026-06-24 06:41:00 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 98304:Q+F5EnE6dt5/DFNUom0uhh7sJYlXWKuFxcDxQ0DEH:QAj6d/cRhfSxcKtH
TLSH T1F7D63A63E8D71594C4EEC170C672823BBAA13C5E1B3823D71790F3246B36BD0AAB6755
telfhash t19d8215b05abc34f5a666ca61e3f27474d67718b553e478f10027b891efe0f491caa823
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 8d737f5f1739472cf0cf0b688fceb5de206ed73f66301432fbf9fa12f728e9c5
File size (compressed) :3'687'180 bytes
File size (de-compressed) :12'922'152 bytes
Format:linux/amd64
Packed file: 8d737f5f1739472cf0cf0b688fceb5de206ed73f66301432fbf9fa12f728e9c5

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Deleting a recently created file
Creates directories
Changes the time when the file was created, accessed, or modified
Changes access rights for a written file
Creates or modifies symbolic links
Creating a file in the %temp% directory
Sets a written file as executable
Changes owner for a written file
Connection attempt
Gains root access
Launching a process
Substitutes an application name
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6a3b7c1b4dca8c24a59688a9/reports/02944f70-d196-48f4-ae45-68c97bf4cafc/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
8
Number of processes launched:
3
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/a7a2497ef4bc7fd6366d20c7c41dcb9299654042a65cb673c730cd4ed57545f9
Behaviour
Information Gathering
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Clean
File Type:
elf.64.le
Link:
https://opentip.kaspersky.com/a7a2497ef4bc7fd6366d20c7c41dcb9299654042a65cb673c730cd4ed57545f9/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ac95aef3-744d-4671-bdd2-cc53fe55f23c
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1933002
Signature
Manipulation of devices in /dev
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1933002 Sample: untouchable.x86_64.elf Startdate: 24/06/2026 Architecture: LINUX Score: 52 71 109.202.202.202, 80 INIT7CH Switzerland 2->71 73 91.189.91.42, 443 CANONICAL-ASGB United States 2->73 75 3 other IPs or domains 2->75 9 untouchable.x86_64.elf 2->9         started        11 gvfsd-fuse 2->11         started        process3 process4 13 untouchable.x86_64.elf sudo 9->13         started        15 untouchable.x86_64.elf sudo 9->15         started        17 untouchable.x86_64.elf sudo 9->17         started        19 2 other processes 9->19 process5 21 sudo bash 13->21         started        23 sudo adduser 15->23         started        27 sudo usermod 17->27         started        29 sudo chown 19->29         started        file6 31 bash 21->31         started        33 bash 21->33         started        35 bash rm 21->35         started        38 bash 21->38         started        69 /home/cursinq/.bashrc, ASCII 23->69 dropped 85 Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions 23->85 40 adduser useradd 23->40         started        42 adduser groupadd 23->42         started        44 adduser chfn 23->44         started        46 3 other processes 23->46 48 6 other processes 27->48 signatures7 process8 signatures9 50 bash rm 31->50         started        53 bash find 33->53         started        81 Manipulation of devices in /dev 35->81 83 Sample tries to access files in /etc/config/ (typical for OpenWRT routers) 35->83 55 useradd pam_tally2 40->55         started        63 6 other processes 40->63 57 groupadd 42->57         started        65 4 other processes 42->65 67 5 other processes 44->67 59 sh find 46->59         started        61 sh 46->61         started        process10 signatures11 77 Manipulation of devices in /dev 50->77 79 Sample tries to access files in /etc/config/ (typical for OpenWRT routers) 50->79
Score:
95%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/a7a2497ef4bc7fd6366d20c7c41dcb9299654042a65cb673c730cd4ed57545f9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7a2497ef4bc7fd6366d20c7c41dcb9299654042a65cb673c730cd4ed57545f9/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/a7a2497ef4bc7fd6366d20c7c41dcb9299654042a65cb673c730cd4ed57545f9
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6res7xuxr75mntnedd4iholskmwkqccuzolm46hgdgu5vlvix4q._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access defense_evasion discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/260624-hf19ysax3l/
Behaviour
GoLang User-Agent
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Changes its process name
Creates .desktop file
Reads CPU attributes
Modifies Bash startup script
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Reads AppArmor ptrace settings
Adds a user to the system
Creates/modifies environment variables
Deletes log files
Enumerates running processes
Reads hardware information
Reads network interface configuration
Deletes Audit logs
Deletes itself
Deletes journal logs
Deletes system logs
OS Credential Dumping
Modifies password files for system users/ groups
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7a2497ef4bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.12
Link:
https://yomi.yoroi.company/submissions/a7a2497ef4bc7fd6366d20c7c41dcb9299654042a65cb673c730cd4ed57545f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:GoBinTest
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 8d737f5f1739472cf0cf0b688fceb5de206ed73f66301432fbf9fa12f728e9c5

elf a7a2497ef4bc7fd6366d20c7c41dcb9299654042a65cb673c730cd4ed57545f9

(this sample)

  
Dropped by
SHA256 8d737f5f1739472cf0cf0b688fceb5de206ed73f66301432fbf9fa12f728e9c5
  
URLhaus
https://urlhaus.abuse.ch/url/3875194/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3875195/
  
URLhaus
https://urlhaus.abuse.ch/url/3875199/
  
URLhaus
https://urlhaus.abuse.ch/url/3875201/
  
URLhaus
https://urlhaus.abuse.ch/url/3875200/
  
URLhaus
https://urlhaus.abuse.ch/url/3875205/
  
URLhaus
https://urlhaus.abuse.ch/url/3875202/
  
URLhaus
https://urlhaus.abuse.ch/url/3875206/
  
URLhaus
https://urlhaus.abuse.ch/url/3875204/
  
URLhaus
https://urlhaus.abuse.ch/url/3875203/
  
URLhaus
https://urlhaus.abuse.ch/url/3875207/
  
URLhaus
https://urlhaus.abuse.ch/url/3875208/
  
URLhaus
https://urlhaus.abuse.ch/url/3875209/
  
URLhaus
https://urlhaus.abuse.ch/url/3875210/
  
URLhaus
https://urlhaus.abuse.ch/url/3875211/
  
URLhaus
https://urlhaus.abuse.ch/url/3875212/
  
URLhaus
https://urlhaus.abuse.ch/url/3875213/
  
URLhaus
https://urlhaus.abuse.ch/url/3875215/
  
URLhaus
https://urlhaus.abuse.ch/url/3875217/
  
URLhaus
https://urlhaus.abuse.ch/url/3875218/
  
URLhaus
https://urlhaus.abuse.ch/url/3875216/
  
URLhaus
https://urlhaus.abuse.ch/url/3875219/
  
URLhaus
https://urlhaus.abuse.ch/url/3875220/
  
URLhaus
https://urlhaus.abuse.ch/url/3875221/
  
URLhaus
https://urlhaus.abuse.ch/url/3875222/
  
URLhaus
https://urlhaus.abuse.ch/url/3875224/
  
URLhaus
https://urlhaus.abuse.ch/url/3875225/
  
URLhaus
https://urlhaus.abuse.ch/url/3875223/
  
URLhaus
https://urlhaus.abuse.ch/url/3875228/
  
URLhaus
https://urlhaus.abuse.ch/url/3875226/
  
URLhaus
https://urlhaus.abuse.ch/url/3875227/
  
URLhaus
https://urlhaus.abuse.ch/url/3875229/
  
URLhaus
https://urlhaus.abuse.ch/url/3875230/
  
URLhaus
https://urlhaus.abuse.ch/url/3875233/
  
URLhaus
https://urlhaus.abuse.ch/url/3875234/
  
URLhaus
https://urlhaus.abuse.ch/url/3875236/
  
URLhaus
https://urlhaus.abuse.ch/url/3875235/
  
URLhaus
https://urlhaus.abuse.ch/url/3875237/
  
URLhaus
https://urlhaus.abuse.ch/url/3875238/
  
URLhaus
https://urlhaus.abuse.ch/url/3875240/
  
URLhaus
https://urlhaus.abuse.ch/url/3875239/
  
URLhaus
https://urlhaus.abuse.ch/url/3875241/
  
URLhaus
https://urlhaus.abuse.ch/url/3875243/
  
URLhaus
https://urlhaus.abuse.ch/url/3875242/
  
URLhaus
https://urlhaus.abuse.ch/url/3875244/
  
URLhaus
https://urlhaus.abuse.ch/url/3875245/
  
URLhaus
https://urlhaus.abuse.ch/url/3875247/
  
URLhaus
https://urlhaus.abuse.ch/url/3875246/
  
Dropped by
MD5 b4dc9217a498fe4ead46de389ab1fb77
  
URLhaus
https://urlhaus.abuse.ch/url/3876121/
  
URLhaus
https://urlhaus.abuse.ch/url/3876129/
  
URLhaus
https://urlhaus.abuse.ch/url/3876138/
  
URLhaus
https://urlhaus.abuse.ch/url/3876147/

Comments