MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad1a76fd88fd0758b402fb334d35aed8e44cda06b461aac9d5a77a917e274c5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: ad1a76fd88fd0758b402fb334d35aed8e44cda06b461aac9d5a77a917e274c5f
SHA3-384 hash: fe0de283d81fd8cf6dd8a0ec92c93761a70cdeaae27e9f9c49b2ce32fcd999c26e5730e401a7b4cd2f38578e727e60ef
SHA1 hash: d5a9e250024d5a3fbbbf415b9216743bb1826f28
MD5 hash: f054afbb102df6b34647ff0a8905ba82
humanhash: black-kentucky-seven-stairway
File name: ksoftirqd0
File size: 1'846'668 bytes
First seen: 2026-05-14 12:00:00 UTC
Last seen: 2026-05-15 05:28:29 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 49152:Yo+jW+ynFD9TmAtl95sMq0CEb378i9Rzwvr:XH+ynd9TfXIbcr7D8
TLSH: T1738533E632C89C9460CE4B3E9A26E677556DF04783D7EE264FE8B1D28643F984309C74
telfhash: t166b011038ca2a0a082af8028cc2fc80803022a3020000b0c28320a033bc00eb02a0a0e
Magika: elf
Reporter: BlinkzSec

Intelligence


File Origin
# of uploads: 3
# of downloads: 34
Origin country:
Vendor Threat Intelligence
No detections
Result
Verdict: Clean
Maliciousness:
Behaviour
Receives data from a server
Sends data to a server
Creating a file in the %temp% subdirectories
Creating a file
Connection attempt
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: custom
Botnet: unknown
Number of open files: 51
Number of processes launched: 4
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Verdict: Malicious
File Type: elf.32.le
First seen: 2026-05-14T09:17:00Z UTC
Last seen: 2026-05-16T02:59:00Z UTC
Hits: ~100
Status: terminated
Behavior Graph:
Threat name: Linux.Backdoor.DarkDDoSer
Status: Suspicious
First seen: 2026-05-14 11:56:53 UTC
File Type: ELF32 Little (Exe)
AV detection: 10 of 24 (41.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery linux
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Enumerates running processes
Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: upx_antiunpack_elf32
Author: JPCERT/CC Incident Response Group
Description: UPX Anti-Unpacking technique to magic renamed for ELF32

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf ad1a76fd88fd0758b402fb334d35aed8e44cda06b461aac9d5a77a917e274c5f (this sample)

Delivery method: Distributed via web download

Comments