MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afa3fc4bb4f6cdd9ba5ead4cd810586444b79f67303d099f16593952bf5ef8eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: afa3fc4bb4f6cdd9ba5ead4cd810586444b79f67303d099f16593952bf5ef8eb
SHA3-384 hash: 312abe2bcf20de7191efc6ce885376d2ec9b06030ad790696a49069b3982f7adf244dd2962cad767dbc0ec0f99f25bc1
SHA1 hash: 6cd8179c27a1121e71103cd1f7f6b11ebd410e87
MD5 hash: b7db43f666cfad659e1c7eb9850bed23
humanhash: victor-washington-mockingbird-summer
File name: dockerd
File size: 285'544 bytes
First seen: 2025-11-18 11:23:52 UTC
Last seen: Never
File type: elf
MIME type: application/x-sharedlib
ssdeep: 6144:uQfZRLvDPbbRzC81HORwfgxRZ13lhnGc+05jSC:b/LN+KiJJ3nnj+y/
TLSH: T1FC5423E152E9DE5CC1A5FE750EBC2085C327F5313E170C2D4D46AA9AE42A914FF8272B
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: smica83
Tags: elf UPX
File size (compressed): 285'544 bytes
File size (de-compressed): 652'040 bytes
Format: linux/amd64
Unpacked file: cee28e2486888ff12f461e23d5c7265cd54962473fa597539a21a3247ab1314c
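The static fields in the table above (ELF class and type, the MIME type, the UPX tag, the four digests) can be reproduced locally before a sample goes anywhere near a sandbox. The Python below is an added example for this page, not MalwareBazaar tooling: it decodes the ELF header, looks for the strings UPX leaves in a packed image, and computes the same digests the table lists. The bytes it runs on are a constructed minimal ELF64 header plus UPX marker strings standing in for the real dockerd file, and the function names are mine. Two caveats a practitioner should keep in mind: application/x-sharedlib is what libmagic reports for an ET_DYN image, so the entry describes a position-independent executable rather than a library; and the UPX markers can be patched out of a binary, so their absence proves nothing, which is why the YARA rules matched on this page are "suspicious" rules rather than malware-family rules.

```python
"""Static triage of a possibly UPX-packed ELF: header fields, UPX markers, digests.

Added example for this page; the ELF below is constructed, not the real sample.
"""
from __future__ import annotations

import hashlib
import struct

ELF_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}

# Strings UPX leaves in a packed file. Not authoritative: the packer header
# can be patched out, so treat a hit as a lead and a miss as no information.
UPX_MARKERS = (
    b"UPX!",
    b"$Info: This file is packed with the UPX executable packer",
)


def parse_elf_header(data: bytes) -> dict[str, str]:
    """Decode e_ident, e_type and e_machine from the first 64 bytes."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None or ei_class not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA")
    # e_ident is 16 bytes for both ELF32 and ELF64; e_type/e_machine follow it.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "class": "ELF64" if ei_class == 2 else "ELF32",
        "endian": "LE" if ei_data == 1 else "BE",
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        # libmagic labels ET_DYN as application/x-sharedlib (or x-pie-executable
        # on newer builds): a PIE executable, not necessarily a library.
        "mime_hint": "application/x-sharedlib" if e_type == 3 else "application/x-executable",
    }


def find_upx_markers(data: bytes) -> list[str]:
    """Return the UPX marker strings present in the image (empty list if none)."""
    return [m.decode() for m in UPX_MARKERS if m in data]


def hash_all(data: bytes) -> dict[str, str]:
    """The digests MalwareBazaar lists: MD5, SHA1, SHA256, SHA3-384."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha3_384")}


def triage(data: bytes) -> dict:
    """One-shot static summary of an ELF blob."""
    markers = find_upx_markers(data)
    return {
        "header": parse_elf_header(data),
        "upx_markers": markers,
        "packed_upx": bool(markers),
        "size": len(data),
        **hash_all(data),
    }


# Constructed input: a minimal ELF64 LE x86-64 ET_DYN header (64 bytes) followed
# by the marker strings. This is NOT the real dockerd sample.
SAMPLE = (
    b"\x7fELF" + b"\x02" + b"\x01" + b"\x01" + b"\x00" + b"\x00" * 8  # e_ident
    + struct.pack("<HHI", 3, 62, 1)                    # e_type=ET_DYN, e_machine=EM_X86_64, e_version
    + struct.pack("<QQQ", 0x1000, 64, 0)               # e_entry, e_phoff, e_shoff
    + struct.pack("<IHHHHHH", 0, 64, 56, 2, 64, 0, 0)  # e_flags .. e_shstrndx
    + b"UPX!" + b"\x00" * 28
    + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

To check the entry itself, run `triage(open("dockerd", "rb").read())` on the downloaded file: the sha256 field should equal the SHA256 hash at the top of this page, and after `upx -d -o dockerd.unpacked dockerd` the unpacked file should hash to the "Unpacked file" value above. If `upx -d` refuses the file with a header error, the packer header was modified and a memory dump of the running process is the fallback. ssdeep and TLSH need their own bindings (the `ssdeep` and `tlsh` Python packages) and are not computed here.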

Intelligence


File Origin
Uploads: 1
Downloads: 33
Origin country: HU

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Runs as daemon
Opens a port
Manages services
Launching a process
Locks files
Collects information on the OS
Sets a written file as executable
Creating a file
Collects information on the CPU
Loading a system driver
Substitutes an application name
Creates or modifies files in /cron to set up autorun
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: packed upx

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: UPX
Botnet: unknown
Number of open files: 43
Number of processes launched: 29
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour
Persistence
Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified

Verdict: Malicious
File Type: elf.64.le
First seen: 2025-11-04T13:23:00Z UTC
Last seen: 2025-11-19T22:56:00Z UTC
Hits: ~100
Status: terminated
Behavior Graph (process tree and network activity recovered from the graph export):
  /usr/bin/sudo (pid 3080)
    execve /tmp/sample.bin (pid 3091) [write-file]
      clone /tmp/dockerd (pid 3093) [net, send-data, write-config, write-file, zombie]
        send 54272 B to 223.5.5.5:80
        connect to 5.255.105.69:48996
        clone /tmp/dockerd (pid 3094)
        execve /usr/bin/dash (pid 3096) -> /usr/bin/systemctl (pid 3097) -> /usr/bin/basename (pids 3099, 3101); clone /usr/bin/dash (pid 3103) -> /usr/bin/systemctl (pid 3104), /usr/bin/sed (pid 3106)
        execve /usr/bin/dash (pid 3316) -> /usr/bin/systemctl (pid 3318) -> /usr/lib/systemd/systemd-sysv-install (pid 3324) -> /usr/bin/getopt (pid 3326), /usr/sbin/update-rc.d (pids 3328, 3481) -> /usr/bin/systemctl (pids 3338, 3488)
        execve /usr/bin/dash (pid 3749)
        execve /usr/bin/dash (pid 3750) [write-config]
        execve /usr/bin/dash (pid 3752) -> /usr/sbin/sysctl (pid 3753) [write-file]
        execve /usr/bin/dash (pid 3754) [write-file]
        execve /usr/bin/dash (pid 3755) [write-config]
        execve /usr/bin/dash (pids 3757, 3758, 3895, 3896, 3898)
        execve /usr/bin/dash (pids 3760, 3804, 3817, 3832, 3843, 3849, 3874, 3878, 3881, 3886, 3890, 3908, 3949), each -> /usr/sbin/xtables-nft-multi (pids 3763, 3805, 3819, 3836, 3845, 3851, 3876, 3880, 3883, 3887, 3892, 3910, 3951)
        clone /tmp/dockerd (pid 3954) [net, send-data, write-file, zombie]
          send 1024 B to 223.5.5.5:80
          send 54 B to 195.24.237.73:80
          clone /tmp/dockerd (pid 4059)
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 56 / 100
Signature
Executes the "iptables" command to insert, remove and/or manipulate rules
Sample is packed with UPX
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Behaviour
Behavior Graph (ID 1816014; sample dockerd.elf; start date 18/11/2025; architecture LINUX; score 56), recovered from the graph export:
  Network endpoints:
    169.254.169.254:80 (USDOSUS Reserved)
    5.255.105.69 ports 46104, 46108, 46112 (LITESERVERNL, Netherlands)
    3 other IPs or domains
  Signatures at sample level: Sample is packed with UPX
  Process tree:
    dockerd.elf
      dockerd.elf
        dropped /etc/cron.d/systemhelper (ASCII) and /etc/cron.d/syshelper (ASCII) [Sample tries to persist itself using cron]
        sh -> ufw -> ufw-init -> iptables (3 shown) [Executes the "iptables" command to insert, remove and/or manipulate rules], plus 160 other processes under ufw-init, among them ip6tables -> modprobe; ufw -> iptables
        sh -> ufw -> iptables (3 shown) [Executes the "iptables" command to insert, remove and/or manipulate rules], plus 8 other processes
        sh -> ufw, plus 11 other processes
        23 other processes, including:
          sh -> systemctl -> systemd-sysv-install -> update-rc.d (2 shown) -> systemctl [Sample tries to persist itself using System V runlevels]; systemd-sysv-install -> getopt
          sh -> iptables (2 shown) [Executes the "iptables" command to insert, remove and/or manipulate rules]
          14 other processes, including 5 under which service -> systemctl and service -> sed run
    dash -> rm (2 shown)
    4 other processes
Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery execution linux persistence privilege_escalation rootkit upx
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
UPX packed file
Creates/modifies Cron job
Disables AppArmor
Disables SELinux
Enumerates running processes
Write file to user bin folder
Flushes firewall rules
Loads a kernel module
Renames itself
Please note that we are no longer able to provide a coverage score for Virus Total.
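Taken together, the three vendor reports above give a host-side hunting checklist: a process named dockerd whose executable is /tmp/dockerd rather than the real Docker daemon (the "Substitutes an application name" / "Renames itself" findings), the two /etc/cron.d drops, and TCP connections to the sandbox's remote endpoints. The Python below is an added example, not code from MalwareBazaar or from either sandbox vendor: it encodes those indicators and runs them over a constructed host snapshot, with `collect_live_procs` reading the real /proc if you want to run it on a Linux host. The names (`Proc`, `run_hunt`, and so on) and the snapshot data are mine. Two of the addresses are deliberately downgraded: 223.5.5.5 is a public DNS resolver and 169.254.169.254 is the cloud instance-metadata endpoint that many legitimate agents contact, so on their own they do not indicate this sample.

```python
"""Host-side hunt for the indicators in this entry, over a constructed snapshot.

Added example for this page. Names and sample data are the editor's, not the
vendors'. Runs offline; collect_live_procs() is the hook for a real host.
"""
from __future__ import annotations

import os
import socket
import struct
from dataclasses import dataclass

# Remote endpoints the sandboxes recorded for this sample.
C2_ADDRS = {"5.255.105.69", "195.24.237.73"}
# Also contacted, but shared infrastructure: corroborating evidence only.
CONTEXT_ADDRS = {
    "223.5.5.5": "public DNS resolver (AliDNS)",
    "169.254.169.254": "cloud instance metadata endpoint",
}
# Files the sample dropped for cron persistence.
CRON_DROPS = {"/etc/cron.d/systemhelper", "/etc/cron.d/syshelper"}
# Where a genuine Docker daemon binary lives on a typical install (assumption).
LEGIT_DOCKERD = {"/usr/bin/dockerd", "/usr/local/bin/dockerd"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str  # /proc/<pid>/comm, which the kernel truncates to 15 characters
    exe: str   # target of /proc/<pid>/exe: the file actually mapped, whatever argv[0] says


def collect_live_procs() -> list[Proc]:
    """Snapshot the running host (Linux only; root is needed to readlink every exe)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # process exited, or not readable from this uid
        procs.append(Proc(int(entry), comm, exe))
    return procs


def hunt_processes(procs: list[Proc]) -> list[tuple[int, str, str]]:
    """Flag the masquerading pattern from the sandbox run: (pid, confidence, reason)."""
    hits = []
    for p in procs:
        if p.comm == "dockerd" and p.exe not in LEGIT_DOCKERD:
            hits.append((p.pid, "high", f"'dockerd' running from {p.exe}"))
        elif p.exe.startswith(SCRATCH_DIRS):
            hits.append((p.pid, "medium", f"executable in scratch directory: {p.exe}"))
        elif os.path.basename(p.exe)[:15] != p.comm:
            # A renamed process (prctl PR_SET_NAME / argv[0] overwrite) shows up
            # here, but so do interpreted scripts (exe is the interpreter), so
            # this is a lead, not a verdict.
            hits.append((p.pid, "low", f"comm '{p.comm}' does not match exe {p.exe}"))
    return hits


def parse_proc_net_tcp(text: str) -> list[tuple[str, int, str]]:
    """Parse /proc/net/tcp: rem_address is little-endian hex IPv4 ':' hex port; st is the state."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        rem_hex, port_hex = fields[2].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(rem_hex, 16)))
        conns.append((ip, int(port_hex, 16), fields[3]))
    return conns


def hunt_connections(conns: list[tuple[str, int, str]]) -> list[tuple[str, str]]:
    hits = []
    for ip, port, state in conns:
        if ip in C2_ADDRS:
            hits.append(("high", f"connection to {ip}:{port} (state {state})"))
        elif ip in CONTEXT_ADDRS:
            hits.append(("low", f"{ip}:{port}: {CONTEXT_ADDRS[ip]}"))
    return hits


def hunt_cron(cron_dir_listing: list[str]) -> list[str]:
    """cron_dir_listing: paths under /etc/cron.d, e.g. [e.path for e in os.scandir('/etc/cron.d')]."""
    return [p for p in cron_dir_listing if p in CRON_DROPS]


# Constructed snapshot mirroring the sandbox process tree on this page (not real host data).
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(812, "dockerd", "/usr/bin/dockerd"),   # the genuine daemon: must not be flagged
    Proc(3093, "dockerd", "/tmp/dockerd"),      # the sample's process from the graph
    Proc(3096, "dash", "/usr/bin/dash"),
]

# Constructed /proc/net/tcp excerpt encoding the sandbox's remote endpoints
# (5.255.105.69:48996 = 4569FF05:BF64, 195.24.237.73:80 = 49ED18C3:0050, ...).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:B9A4 4569FF05:BF64 01 00000000:00000000 00:00000000 00000000  1000        0 20002 1 0000000000000000 20 4 30 10 -1
   2: 0A00020F:B9A6 49ED18C3:0050 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1 0000000000000000 20 4 30 10 -1
   3: 0A00020F:B9A8 050505DF:0050 01 00000000:00000000 00:00000000 00000000  1000        0 20004 1 0000000000000000 20 4 30 10 -1
   4: 0A00020F:B9AA FEA9FEA9:0050 01 00000000:00000000 00:00000000 00000000  1000        0 20005 1 0000000000000000 20 4 30 10 -1
"""

SAMPLE_CRON = ["/etc/cron.d/e2scrub_all", "/etc/cron.d/systemhelper", "/etc/cron.d/syshelper"]


def run_hunt(procs=SAMPLE_PROCS, net_tcp=SAMPLE_PROC_NET_TCP, cron=SAMPLE_CRON) -> dict:
    return {
        "processes": hunt_processes(procs),
        "connections": hunt_connections(parse_proc_net_tcp(net_tcp)),
        "cron": hunt_cron(cron),
    }


if __name__ == "__main__":
    for section, hits in run_hunt().items():
        print(section, hits)
```

On a live host, call `run_hunt(collect_live_procs(), open("/proc/net/tcp").read(), [e.path for e in os.scandir("/etc/cron.d")])` as root; unprivileged users cannot readlink /proc/<pid>/exe for other users' processes. The System V persistence (the update-rc.d chain) is not covered because the page does not name the init script the sample installs, and the firewall changes (xtables-nft-multi, ufw) are best checked with `iptables-save` against a known baseline rather than from a process list.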

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:upx_packed_elf_v1
Author:RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

elf afa3fc4bb4f6cdd9ba5ead4cd810586444b79f67303d099f16593952bf5ef8eb (this sample)

Comments