MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0c671fbd0aee71fe1bca46e5c2515aad12e0a2a9739d8741815b8ec7cc8c84c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: b0c671fbd0aee71fe1bca46e5c2515aad12e0a2a9739d8741815b8ec7cc8c84c
SHA3-384 hash: f2f32e5b937d2247c0afaa8fe9a9e5887da5b073099594d4b7593a0b551f14393a962c863860f36271e9ddc5e9f67ab4
SHA1 hash: 12cca0762764f6894239fffbe79658c98f156188
MD5 hash: 87680e46475a7c68a05f3550824b0ab3
humanhash: lion-fruit-texas-jersey
File name: b0c671fbd0aee71fe1bca46e5c2515aad12e0a2a9739d8741815b8ec7cc8c84c
Download: download sample
File size: 2'214'902 bytes
First seen: 2026-07-02 10:24:48 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep 49152:mh0g+/CA6dmRGsyhTT2arZOrbOz8vOIVDlmtjHdibPcJj0n:mh0RqXmPyhG4OHfGIVDo9dzJj4
TLSH T178A5121AE9126479E07360B2534FE37BC8346A34551789CBFF6A2D68A53A3C09F2C357
telfhash t1213287f23e7d0ae8b3c09944d34e2b42ee0a93b7595431f705f3699532e3a419eb6835
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter JAMESWT_WT
Tags: disciplinenahidwin-st elf

Intelligence


File Origin
# of uploads :
1
# of downloads :
48
Origin country :
IT
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
DNS request
Deleting a recently created file
Changes the time when the file was created, accessed, or modified
Creating a file in the %temp% directory
Changes access rights for a written file
Creating a process from a recently created file
Sets a written file as executable
Connection attempt
Runs as daemon
Launching a process
Creates or modifies files in /cron to set up autorun
Substitutes an application name
Creates or modifies files in /init.d to set up autorun
Deleting of the original file
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
true
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
136
Number of processes launched:
13
Processes remaining?
true
Remote TCP ports scanned:
not identified
Behaviour
Anti-VM
Persistence
Process Renaming
Information Gathering
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-06-01T08:12:00Z UTC
Last seen:
2026-06-30T19:18:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
Threat name:
Linux.Trojan.Multiverze
Status:
Malicious
First seen:
2026-06-01 12:55:53 UTC
File Type:
ELF32 Little (Exe)
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
credential_access defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Changes its process name
Reads process memory
Creates/modifies Cron job
Enumerates running processes
Modifies init.d
Reads MAC address of network interface
Deletes itself
Runs EXE from memory
Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ProgramLanguage_Rust
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:win_rust_hunt

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments