MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b514a5a8eafbcda97058ae5c1cb674e76a80978ff1102404d52f24bcf5525835. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: b514a5a8eafbcda97058ae5c1cb674e76a80978ff1102404d52f24bcf5525835
SHA3-384 hash: 22d17858ae1985ef15f6852ea9cd6a410c7b44680b31647d6501347c7ec4c2bb854305831ca01a3375a3265b1500b525
SHA1 hash: 93c03fafd6dbdb3f9d23a269631ab9588a105959
MD5 hash: fbd9d24779e084c35ee963a8cc8b3546
humanhash: tango-twenty-diet-oscar
File name: bot.armv4l
File size: 82'356 bytes
First seen: 2026-05-13 23:14:08 UTC
Last seen: 2026-05-14 00:18:33 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 1536:E9CnrNjY9Tvj2Qkx3mFMg7L68woSCD8PyKdlQfS7:rqdj293mxG8L857Qq7
TLSH: T1D483D692FE81CD52C9D838BAF91F42DC3347036CC3EE75019E129A3566DF5994A3AE44
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence


File Origin
# of uploads: 3
# of downloads: 45
Origin country: DE
Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: rust

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: arm
Packer: not packed
Botnet: unknown
Number of open files: 0
Number of processes launched: 0
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour: no suspicious findings
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified

Result
Gathering data
Verdict: Malicious
File Type: elf.32.le
First seen: 2026-05-13T18:19:00Z UTC
Last seen: 2026-05-13T19:43:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph: /usr/bin/sudo (pid 3254) execve /tmp/sample.bin (pid 3260); graph rendering omitted.

Result
Threat name: Mirai, Gafgyt
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Detected Mirai
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to kill a massive number of system processes
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Yara detected Gafgyt
Behaviour
Behavior Graph: Behavior Graph ID 1913233; Sample: bot.armv4l.elf; Startdate: 14/05/2026; Architecture: LINUX; Score: 100. Process-tree rendering omitted; the signatures and dropped-file findings it shows are listed under Signature above.

Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery execution persistence privilege_escalation
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Creates/modifies Cron job
Enumerates running processes
Modifies init.d
Modifies rc script
Modifies systemd
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ELF_IoT_Persistence_Hunt
Author: 4r4
Description: Hunts for ELF files with persistence and download capabilities

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
elf b514a5a8eafbcda97058ae5c1cb674e76a80978ff1102404d52f24bcf5525835 (this sample)
Delivery method: Distributed via web download
