MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b814be65fb39f770520cf4c411a7bbf24cdb62c9d72ea49f6a0d7036d835cffa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1

SHA256 hash: b814be65fb39f770520cf4c411a7bbf24cdb62c9d72ea49f6a0d7036d835cffa
SHA3-384 hash: b9cde166be907de01294c3b03ba3dea7ba6e543a24d7f3b887a8ad130befced2ba0c102863c2a1e16565ccf5aff8f3ab
SHA1 hash: 88855157e994363712bbccf8656d6bafc195ae0d
MD5 hash: 6d849ce3474d79f69d4d7064016e2fec
humanhash: delta-monkey-zebra-wolfram
File name:b814be65fb39f770520cf4c411a7bbf24cdb62c9d72ea49f6a0d7036d835cffa.elf
Download: download sample
File size:35'200 bytes
First seen:2026-06-24 14:28:47 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 768:GfI4zlmuIruFUZ+47HU49oc2UIFCPI1St0N:ABEZ57049bI8PGQ2
TLSH T124F2E144BE7482CBCD84DC3E1E9C1735E6BE9A11BE05803083E45275DBB3DA1DAB3295
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter kejult
Tags:elf UPX


Avatar
Kejult
Found on Honeypot on 24.06.2026

Intelligence


File Origin
# of uploads :
1
# of downloads :
79
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
UPX
Botnet:
unknown
Number of open files:
0
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Status:
terminated
Behavior Graph:
%3 guuid=2268fe4b-1900-0000-f095-d4fa2e140000 pid=5166 /usr/bin/sudo guuid=0be7204f-1900-0000-f095-d4fa2f140000 pid=5167 /tmp/sample.bin guuid=2268fe4b-1900-0000-f095-d4fa2e140000 pid=5166->guuid=0be7204f-1900-0000-f095-d4fa2f140000 pid=5167 execve
Threat name:
Linux.Trojan.Egairtigado
Status:
Malicious
First seen:
2026-06-24 14:25:38 UTC
File Type:
ELF32 Big (Exe)
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Packer_Patched_UPX_62e11c64
Author:Elastic Security
Reference:https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments



Avatar
commented on 2026-06-24 14:44:34 UTC

Captured by T-Pot honeypot. Linux MIPS big-endian ELF, UPX/modified UPX packed. Public sandboxes show limited dynamic behavior, but AV/static detections indicate generic IoT botnet / Backdoor / Mirai-like malware. Family attribution not fully confirmed. It is 100% Malware.