MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cce39443ca963b283dc95b1cb6b1286d19c0f6705f48755a3b6a442f16f2e40b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: cce39443ca963b283dc95b1cb6b1286d19c0f6705f48755a3b6a442f16f2e40b
SHA3-384 hash: 7588e44ce55170a1d98ce4d8db60fbf36e39dc87ec67189ff2558d1b46d869fc5732f14e8fb9c6751d3b206ddd89aa61
SHA1 hash: 46a89a20a5b0d1c5e8609cfb2e33c226717cd1cf
MD5 hash: 6ada6aaa8e380fc78e69a0ddbea880a5
humanhash: quiet-washington-island-delaware
File name: x6.pdf
File size: 54'464 bytes
First seen: 2026-01-25 06:46:46 UTC
Last seen: 2026-01-25 11:23:21 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 768:MIHlRwJ4vtvaSyedC8pkxpYgrSghD73OoUEr+4:M2laJ4vh1LQ8expxB7OOr+
TLSH: T19B330B07A59360FDC29FD474876B96376D32B89503343F7B2B98ED311E60E612AADB10
telfhash: t119114cb156a638e1f29bd921a71df030c975297350d03af1ebb5bee4ef21f801a91c15
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence


File Origin
# of uploads: 3
# of downloads: 46
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm gcc masquerade
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 12
Number of processes launched: 6
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour
Persistence
Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Result
Gathering data
Verdict: Unknown
File Type: elf.64.le
First seen: 2026-01-25T00:32:00Z UTC
Last seen: 2026-01-25T00:38:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph (process tree recovered from the graph data; node labels show process flags):
  pid 3215 /usr/bin/sudo
    -> execve pid 3220 /tmp/sample.bin [write-file]
      -> execve pid 3221 /usr/bin/dash
        -> clone pid 3223 /usr/bin/dash
          -> clone pid 3225 /usr/bin/dash
          -> execve pid 3226 /usr/bin/grep
        -> clone pid 3224 /usr/bin/dash
      -> execve pid 3228 /usr/bin/dash
        -> execve pid 3229 /usr/bin/mkdir
      -> execve pid 3230 /usr/bin/dash [write-file]
      -> execve pid 3231 /usr/bin/dash [write-file]
      -> execve pid 3232 /usr/bin/dash
        -> execve pid 3233 /usr/bin/systemctl [write-file]
      -> clone pid 3234 /tmp/sample.bin [write-file, zombie]
        -> execve pid 3235 memfd:udevr [mprotect-exec, write-file]
          -> execve pid 3236 /usr/bin/dash
            -> clone pid 3237 /usr/bin/dash
              -> clone pid 3239 /usr/bin/dash
              -> execve pid 3240 /usr/bin/grep
            -> clone pid 3238 /usr/bin/dash
          -> execve pid 3241 /usr/bin/dash
            -> execve pid 3242 /usr/bin/mkdir
          -> execve pid 3243 /usr/bin/dash [write-file]
          -> execve pid 3245 /usr/bin/dash [write-file]
          -> execve pid 3246 /usr/bin/dash
            -> execve pid 3247 /usr/bin/systemctl [write-file]
          -> execve pid 3249 /usr/bin/dash
            -> execve pid 3250 /usr/bin/grep
          -> execve pid 3253 /usr/bin/dash
          -> execve pid 3254 /usr/bin/dash
            -> execve pid 3256 /usr/bin/curl [net, send-data]
              -> 77.90.185.76:80 (send: 83B)
          -> clone pid 3345 memfd:udevr [net, send-data, zombie]
            -> 77.90.185.76:110 (send: 3164B)
            -> clone pid 3347 memfd:udevr
            -> clone pid 3348 memfd:udevr [zombie]
            -> clone pid 3349 memfd:udevr [zombie]
            -> clone pid 3350 memfd:udevr [zombie]
            -> clone pid 3351 memfd:udevr [zombie]
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 56 / 100
Signatures
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample tries to persist itself using cron
Searches for VM related strings in files or piped streams (probably for evasion)
Behaviour
Behavior Graph (summary recovered from the graph data):
  Behavior Graph ID: 1857089
  Sample: x6.pdf.elf
  Start date: 25/01/2026
  Architecture: LINUX
  Score: 56
  Network contacts: 109.202.202.202:80 (INIT7CH, Switzerland); 91.189.91.42:443 (CANONICAL-ASGB, United Kingdom); 2 other IPs or domains
  Process activity: x6.pdf.elf started; dash rm (2x); python3.8 dpkg; x6.pdf.elf -> x6.pdf.elf / sh (several) and 3 other processes; x6.pdf.elf -> exe (many instances) -> sh -> crontab / grep / mkdir / systemctl; 99, 77 and 26 other processes at the deeper levels
  Dropped files (ASCII): /root/.bashrc; /var/spool/cron/crontabs/tmp.VDjksi, tmp.509H7k, tmp.TrBM4F, tmp.YScdUQ, tmp.0pGvJ6, tmp.jSHIi6, tmp.znzxzl, tmp.rIjGgZ, tmp.oWYBD3; 9 other malicious files
  Signatures attached to these nodes: Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions; Sample tries to persist itself using cron; Executes the "crontab" command typically for achieving persistence; Searches for VM related strings in files or piped streams (probably for evasion)
Result
Malware family: n/a
Score: 7/10
Tags: antivm discovery execution linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads CPU attributes
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Reads hardware information
Runs EXE from memory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: elf cce39443ca963b283dc95b1cb6b1286d19c0f6705f48755a3b6a442f16f2e40b (this sample)

Delivery method: Distributed via web download

Comments