MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cef5d8528b5f37d224c259e41875edc3ab0eb784fc0d46c84c7e6beec0f31815. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 18 File information Comments

SHA256 hash: cef5d8528b5f37d224c259e41875edc3ab0eb784fc0d46c84c7e6beec0f31815
SHA3-384 hash: 13c513adfe6775962544c489a46beec589783a951d970982fc6479b2ab67b9898882a5e0f8d4981d35bd0f2826c516c1
SHA1 hash: 50b74718a84467b8c40e6ee015db65eb96d60bee
MD5 hash: 8d9735698d33f9f807fcb2d9e934106b
humanhash: magnesium-blue-utah-michigan
File name:rcuop_0
Download: download sample
File size:5'898'388 bytes
First seen:2026-06-21 06:07:32 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 49152:vynU3m2mKUSHomoqy77yNMLzteF1vyejWPcMN35Ey:vmU3m2k8voqq7yN6zti93MzEy
TLSH T111567B55BC1D7462DAC976752F7652843239BC484F82C7232A18BB7CAAF235CCF63261
gimphash e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 e3fcaaaeb43db8c988923d49758d85d8c2a06aa5da548c1251a793ee6db34d43
File size (compressed) :1'727'128 bytes
File size (de-compressed) :5'898'388 bytes
Format:linux/arm64
Packed file: e3fcaaaeb43db8c988923d49758d85d8c2a06aa5da548c1251a793ee6db34d43

Intelligence


File Origin
# of uploads :
1
# of downloads :
60
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Runs as daemon
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
base64 crypto expand golang lolbin reconnaissance
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2026-06-21T04:31:00Z UTC
Last seen:
2026-06-21T04:45:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=e6b4414b-2400-0000-59f9-499f3d140000 pid=5181 /usr/bin/sudo guuid=58e9604f-2400-0000-59f9-499f3e140000 pid=5182 /tmp/sample.bin guuid=e6b4414b-2400-0000-59f9-499f3d140000 pid=5181->guuid=58e9604f-2400-0000-59f9-499f3e140000 pid=5182 execve
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj
Score:
48 / 100
Signature
Executes the "crontab" command typically for achieving persistence
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1931430 Sample: rcuop_0.elf Startdate: 21/06/2026 Architecture: LINUX Score: 48 29 speed.cloudflare.com 162.159.140.220, 59268, 80 CLOUDFLARENET-CloudflareIncUS Canada 2->29 31 85.192.40.43, 38198, 38200, 38202 AEZA-ASRU Netherlands 2->31 9 rcuop_0.elf 2->9         started        process3 process4 11 rcuop_0.elf rcuop_0.elf 9->11         started        process5 13 rcuop_0.elf bash 11->13         started        15 rcuop_0.elf crontab 11->15         started        signatures6 18 bash crontab 13->18         started        22 bash 13->22         started        39 Executes the "crontab" command typically for achieving persistence 15->39 process7 file8 27 /var/spool/cron/crontabs/tmp.nz59bD, ASCII 18->27 dropped 33 Sample tries to persist itself using cron 18->33 35 Executes the "crontab" command typically for achieving persistence 18->35 24 bash crontab 22->24         started        signatures9 process10 signatures11 37 Executes the "crontab" command typically for achieving persistence 24->37
Threat name:
Linux.Trojan.Multiverze
Status:
Malicious
First seen:
2026-06-21 06:12:29 UTC
File Type:
ELF64 Little (Exe)
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:enterpriseapps2
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:F01_s1ckrule
Author:s1ckb017
Rule name:GoBinTest
Rule name:golang
Rule name:golang_binary_string
Description:Golang strings present
Rule name:Golang_Find_CSC846
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:identity_golang
Author:Eric Yocam
Description:find Golang malware
Rule name:ProgramLanguage_Golang
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:setsockopt
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf cef5d8528b5f37d224c259e41875edc3ab0eb784fc0d46c84c7e6beec0f31815

(this sample)

  
Delivery method
Distributed via web download

Comments