MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0b25d94a4ce13959db8529e67fa22ae4c60a923e7dfc5a96954f971c80f9760. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DDoSAgent


Vendor detections: 5



SHA256 hash: d0b25d94a4ce13959db8529e67fa22ae4c60a923e7dfc5a96954f971c80f9760
SHA3-384 hash: a1e620df6fa9b0a5abe2c2ad5a1f891121a64223728d53f9171e28dde33e257c5b048f963bdf7e56b037b912963b0969
SHA1 hash: d6565d831b270431378c83d5a5d258827752b715
MD5 hash: d909902e646f1a38c67b1a4fd51c56bf
humanhash: five-wisconsin-west-maryland
File name: aarch64-linux-gnu
Signature: DDoSAgent
File size: 664'432 bytes
First seen: 2026-01-16 17:16:40 UTC
Last seen: 2026-01-16 18:41:06 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 12288:InYSXsOUlk8qldM/TOMU8yeEaGaH/2tarIfeMEy5Fv3C:eYSXsfkddUH/Emf2Qia
TLSH: T16EE49E58BB8E7D43D3C7F33DDF4A86B1322BB5E9D322C2A27401521DD4C29A9CEA1651
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: DDOSAgent elf

Intelligence


File Origin
# of uploads: 2
# of downloads: 78
Origin country: DE

Vendor Threat Intelligence

No detections
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: gcc rust

Verdict: Unknown
File Type: elf.64.le
First seen: 2026-01-16T14:35:00Z UTC
Last seen: 2026-01-16T14:38:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph: /usr/bin/sudo (pid 3170) --execve--> /tmp/sample.bin (pid 3174)
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 80 / 100

Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Sample deletes itself
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Writes identical ELF files to multiple locations

Behaviour
Behavior Graph (ID 1852232; sample aarch64-linux-gnu.elf; start date 16/01/2026; architecture LINUX; score 80). Information recoverable from the graph:
Process tree: aarch64-linux-gnu.elf starts further copies of itself and sh; sh runs systemctl, ps and awk. ifconfig_xxs.cfg is started via systemd and starts further ifconfig_xxs.cfg processes; many additional processes are summarised in the graph as "other processes".
Dropped files: /usr/local/bin/ifconfig_xxs.cfg (ELF), /etc/rc.local (ASCII), /boot/ifconfig_xxs.cfg (ELF)
Signatures attached to graph nodes: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Sample tries to set files in /etc globally writable; Writes identical ELF files to multiple locations; Sample tries to persist itself using System V runlevels; Sample deletes itself
Threat name: Linux.Trojan.DDOSAgent
Status: Malicious
First seen: 2026-01-16 17:17:29 UTC
File Type: ELF64 Little (Exe)
AV detection: 10 of 24 (41.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: linux

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: malwareelf55503

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: DDoSAgent
Sample: elf d0b25d94a4ce13959db8529e67fa22ae4c60a923e7dfc5a96954f971c80f9760 (this sample)

Delivery method
Distributed via web download

Comments