MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcf5df996a112e892bae324b5e3c0664ad4d4f9f473494bcaad1cac3adedb512. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9



SHA256 hash: dcf5df996a112e892bae324b5e3c0664ad4d4f9f473494bcaad1cac3adedb512
SHA3-384 hash: 970fc54ce518b40562f079927b27f96de8a43326200ddffdae2cf6aeea276d26f55d309b19246d8c3bdaaae052bac3d9
SHA1 hash: a722e38c9037a5987879f466ed5a1072da09dedf
MD5 hash: ac31366e73452db51ad3ae296ac12add
humanhash: princess-yankee-johnny-muppet
File name: linux_amd64
File size: 1'987'020 bytes
First seen: 2026-03-20 07:29:48 UTC
Last seen: 2026-03-23 01:50:19 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 49152:GmroGOaGwi/EpVep0RDT0MF7uuwC0XGJiYr7r2YN:GmDhGwiA0MFVwJwiYrf2YN
TLSH: T1119533A6BD460DB0F44D188F5D7DC94611F32592DAA0B3641EA3CFEAB0B8ADB8374147
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf UPX
File size (compressed): 1'987'020 bytes
File size (de-compressed): 5'259'264 bytes
Format: linux/amd64
Unpacked file: 48bb77a7a55300ad0acdac1e8d80f3afd68e143cd5bb6512c7e6f71a554544bf

Intelligence


File Origin
# of uploads: 4
# of downloads: 93
Origin country: DE

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Deleting a recently created file
Launching a process
Creating a file in the %temp% directory
Manages services
Creating a file
Runs as daemon
Creating a process from a recently created file
Changes the time when the file was created, accessed, or modified
Deletes a system binary file
Writes files to system directory
Creates or modifies files in /init.d to set up autorun
Creates or modifies symbolic links in /init.d to set up autorun
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm crypto expand lolbin obfuscated packed upx

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: UPX
Botnet: unknown
Number of open files: 1
Number of processes launched: 4
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Status: terminated
Behavior Graph:
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj.evad
Score: 80 / 100
Signature
Drops files in suspicious directories
Drops invisible ELF files
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample is packed with UPX
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Writes ELF files to hidden directories
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph:
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2026-03-20 07:30:35 UTC
File Type: ELF64 Little (Exe)
AV detection: 8 of 38 (21.05%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: defense_evasion discovery linux persistence privilege_escalation upx
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Modifies Bash startup script
UPX packed file
Creates/modifies environment variables
Modifies init.d
Modifies rc script
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: GoBinTest

Rule name: golang_binary_string
Description: Golang strings present

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: ProgramLanguage_Golang
Author: albertzsigovits
Description: Application written in Golang programming language

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: SUSP_ELF_LNX_UPX_Compressed_File
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious ELF binary with UPX compression
Reference: Internal Research

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: upx_packed_elf_v1
Author: RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
elf dcf5df996a112e892bae324b5e3c0664ad4d4f9f473494bcaad1cac3adedb512 (this sample)

Delivery method: Distributed via web download

Comments