MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dda48f848e61cdb3cbe480e5808c3573a0d5c49c034fd5f95b8fbf39f50226b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BillGates


Vendor detections: 8



SHA256 hash: dda48f848e61cdb3cbe480e5808c3573a0d5c49c034fd5f95b8fbf39f50226b9
SHA3-384 hash: a447f1efb04841b50091b6688350dc4960ca43a093993e06d8ea958e8b8cf2114b4dd0ff97217f0cbee133d8e30c5708
SHA1 hash: c0057f9bac18d814c34a7d30aecb3b48c070d643
MD5 hash: 45e55aea0a12696f193d29ed1d5319b5
humanhash: twenty-ack-fourteen-edward
File name: kal32
Signature: BillGates
File size: 2'744'472 bytes
First seen: 2026-02-24 08:24:59 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 49152:ES2xjAKkR45vRVJKGtSA0VWeoZu9puiKMl:12xjbkaRVJK0SzVWXu9pxKI
TLSH: T1D3C56D11FDC68CF2D4071A71005FA27B52319E1A5B26DA87EA48FE38FB375815A3632D
telfhash: t15e4249b3297598f877f04901826b7120ca36e03b26e0397119f3a491e7b2f539b76d78
gimphash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: juroots
Tags: BillGates elf

Intelligence


File Origin
# of uploads :
1
# of downloads :
77
Origin country :
US
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Collects information on the OS
Deleting a recently created file
Sends data to a server
Collects information on the RAM
Launching a process
Connection attempt
Creates directories in a system directory
DNS request
Sets a written file as executable
Collects information on the CPU
Collects information on the network activity
Runs as daemon
Creating a process from a recently created file
Creating a file in the %temp% directory
Locks files
Writes files to system directory
Replaces system binary files
Writes files to system subdirectory
Creates or modifies files in /init.d to set up autorun
Creates or modifies symbolic links in /init.d to set up autorun
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
1
Number of processes launched:
4
Processes remaining?
false
Remote TCP ports scanned:
not identified
Behaviour
Persistence
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Gathering data
Status:
terminated
Behavior Graph:
Threat name:
Linux.Trojan.Elknot
Status:
Malicious
First seen:
2026-02-22 08:58:35 UTC
File Type:
ELF32 Little (Exe)
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Result
Malware family:
billgates
Score:
  10/10
Tags:
family:billgates botnet discovery linux
Behaviour
Enumerates kernel/hardware configuration
Executes dropped EXE
BillGates
Billgates family
Detects BillGates payload
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectGoMethodSignatures
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:F01_s1ckrule
Author:s1ckb017
Rule name:GoBinTest
Rule name:golang
Rule name:golang_binary_string
Description:Golang strings present
Rule name:Golang_Find_CSC846
Author:Ashar Siddiqui
Description:Find Go Signatures
Rule name:Golang_Find_CSC846_Simple
Author:Ashar Siddiqui
Description:Find Go Signatures
Rule name:identity_golang
Author:Eric Yocam
Description:find Golang malware
Rule name:ldpreload
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:LinuxBillGates
Rule name:Linux_Trojan_Ganiw_b9f045aa
Author:Elastic Security
Rule name:Linux_Trojan_Setag_01e2f79b
Author:Elastic Security
Rule name:Linux_Trojan_Setag_351eeb76
Author:Elastic Security
Rule name:ProgramLanguage_Golang
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:Rooter
Author:Seth Hardy
Description:Rooter
Rule name:RooterStrings
Author:Seth Hardy
Description:Rooter Identifying Strings
Rule name:setsockopt
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:telebot_framework
Author:vietdx.mb
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BillGates

elf dda48f848e61cdb3cbe480e5808c3573a0d5c49c034fd5f95b8fbf39f50226b9

(this sample)

Delivery method
Distributed via web download

Comments