MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ded179f127ffc2cc8c7d720af6fd6a302033cefa430944ecae470248e004645f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: ded179f127ffc2cc8c7d720af6fd6a302033cefa430944ecae470248e004645f
SHA3-384 hash: 6681c2b7bee76be84e7aaa14d5535f27c9d9a23af7eb826d6f5253fc4ab7012bc6b045954c06e9b99622c436c170575a
SHA1 hash: b2c4f693b8c0aedd259972ec08a636c2d816c015
MD5 hash: a7374883c2628f7e6ecf71abf7d2f593
humanhash: fruit-table-sierra-london
File name: ded179f127ffc2cc8c7d720af6fd6a302033cefa430944ecae470248e004645f
File size: 2'214'902 bytes
First seen: 2026-07-02 10:25:40 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 49152:mh0g+/CA6dm9csOsYiACa75UXgNNaRRY/ADf/QwUQ/hrkeo6kjcQ:mh0RqXmVOfiAr5C3R3DfQGrmPr
TLSH: T1C8A5121AE941A4B4E473A0B2530FD336DC246B31916788CBFF191D69E27A2D09F2D35B
telfhash: t1213287f23e7d0ae8b3c09944d34e2b42ee0a93b7595431f705f3699532e3a419eb6835
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: JAMESWT_WT
Tags: disciplinenahidwin-st elf
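Before a downloaded copy of this sample goes into an analysis pipeline it should be checked against every hash the entry lists, not just MD5 or SHA1. The script below is an added example (not MalwareBazaar's code): it reads the file once, feeds all four digests from the same chunks, and fails on any mismatch, including the byte count. The sample path on the command line is an assumption.

```python
"""Check that a downloaded copy of this sample matches the hashes listed
in the entry before it goes into an analysis pipeline.  Added example,
not MalwareBazaar code; the sample path in the usage line is an
assumption."""
import hashlib
import io

# Values copied from the entry above.
ENTRY_HASHES = {
    "sha256": "ded179f127ffc2cc8c7d720af6fd6a302033cefa430944ecae470248e004645f",
    "sha3_384": "6681c2b7bee76be84e7aaa14d5535f27c9d9a23af7eb826d6f5253fc4ab7012bc6b045954c06e9b99622c436c170575a",
    "sha1": "b2c4f693b8c0aedd259972ec08a636c2d816c015",
    "md5": "a7374883c2628f7e6ecf71abf7d2f593",
}
ENTRY_SIZE = 2_214_902

ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def hash_stream(stream, chunk_size=1 << 20):
    """Read the stream once and feed every digest from the same chunks.
    Returns (byte_count, {algorithm: hex_digest})."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data))


def check(size, digests, expected=ENTRY_HASHES, expected_size=ENTRY_SIZE):
    """Compare every listed hash plus the byte count; one mismatch fails the sample.
    Returns (ok, report) with report mapping each check to True/False."""
    report = {name: digests[name] == value.lower() for name, value in expected.items()}
    report["size"] = size == expected_size
    return all(report.values()), report


def verify_bytes(data, expected=ENTRY_HASHES, expected_size=ENTRY_SIZE):
    return check(*hash_bytes(data), expected, expected_size)


def verify_file(path, expected=ENTRY_HASHES, expected_size=ENTRY_SIZE):
    with open(path, "rb") as f:
        size, digests = hash_stream(f)
    return check(size, digests, expected, expected_size)


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py /path/to/extracted/sample   (path is an assumption)
    ok, report = verify_file(sys.argv[1])
    for name, matched in report.items():
        print(f"{name:9} {'OK' if matched else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

MalwareBazaar serves samples inside a password-protected ZIP, so hash the extracted file, not the archive, and do the extraction only on an isolated analysis host.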

Intelligence

File Origin
# of uploads: 1
# of downloads: 50
Origin country: IT

Vendor Threat Intelligence
No detections

Result
Verdict: Malware
Behaviour
Runs as daemon
Sets a written file as executable
Creating a file in the %temp% directory
Deleting a recently created file
Launching a process
Creating a process from a recently created file
Connection attempt
Creating a file
Changes the time when the file was created, accessed, or modified
Changes access rights for a written file
DNS request
Substitutes an application name
Creates or modifies files in /cron to set up autorun
Creates or modifies files in /init.d to set up autorun
Deleting of the original file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin mirai rust

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: true
Architecture: x86
Packer: custom
Botnet: unknown
Number of open files: 101
Number of processes launched: 13
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour
Anti-VM
Persistence
Process Renaming
Information Gathering
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified

Verdict: Malicious
File Type: elf.32.le
First seen: 2026-06-01T08:12:00Z UTC
Last seen: 2026-06-30T19:18:00Z UTC
Hits: ~10
Status: terminated

Behavior Graph (the process tree recovered from the graph data; "memfd:" marks a process whose executable image lives in an anonymous memfd rather than in a file on disk):

pid 3582  /usr/bin/sudo
  execve -> pid 3594  memfd:  [write-file, delete-file]
    clone -> pid 3612, 3613, 3614, 3615, 3616, 3617  memfd:
    clone -> pid 3618  memfd:
      clone -> pid 3622  memfd:
        clone -> pid 3623  memfd:  [dns, net, send-data, write-file]
          con  -> disciplinenahidwin.st:1337
          con  -> 176.65.139.191:1337
          send -> 9.9.9.9:53 (174 B)
          send -> 8.8.8.8:53 (174 B)
          send -> 1.1.1.1:53 (57 B)
          send -> 208.67.222.222:53 (57 B)
          send -> 10.0.2.3:53 (684 B)
          clone -> pid 3624  memfd:
          clone -> pid 3625  memfd:
          clone -> pid 3626  memfd:  [write-file, delete-file]
            clone -> pid 5202, 5203, 5204, 5205, 5206, 5207, 5215, 5216, 5217, 5218, 5219, 5220  memfd:

Of the five DNS destinations only 10.0.2.3 is a private-range address; 9.9.9.9, 8.8.8.8, 1.1.1.1 and 208.67.222.222 are public resolvers, which is the "Unexpected DNS network traffic destination" behaviour reported further down.
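The graph gives three network indicators worth hunting for: the C2 hostname and IP:port the sample connected to, the port itself, and DNS sent directly to public resolvers instead of the local one. The script below is an added example, not MalwareBazaar's or any sandbox's code; it matches those indicators against connection records in a simple constructed CSV layout (timestamp, source, destination, port, protocol, optional query name). The layout, the sample lines and the CONFIGURED_RESOLVERS value are assumptions to be replaced with your own log format and resolvers.

```python
"""Match the network indicators in the behaviour graph above against
connection records.  Added example, not MalwareBazaar's or any sandbox's
code; the CSV record layout, the sample lines and CONFIGURED_RESOLVERS
are assumptions."""

# Indicators taken from the behaviour graph: the C2 name and IP:port the
# sample connected to, and the port it used.
C2_DOMAINS = {"disciplinenahidwin.st"}
C2_ENDPOINTS = {("176.65.139.191", 1337)}
C2_PORTS = {1337}
# The sandbox's own resolver was 10.0.2.3; the sample also sent DNS straight
# to public resolvers.  Replace with your network's resolvers (assumption).
CONFIGURED_RESOLVERS = {"10.0.2.3"}


def parse_records(text):
    """Parse 'ts,src,dst,dport,proto,query' lines (constructed format)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, query = (line.split(",") + [""])[:6]
        records.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                        "proto": proto.lower(),
                        "query": query.strip().lower().rstrip(".")})
    return records


def match_record(rec):
    """Reasons a single record matches the entry's indicators (may be several)."""
    hits = []
    if (rec["dst"], rec["dport"]) in C2_ENDPOINTS:
        hits.append("c2_endpoint")
    elif rec["proto"] == "tcp" and rec["dport"] in C2_PORTS:
        hits.append("c2_port")              # weaker: same unusual port, other host
    if rec["query"] in C2_DOMAINS:
        hits.append("c2_domain_lookup")
    if rec["dport"] == 53 and rec["dst"] not in CONFIGURED_RESOLVERS:
        hits.append("dns_resolver_bypass")  # 'Unexpected DNS network traffic destination'
    return hits


def scan(text):
    """Return (ts, src, dst, dport, hits) for every matching record, in log order."""
    alerts = []
    for rec in parse_records(text):
        hits = match_record(rec)
        if hits:
            alerts.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], hits))
    return alerts


# Constructed sample traffic (not captured from the sandbox run).
SAMPLE_LOG = """\
# ts,src,dst,dport,proto,query
1719863400,10.0.2.15,10.0.2.3,53,udp,disciplinenahidwin.st
1719863401,10.0.2.15,9.9.9.9,53,udp,disciplinenahidwin.st.
1719863402,10.0.2.15,176.65.139.191,1337,tcp
1719863403,10.0.2.15,203.0.113.5,443,tcp
1719863404,10.0.2.15,1.1.1.1,53,udp,example.com
1719863405,10.0.2.15,203.0.113.9,1337,tcp
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

The port-only match is deliberately kept separate from the endpoint match: port 1337 alone is a weak signal and should be triaged, not blocked, whereas a lookup of the C2 name or a connection to the listed IP:port is a direct hit.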
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2026-06-01 12:55:54 UTC
File Type: ELF32 Little (Exe)
AV detection: 13 of 36 (36.11%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: credential_access defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Changes its process name
Reads process memory
Creates/modifies Cron job
Enumerates running processes
Modifies init.d
Reads MAC address of network interface
Deletes itself
Runs EXE from memory
Unexpected DNS network traffic destination
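Three of the traits the sandboxes report ("Runs EXE from memory", "Deletes itself", "Changes its process name", and the equivalent entries in the earlier behaviour list) are visible from /proc on a live Linux host: an executable backed by a memfd shows up as a /memfd: link target, a deleted binary gets a " (deleted)" suffix on /proc/PID/exe, and a renamed process has a comm and argv[0] that no longer agree with its executable. The script below is an added example (not MalwareBazaar's or any sandbox's code); the record layout, the constructed records and the name-matching heuristic are assumptions, and the heuristic tolerates interpreters and login shells rather than trying to be exact.

```python
"""Host triage for the execution traits the sandboxes reported above:
code run from a memfd, a binary deleted after launch, and a process
name that does not match its executable.  This is an added example,
not MalwareBazaar's or any sandbox's code; the record layout and the
name-matching heuristic are assumptions."""
import os

DELETED = " (deleted)"   # suffix the kernel appends to readlink(/proc/PID/exe)


def _exe_base(exe):
    """Basename of the executable path as the kernel reports it."""
    path = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
    return os.path.basename(path)


def name_mismatch(exe_base, comm, argv0):
    """True when neither comm nor argv[0] is consistent with the executable.
    comm is truncated to 15 bytes by the kernel; interpreters and login
    shells (argv[0] like '-bash', or 'python3' for python3.10) are tolerated."""
    if not exe_base or exe_base.startswith("memfd:"):
        return False                      # nothing on disk to compare against
    comm_ok = comm == exe_base[:15]
    argv_base = os.path.basename(argv0.lstrip("-")) if argv0 else exe_base
    argv_ok = argv_base.startswith(exe_base) or exe_base.startswith(argv_base)
    return not (comm_ok or argv_ok)


def classify(rec):
    """rec has pid, exe (readlink /proc/PID/exe), comm, argv0.
    Returns the traits matched, in a fixed order."""
    traits = []
    exe = rec["exe"]
    if "memfd:" in exe:
        traits.append("exec_from_memfd")          # 'Runs EXE from memory'
    if exe.endswith(DELETED):
        traits.append("exe_deleted_on_disk")      # 'Deletes itself'
    if name_mismatch(_exe_base(exe), rec["comm"], rec["argv0"]):
        traits.append("process_name_mismatch")    # 'Changes its process name'
    return traits


def read_proc(pid):
    """Collect one record from /proc; None for vanished or unreadable PIDs."""
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
        with open(f"/proc/{pid}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0")[0].decode(errors="replace")
    except OSError:
        return None
    return {"pid": pid, "exe": exe, "comm": comm, "argv0": argv0}


def scan_proc():
    """Walk /proc and return (pid, exe, traits) for every process that matched."""
    hits = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        rec = read_proc(int(name))
        if rec:
            traits = classify(rec)
            if traits:
                hits.append((rec["pid"], rec["exe"], traits))
    return hits


# Constructed records illustrating each trait (not captured from a real host).
SAMPLE_RECORDS = [
    {"pid": 3623, "exe": "/memfd:syslogd (deleted)", "comm": "syslogd", "argv0": "/usr/sbin/syslogd"},
    {"pid": 1300, "exe": "/tmp/.cache (deleted)", "comm": "httpd", "argv0": "/usr/sbin/httpd"},
    {"pid": 1400, "exe": "/usr/bin/python3.10", "comm": "python3", "argv0": "python3"},
    {"pid": 1500, "exe": "/usr/bin/bash", "comm": "bash", "argv0": "-bash"},
    {"pid": 1200, "exe": "/usr/sbin/sshd", "comm": "sshd", "argv0": "sshd: /usr/sbin/sshd -D [listener]"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["pid"], classify(rec))
    for pid, exe, traits in scan_proc():
        print("LIVE", pid, exe, traits)
```

Run it as root, since /proc/PID/exe of other users' processes is only readable with CAP_SYS_PTRACE; a hit on exec_from_memfd or a deleted executable is worth dumping from /proc/PID/exe (the link still opens the image) before the process is killed, since the sandboxes note the on-disk copy is removed.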
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: win_rust_hunt

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments