MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df1765629fd2968e5dab6530712477ed728a56a59310ad225d25eb046fdf357c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
Threat: unknown
Vendor detections: 8

SHA256 hash: df1765629fd2968e5dab6530712477ed728a56a59310ad225d25eb046fdf357c
SHA3-384 hash: 349c2983bffacf445e6e4e52647c886fecbb27b64cc16f0812cdbb82967a4a56abf35bf56111ec4924d38c32ee0dd6d0
SHA1 hash: e037a6e5f2e010f396932a0496549322f8d6ec3a
MD5 hash: b8a04bd450a0e75ef46c11ba49a5f354
humanhash: nevada-juliet-april-jupiter
File name: x86_64
File size: 2'450'924 bytes
First seen: 2026-02-25 16:12:05 UTC
Last seen: 2026-02-25 16:24:09 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 49152:kvPZwgMyltjd0cxCGz3vq9QceT7UbsDxFdrs6+RGz:kvqgTTjNkyTHDxbr9rz
TLSH: T199B533341E0131ABEF3F704A6A2E86DA7A45FEC3345CAA38484317AF5105B914ED5FB2
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf UPX
File size (compressed): 2'450'924 bytes
File size (de-compressed): 8'443'816 bytes
Format:linux/amd64
Unpacked file: 28beeb84738834b6c91be39dceee8a0d7e68e9c84d0e66ed4b77e0e84baa4a28

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 67
Origin country: DE
Vendor Threat Intelligence
No detections
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt
Changes access rights for a written file
Sends data to a server
Launching a process
Creating a file in the %temp% directory
Collects information on the CPU
Receives data from a server
Creating a file
Collects information on the OS
Runs as daemon
Creating a process from a recently created file
Changes the time when the file was created, accessed, or modified
Creates or modifies files in /cron to set up autorun
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: UPX
Botnet: unknown
Number of open files: 63
Number of processes launched: 13
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Status: terminated
Behavior Graph:
Process tree (reconstructed from the sandbox graph; edges are labelled with the syscall that created the child):
pid 2660 /usr/bin/sudo
  execve -> pid 2671 /tmp/sample.bin (mprotect-exec)
    clone  -> pid 2768 /tmp/sample.bin
    clone  -> pid 2769 /tmp/sample.bin
    clone  -> pid 2777 /tmp/sample.bin
    clone  -> pid 2778 /tmp/sample.bin
    clone  -> pid 2779 /tmp/sample.bin
    execve -> pid 2790 /tmp/sample.bin (mprotect-exec, zombie)
      clone  -> pid 2841 /tmp/sample.bin (zombie)
      clone  -> pid 2842 /tmp/sample.bin
      clone  -> pid 2843 /tmp/sample.bin
      clone  -> pid 2848 /tmp/sample.bin
      clone  -> pid 2849 /tmp/sample.bin
      clone  -> pid 2855 /tmp/sample.bin (write-file, zombie)
        clone  -> pid 2858 /tmp/sample.bin
        execve -> pid 2859 /usr/bin/pgrep
      clone  -> pid 2856 /tmp/sample.bin
Result
Threat name: n/a
Detection: malicious
Classification: troj
Score: 56 / 100
Signature
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Behavior Graph ID: 1874836; Sample: x86_64.elf; Startdate: 25/02/2026; Architecture: LINUX; Score: 56
Network contacts (reconstructed from the sandbox graph):
  5.59.248.236, 443, 59716 (METRO-SET-AS Metroset Autonomous System, RU; Czech Republic)
  speed.cloudflare.com 172.66.0.218, 48160, 80 (CLOUDFLARENET, US; United States)
Process tree (reconstructed from the sandbox graph):
x86_64.elf (started) [Multi AV Scanner detection for submitted file]
  x86_64.elf
    bash
      crontab -> dropped /var/spool/cron/crontabs/tmp.GsM1tg (ASCII) [Sample tries to persist itself using cron; Executes the "crontab" command typically for achieving persistence]
      bash
        crontab [Executes the "crontab" command typically for achieving persistence]
    crontab [Executes the "crontab" command typically for achieving persistence]
    pgrep
    7 other processes
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2026-02-25 16:12:43 UTC
File Type: ELF64 Little (Exe)
AV detection: 3 of 36 (8.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: discovery execution linux persistence privilege_escalation upx
Behaviour
GoLang User-Agent
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Reads CPU attributes
Creates/modifies Cron job
Enumerates running processes
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf df1765629fd2968e5dab6530712477ed728a56a59310ad225d25eb046fdf357c (this sample)

Delivery method: Distributed via web download

Comments