MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e00d92ca28a2cfd75e96f71fc0408747f04942657fcab0f2a25ce79bc3ad23a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e00d92ca28a2cfd75e96f71fc0408747f04942657fcab0f2a25ce79bc3ad23a8
SHA3-384 hash: 42776b683d807865a01af81f06222dea35953e00c14216d7a3eebfff4beb5020ecffac20088a74df5a71d6c3f55cf99e
SHA1 hash: fbd618a6932d4b586b8f07f3819229e52c20ed1a
MD5 hash: 85e2c18dbb454c7651b76dd52259ddbd
humanhash: coffee-hydrogen-jersey-island
File name:bot.x86_64
Download: download sample
File size:844'240 bytes
First seen:2026-06-21 10:35:48 UTC
Last seen:2026-06-21 14:31:55 UTC
File type: elf
MIME type:application/x-executable
ssdeep 12288:/d80rE7bvYQFAi5FfQEPKpuVBQmy+kQ7mYYm5k:/y0robjAi5FfQ6Kp+VK
TLSH T1DA057D5AF2B330FCC067C030835BDB62A835F46511226E7B25C4DA352DA6E711B29FB6
telfhash t1448155708bfa7a74a2d7c615a366f4a2ba37682336f135a456662d84df14f900c72423
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
3
# of downloads :
82
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sends data to a server
Connection attempt
Receives data from a server
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
1
Number of processes launched:
2
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/e00d92ca28a2cfd75e96f71fc0408747f04942657fcab0f2a25ce79bc3ad23a8
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2026-06-21T03:37:00Z UTC
Last seen:
2026-06-21T05:47:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/e00d92ca28a2cfd75e96f71fc0408747f04942657fcab0f2a25ce79bc3ad23a8/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/8917f9b2-1928-4f7d-8084-29f776ef42bc
Behavior Graph:
Download SVG
%3 guuid=de6d95c5-1e00-0000-3d6b-cca637140000 pid=5175 /usr/bin/sudo guuid=9ccb98c7-1e00-0000-3d6b-cca638140000 pid=5176 /tmp/sample.bin guuid=de6d95c5-1e00-0000-3d6b-cca637140000 pid=5175->guuid=9ccb98c7-1e00-0000-3d6b-cca638140000 pid=5176 execve guuid=c6a01ac8-1e00-0000-3d6b-cca639140000 pid=5177 /tmp/sample.bin net send-data zombie guuid=9ccb98c7-1e00-0000-3d6b-cca638140000 pid=5176->guuid=c6a01ac8-1e00-0000-3d6b-cca639140000 pid=5177 clone 0960bdb4-4ad1-590c-81e9-8fd9d5aae7c5 184.174.96.191:1337 guuid=c6a01ac8-1e00-0000-3d6b-cca639140000 pid=5177->0960bdb4-4ad1-590c-81e9-8fd9d5aae7c5 send: 296B
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/568592b6-3cbb-44bf-a20a-76805e2b8317
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
1 / 100
Link:
https://www.joesandbox.com/analysis/1931463
Behaviour
Behavior Graph:
n/a
Score:
96%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/e00d92ca28a2cfd75e96f71fc0408747f04942657fcab0f2a25ce79bc3ad23a8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e00d92ca28a2cfd75e96f71fc0408747f04942657fcab0f2a25ce79bc3ad23a8/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4agzfsriulh5oxuw64p4aqehi7yesqtfp7flb4vclttzxq5neoua._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/260621-mnhj2adw9w/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:jackskid_ddos_botnet
Create hunting rule
Author:Nokia Deepfield ERT
Description:Jackskid/RCtea DDoS botnet - all variants
Reference:https://blog.xlab.qianxin.com/analysis-of-rctea-botnet/
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:malwareelf55503
Create hunting rule
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf e00d92ca28a2cfd75e96f71fc0408747f04942657fcab0f2a25ce79bc3ad23a8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3868689/
  
Delivery method
Distributed via web download

Comments