MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e07eace65a2dde744a0cc3f2d69abe929a3c75a4847f63cbcb71d9e2c52341b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: e07eace65a2dde744a0cc3f2d69abe929a3c75a4847f63cbcb71d9e2c52341b6
SHA3-384 hash: 672e56894e97a55503da85ff299fba7bb7aac0176ac30e7769c46d5250551052588b3cc671daaafbffc0be00e9fd7ddf
SHA1 hash: dca7412a76d1639e243556a792e3b70a89c40d98
MD5 hash: 35ab15ee258a0852fb3dc0acc8b3bfbf
humanhash: arkansas-blossom-ceiling-mockingbird
File name: bot.mips
File size: 117'308 bytes
First seen: 2026-05-13 19:16:42 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 3072:hqSs2wE/LGqf+Z+77py9Uc7nCbCBdulHmN:hm2wE/L5fXpYUc7oG
TLSH: T1DBB31866FA14EB3FC40E83306873C75056D52CB12E925ABE3264EB9C7E3415B1E5B9E0
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence


File Origin
# of uploads: 1
# of downloads: 58
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: mips
Packer: not packed
Botnet: unknown
Number of open files: 119
Number of processes launched: 68
Processes remaining?: true
Remote TCP ports scanned: 23, 2323, 10001, 2601
Behaviour
Persistence
Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Result
Gathering data
Status: terminated
Behavior Graph:
[Behavior graph rendering not reproducible; it records /usr/bin/sudo (pid 2953) launching /tmp/sample.bin (pid 2955) via execve]
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Yara detected Gafgyt
Behaviour
Behavior Graph:
[Behavior graph rendering not reproducible. Graph ID: 1913130; sample: bot.mips.elf; start date: 13/05/2026; architecture: LINUX; score: 100. The graph records network contact with 31.31.79.16:80 (WEDOSCZ, Czech Republic, serving load.sh) and 176.65.139.177 (PALTEL, Germany) plus 2 other IPs or domains; execution of dropped bot.* variants for several architectures (bot.armv4l, bot.x86_64, bot.aarch64, bot.mipsel, bot.sh4, bot.armv5l, bot.i486, bot.powerpc and 11 other malicious files dropped under /tmp); crontab writes to /var/spool/cron/crontabs/tmp.4G1T8F and tmp.E48Rf9; drops of /etc/rc.local and /etc/init.d/system048; and calls to update-rc.d and systemctl for System V runlevel persistence.]
Result
Malware family: n/a
Score: 7/10
Tags: credential_access defense_evasion discovery execution persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads process memory
Creates/modifies Cron job
Enumerates running processes
Modifies init.d
Modifies rc script
Modifies systemd
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE
Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ELF_IoT_Persistence_Hunt
Author: 4r4
Description: Hunts for ELF files with persistence and download capabilities
Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: elf e07eace65a2dde744a0cc3f2d69abe929a3c75a4847f63cbcb71d9e2c52341b6 (this sample)
Delivery method: Distributed via web download

Comments