MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb2db389d64987855fa5db905bbcb7b100f9d6c1699eaf5d846a98680feae1df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb2db389d64987855fa5db905bbcb7b100f9d6c1699eaf5d846a98680feae1df
SHA3-384 hash: 318c78d47bf0ce1cd15f4c3e57bcd4613985db3045e1bc90be6f4183fa4f760b7c2ec663f89e95943f57e036e412d442
SHA1 hash: cddcc7b67306e73f320c89200b75cc3af980211a
MD5 hash: a5beb02fba945f117570d7c00ed05d60
humanhash: idaho-friend-venus-sierra
File name:svc
Download: download sample
File size:8'405'154 bytes
First seen:2026-04-01 22:32:59 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 49152:V8M+q/H2c6MeLqLNLuXG+w7i4lnHW6sgWAUpvqkHZD8WetxQVe52yakUsZ+9NQP5:V8Mjv2P0eDZDEuZHkOeXj3gRBQUHEn
TLSH T175864A57EDA555E8C0ADD13189B39613BB717C490B3023D32B60FA283F76BD06ABA354
telfhash t10c628771497d35b5a2a6da11f3a3b4f495372cb163f438b01023e995efc1e805caa87b
gimphash e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter smica83
Tags:elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
43
Origin country :
HU HU
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Receives data from a server
Manages services
Launching a process
Sends data to a server
Creates directories in a temporary directory
Creating a file
Deleting a recently created file
Connection attempt
Creates or modifies files in /init.d to set up autorun
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
18
Number of processes launched:
18
Processes remaning?
true
Remote TCP ports scanned:
23
Full report:
https://elfdigest.com/brief/eb2db389d64987855fa5db905bbcb7b100f9d6c1699eaf5d846a98680feae1df
Behaviour
Persistence
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Gathering data
Verdict:
Clean
File Type:
elf.64.le
First seen:
2026-04-01T08:26:00Z UTC
Last seen:
2026-04-01T14:02:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/eb2db389d64987855fa5db905bbcb7b100f9d6c1699eaf5d846a98680feae1df/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/ef4cfdb8-b8c4-4be6-a759-eea4f236a332
Behavior Graph:
Download SVG
%3 guuid=6936860e-1700-0000-1d92-9d6ed00f0000 pid=4048 /usr/bin/sudo guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4058 /tmp/sample.bin net guuid=6936860e-1700-0000-1d92-9d6ed00f0000 pid=4048->guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4058 execve 51475a40-5531-5652-88be-7dda12342b64 8.8.8.8:80 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4058->51475a40-5531-5652-88be-7dda12342b64 con guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4073 /tmp/sample.bin guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4058->guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4073 clone guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4074 /tmp/sample.bin net send-data guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4058->guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4074 clone guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4075 /tmp/sample.bin net guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4058->guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4075 clone guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076 /tmp/sample.bin net send-data write-config write-file guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4058->guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076 clone guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4080 /tmp/sample.bin net guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4058->guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4080 clone guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=5316 /tmp/sample.bin guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4058->guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=5316 clone d8be1f00-e1f2-500c-a4f5-abd0b972dd0d 103.79.79.21:8899 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4074->d8be1f00-e1f2-500c-a4f5-abd0b972dd0d send: 229B 7245d297-96dc-5786-9a0c-97410f1518a5 10.0.63.198:80 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4074->7245d297-96dc-5786-9a0c-97410f1518a5 con guuid=bde1921c-1700-0000-1d92-9d6ef60f0000 pid=4086 /tmp/sample.bin guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4074->guuid=bde1921c-1700-0000-1d92-9d6ef60f0000 pid=4086 clone guuid=2311a41c-1700-0000-1d92-9d6ef80f0000 pid=4088 /usr/bin/which.debianutils guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4074->guuid=2311a41c-1700-0000-1d92-9d6ef80f0000 pid=4088 execve guuid=a789d61e-1700-0000-1d92-9d6efe0f0000 pid=4094 /usr/bin/which.debianutils guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4074->guuid=a789d61e-1700-0000-1d92-9d6efe0f0000 pid=4094 execve dd27b6f0-0b21-5584-a643-c7e946c88d37 10.0.198.161:80 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4075->dd27b6f0-0b21-5584-a643-c7e946c88d37 con 3dfefb35-b492-5e56-be5d-ba930f6dc982 10.0.198.161:8080 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4075->3dfefb35-b492-5e56-be5d-ba930f6dc982 con a22dbccd-61c4-590d-a1ac-6dc9438d37bf 10.0.198.161:8888 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4075->a22dbccd-61c4-590d-a1ac-6dc9438d37bf con f627ae33-8e44-5728-8a78-2d90412bb55f 103.79.79.21:4444 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4075->f627ae33-8e44-5728-8a78-2d90412bb55f con a4d9a7ae-87b0-5e56-8e3f-b0d1de3895cf 10.0.63.198:443 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4075->a4d9a7ae-87b0-5e56-8e3f-b0d1de3895cf con da8043d2-efac-5137-b951-65e97c985a07 10.0.63.198:8443 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4075->da8043d2-efac-5137-b951-65e97c985a07 con c14e82ea-d77f-5d01-8b29-c88c05509f3b 10.0.164.232:443 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4075->c14e82ea-d77f-5d01-8b29-c88c05509f3b con 4ee5f331-39db-5521-a9bb-e1aa3f0c2e06 10.0.164.232:8443 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4075->4ee5f331-39db-5521-a9bb-e1aa3f0c2e06 con guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->d8be1f00-e1f2-500c-a4f5-abd0b972dd0d send: 116B guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->f627ae33-8e44-5728-8a78-2d90412bb55f con d5e18b3d-b66e-5b23-97e3-96032c541642 10.0.198.161:443 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->d5e18b3d-b66e-5b23-97e3-96032c541642 con 41882dcb-0025-5a42-a3bc-e78467014d60 10.0.198.161:8443 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->41882dcb-0025-5a42-a3bc-e78467014d60 con f874c4bd-4418-551e-87db-d839d2572870 10.0.63.198:8080 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->f874c4bd-4418-551e-87db-d839d2572870 con 93463c73-9a63-5366-bf32-de05021f4a1b 10.0.63.198:8888 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->93463c73-9a63-5366-bf32-de05021f4a1b con 056b5aeb-dbce-532c-85a8-dde593859b82 10.0.164.232:80 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->056b5aeb-dbce-532c-85a8-dde593859b82 con f1ecbd07-a884-5815-a37c-b2ae0f501f68 10.0.164.232:8080 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->f1ecbd07-a884-5815-a37c-b2ae0f501f68 con 803c917f-6f59-5065-bae9-3055d90804ad 10.0.164.232:8888 guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->803c917f-6f59-5065-bae9-3055d90804ad con guuid=2db52d1f-1700-0000-1d92-9d6eff0f0000 pid=4095 /usr/bin/which.debianutils guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->guuid=2db52d1f-1700-0000-1d92-9d6eff0f0000 pid=4095 execve guuid=1df8871b-1e00-0000-1d92-9d6e97140000 pid=5271 /usr/bin/systemctl guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->guuid=1df8871b-1e00-0000-1d92-9d6e97140000 pid=5271 execve guuid=a9900f3d-1e00-0000-1d92-9d6eac140000 pid=5292 /usr/bin/systemctl guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->guuid=a9900f3d-1e00-0000-1d92-9d6eac140000 pid=5292 execve guuid=f9e36958-1e00-0000-1d92-9d6ec5140000 pid=5317 /usr/bin/systemctl guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4076->guuid=f9e36958-1e00-0000-1d92-9d6ec5140000 pid=5317 execve guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4080->f627ae33-8e44-5728-8a78-2d90412bb55f con guuid=f5606754-1e00-0000-1d92-9d6ec1140000 pid=5313 /usr/bin/which.debianutils guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4080->guuid=f5606754-1e00-0000-1d92-9d6ec1140000 pid=5313 execve guuid=7478b054-1e00-0000-1d92-9d6ec2140000 pid=5314 /usr/bin/which.debianutils guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4080->guuid=7478b054-1e00-0000-1d92-9d6ec2140000 pid=5314 execve guuid=4a22ee54-1e00-0000-1d92-9d6ec3140000 pid=5315 /usr/bin/which.debianutils guuid=6e28f010-1700-0000-1d92-9d6eda0f0000 pid=4080->guuid=4a22ee54-1e00-0000-1d92-9d6ec3140000 pid=5315 execve guuid=2fdaba13-0000-0000-1d92-9d6e01000000 pid=1 /usr/lib/systemd/systemd guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5318 /usr/local/bin/.apt-task net guuid=2fdaba13-0000-0000-1d92-9d6e01000000 pid=1->guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5318 execve guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5318->51475a40-5531-5652-88be-7dda12342b64 con guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5319 /usr/local/bin/.apt-task guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5318->guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5319 clone guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5320 /usr/local/bin/.apt-task guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5318->guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5320 clone guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5322 /usr/local/bin/.apt-task guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5318->guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5322 clone guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5321 /usr/local/bin/.apt-task guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5318->guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5321 clone guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5325 /usr/local/bin/.apt-task guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5318->guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5325 clone guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5326 /usr/local/bin/.apt-task guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5318->guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5326 clone guuid=bbad485f-1e00-0000-1d92-9d6ecb140000 pid=5323 /usr/local/bin/.apt-task guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5322->guuid=bbad485f-1e00-0000-1d92-9d6ecb140000 pid=5323 clone guuid=54fe4c5f-1e00-0000-1d92-9d6ecc140000 pid=5324 /usr/bin/which.debianutils guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5322->guuid=54fe4c5f-1e00-0000-1d92-9d6ecc140000 pid=5324 execve guuid=7a07815f-1e00-0000-1d92-9d6ecf140000 pid=5327 /usr/bin/which.debianutils guuid=3bce525b-1e00-0000-1d92-9d6ec6140000 pid=5321->guuid=7a07815f-1e00-0000-1d92-9d6ecf140000 pid=5327 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9f7e0375-4fe0-47ff-9cc9-4f0e1d232fd7
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1892525
Signature
Connects to many ports of the same IP (likely port scanning)
Drops invisible ELF files
Executes the "crontab" command typically for achieving persistence
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1892525 Sample: svc.elf Startdate: 02/04/2026 Architecture: LINUX Score: 64 83 15.160.70.48, 42094, 42108, 443 HP-INTERNET-ASUS United States 2->83 85 104.131.103.78, 34636, 443, 47650 DIGITALOCEAN-ASNUS United States 2->85 87 99 other IPs or domains 2->87 89 Connects to many ports of the same IP (likely port scanning) 2->89 91 Uses known network protocols on non-standard ports 2->91 9 svc.elf 2->9         started        13 systemd .apt-task 2->13         started        15 systemd .apt-task 2->15         started        17 5 other processes 2->17 signatures3 process4 file5 79 /usr/local/bin/.apt-task, ELF 9->79 dropped 81 /etc/rc.local, POSIX 9->81 dropped 97 Drops invisible ELF files 9->97 99 Sample tries to persist itself using System V runlevels 9->99 19 svc.elf crontab 9->19         started        23 svc.elf crontab 9->23         started        25 svc.elf timeout 9->25         started        35 21 other processes 9->35 27 .apt-task crontab 13->27         started        29 .apt-task crontab 13->29         started        31 .apt-task timeout 13->31         started        37 21 other processes 13->37 33 .apt-task 15->33         started        signatures6 process7 file8 75 /var/spool/cron/crontabs/tmp.WJTpu0, ASCII 19->75 dropped 93 Sample tries to persist itself using cron 19->93 95 Executes the "crontab" command typically for achieving persistence 19->95 39 timeout bash 25->39         started        77 /var/spool/cron/crontabs/tmp.9eLqg2, ASCII 27->77 dropped 41 timeout bash 31->41         started        43 timeout bash 35->43         started        45 timeout bash 35->45         started        47 timeout bash 35->47         started        53 8 other processes 35->53 49 timeout bash 37->49         started        51 timeout bash 37->51         started        55 9 other processes 37->55 signatures9 process10 process11 57 2 other processes 39->57 59 2 other processes 41->59 61 2 other processes 43->61 63 2 other processes 45->63 65 2 other processes 47->65 67 2 other processes 49->67 69 2 other processes 51->69 71 16 other processes 53->71 73 18 other processes 55->73
Score:
7%
Verdict:
Benign
File Type:
ELF
Link:
https://malprob.io/report/eb2db389d64987855fa5db905bbcb7b100f9d6c1699eaf5d846a98680feae1df
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb2db389d64987855fa5db905bbcb7b100f9d6c1699eaf5d846a98680feae1df/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5mw3hcowjgdykx5f3oifxpfxweaptvwbngpk6xmenkmgqd7k4hpq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/260401-2gn6kacs9t/
Behaviour
GoLang User-Agent
Enumerates kernel/hardware configuration
Reads runtime system information
Creates/modifies Cron job
Modifies rc script
Modifies systemd
Write file to user bin folder
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Bitter_ZxxZ_Downloader
Create hunting rule
Author:SECUINFRA Falcon Team (@SI_FalconTeam)
Description:Detects Bitter (T-APT-17) ZxxZ Downloader
Reference:https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh
Rule name:Capability_Embedded_Lua
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects embedded Lua engines by looking for multiple Lua API symbols or env-var hooks
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WIN_WebSocket_Base64_C2_20250726
Create hunting rule
Author:dogsafetyforeverone
Description:Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments