MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec12b5ee023ece253d4dbb0fd7fb45f8f5b21918ec7a550a203300265d3adfe1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DDoSAgent


Vendor detections: 9



SHA256 hash: ec12b5ee023ece253d4dbb0fd7fb45f8f5b21918ec7a550a203300265d3adfe1
SHA3-384 hash: f2b83d29091561573907c0793bb54f7fc9830a7b3d0f32034766adb2f7bf1e2bf3cfa15679c5a2a7992e29eea9ae13d0
SHA1 hash: 7acfe7cf3ab1973002896ebff1d974ee2052967b
MD5 hash: a25455618bc6a19b91aed30c64e2afa2
humanhash: king-golf-mobile-juliet
File name: x86_64
Signature: DDoSAgent
File size: 172'008 bytes
First seen: 2026-01-16 16:32:05 UTC
Last seen: 2026-01-24 13:21:06 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 3072:2DNpZ6taj9mUU4Ywd1C1NxfnEte9oKMPIr5woSjb5Nm5BMOOOOOOOOOOOOOOOkOY:TB9AMHfE77PIu45BMOOOOOOOOOOOOOOx
TLSH: T134F3380779C1CAFBC897D1F44BEBA521D931F82E1935715E27E0BE961B4CEE02A5D220
telfhash: t12b71fc343c9a3968b2f7fb16b34ad91aec720a6008e130d9ee732de59e567850d75062
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: DDOSAgent elf

Intelligence


File Origin
# of uploads: 2
# of downloads: 37
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: gcc
Verdict: Malicious
File Type: elf.64.le
First seen: 2026-01-16T13:49:00Z UTC
Last seen: 2026-01-17T19:18:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph (process tree reconstructed from the sandbox graph dump; bracketed words are the sandbox's per-process flags):

pid 2271 /usr/bin/sudo
  └─ execve → pid 2278 /tmp/sample.bin
       └─ clone → pid 2280 /tmp/sample.bin [zombie]
            └─ clone → pid 2281 /tmp/sample.bin [dns net send-data write-config write-file zombie]
                 ├─ send 33B → 10.0.2.3:53
                 ├─ send 113B → xxx.caoxxip.top:2235
                 ├─ clone → pid 2282 /tmp/sample.bin
                 │    └─ clone → pid 2284 /tmp/sample.bin [zombie]
                 │         └─ clone → pid 2285 /tmp/sample.bin [zombie]
                 │              └─ execve → /usr/bin/dash (pids 2772, 3456, 4721, 5298, 5326, 5329, 5332, 5335, 5338, 5341)
                 │                   └─ each dash instance: execve → /usr/bin/ps and /usr/bin/mawk
                 │                      (pids 2774/2775, 3457/3458, 4723/4724, 5299/5300, 5327/5328, 5330/5331, 5333/5334, 5336/5337, 5339/5340, 5342/5343)
                 ├─ clone → pid 2283 /tmp/sample.bin
                 │    └─ clone → pid 2286 /tmp/sample.bin [zombie]
                 │         └─ clone → pid 2287 /tmp/sample.bin [zombie]
                 ├─ execve → pid 2289 /usr/bin/dash
                 │    └─ execve → pid 2290 /usr/bin/systemctl
                 ├─ execve → pid 2404 /usr/bin/dash
                 │    └─ execve → pid 2406 /usr/bin/systemctl
                 └─ clone → pid 2517 /tmp/sample.bin [delete-file]

pid 1 /usr/lib/systemd/systemd
  └─ execve → /usr/local/bin/ifconfig_xxs.cfg (pids 2507, 2549, 2583, 2621, 2660)
       └─ each instance: clone → /usr/local/bin/ifconfig_xxs.cfg [zombie] → clone → /usr/local/bin/ifconfig_xxs.cfg [zombie]
          (pids 2512→2513, 2552→2553, 2586→2587, 2627→2628, 2668→2669)
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph (ID 1852228; sample x86_64.elf; start date 16/01/2026; architecture LINUX; score 88):

Network:
- xxx.caoxxip.top (46.246.92.170), ports 2235 and 51040, PORTLANE (Sweden)
- 109.202.202.202, port 80, INIT7CH (Switzerland)
- 3 other IPs or domains

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file

Process tree:
x86_64.elf → x86_64.elf → x86_64.elf
  dropped: /usr/local/bin/ifconfig_xxs.cfg (ELF), /etc/rc.local (ASCII), /boot/ifconfig_xxs.cfg (ELF)
  signatures: Sample tries to set files in /etc globally writable; Writes identical ELF files to multiple locations; Sample tries to persist itself using System V runlevels
  ├─ x86_64.elf → x86_64.elf → x86_64.elf
  │    ├─ x86_64.elf sh (3 instances) → sh ps, sh awk
  │    └─ 15 other processes → sh ps, sh awk, 28 other processes
  ├─ x86_64.elf (Sample deletes itself)
  ├─ x86_64.elf sh → sh systemctl
  └─ 2 other processes → x86_64.elf → x86_64.elf; sh systemctl
systemd ifconfig_xxs.cfg (2 instances) → ifconfig_xxs.cfg → ifconfig_xxs.cfg
11 other processes → ifconfig_xxs.cfg (3 instances) and 4 other processes → ifconfig_xxs.cfg instances and 2 other processes
Threat name: Linux.Trojan.Multiverze
Status: Malicious
First seen: 2026-01-16 16:32:43 UTC
File Type: ELF64 Little (Exe)
AV detection: 13 of 38 (34.21%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery linux persistence privilege_escalation
Behaviour
Reads runtime system information
Changes its process name
Reads CPU attributes
Modifies rc script
Modifies systemd
Write file to user bin folder
Deletes itself
Verdict: Malicious
Tags: trojan gafgyt Unix.Dropper.Mirai-7540662-0
YARA: Linux_Trojan_Gafgyt_9e9530a7 Linux_Trojan_Gafgyt_807911a2 Linux_Trojan_Gafgyt_d4227dbf Linux_Trojan_Gafgyt_d996d335 Linux_Trojan_Gafgyt_d0c57a2e Linux_Trojan_Gafgyt_620087b9 Linux_Trojan_Gafgyt_0cd591cd Linux_Trojan_Gafgyt_33b4111a Linux_Trojan_Gafgyt_a33a8363
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ELF_Toriilike_persist
Author: 4r4
Description: Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference: Identified via researched data
Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: Linux_Trojan_Gafgyt_0cd591cd
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_33b4111a
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_620087b9
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_807911a2
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_9e9530a7
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_a33a8363
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_d0c57a2e
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_d4227dbf
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_d996d335
Author: Elastic Security
Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: DDoSAgent
Sample: elf ec12b5ee023ece253d4dbb0fd7fb45f8f5b21918ec7a550a203300265d3adfe1 (this sample)

Comments