MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eff0db0b8e5df6de9ed8eeda5788cd0dbe3930bf0e318770aedd3aacfb3b09d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 4



SHA256 hash: eff0db0b8e5df6de9ed8eeda5788cd0dbe3930bf0e318770aedd3aacfb3b09d8
SHA3-384 hash: a4ba7566beff9812976b101dd6c1e400d165304c81cea80b194f324e45039977c3029404d0d1830197de55fa9e24f36a
SHA1 hash: 32a1f4e76d884f45f3fbea20d7668bad9456f7b5
MD5 hash: 45f5d9dfe38c7e5b5b9c2d896ad91b7f
humanhash: don-july-saturn-white
File name: bot.x86
Download: download sample
File size: 928'780 bytes
First seen: 2026-02-07 07:34:44 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 24576:Syq30UVhTrh8UvXW+qPiIsNWRR0xvESaYmtWwTRp5J:SvhTrhpvG+qXCWRax8bkwV7
TLSH: T199157C99E786E0E0F16300F1125EDBF30934A5365053EAF6FB862A6674327526F1732E
telfhash: t1ebd1277325a668e877e04412c25a7220de1ae4372ae039730de364e1b733e535376db9
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence


File Origin
# of uploads: 1
# of downloads: 28
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: gcc masquerade rust
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj.evad
Score: 60 / 100
Signature
Drops files in suspicious directories
Sample deletes itself
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Behaviour
Behavior Graph (ID 1865133; sample bot.x86.elf; start date 07/02/2026; architecture LINUX; score 60): the graph rendering is not reproduced here. Recoverable nodes: bot.x86.elf starts dash/rm and then fans out into many further bot.x86.elf child processes (the graph lists 81, 78, 76, 99 and 120 "other processes" at successive levels) and an sh/cp chain; a dropped file /etc/init.d/sysd (POSIX); network contacts 83.142.209.229 (19191, 49278, 49280; PL-METROINTERNETPL Ukraine), 34.254.182.186 (443, 59330; AMAZON-02US United States) and 2 other IPs or domains. Signature nodes: Sample tries to set files in /etc globally writable; Drops files in suspicious directories; Sample deletes itself; Sample tries to persist itself using System V runlevels; Sample tries to kill multiple processes (SIGKILL).
Result
Malware family: n/a
Score: 7/10
Tags: credential_access defense_evasion discovery linux persistence
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Reads process memory
Enumerates active TCP sockets
Enumerates running processes
Modifies init.d
Modifies rc script
Deletes Audit logs
Deletes itself
Deletes journal logs
Deletes system logs
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: F01_s1ckrule
Author: s1ckb017
Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: telebot_framework
Author: vietdx.mb
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
elf eff0db0b8e5df6de9ed8eeda5788cd0dbe3930bf0e318770aedd3aacfb3b09d8 (this sample)

Delivery method: Distributed via web download

Comments