MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f02a038797f449d63d32d2eae14ddab662c6f14e9e279ef1eaa01a400fdbefb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DDoSAgent
Vendor detections: 8

SHA256 hash: f02a038797f449d63d32d2eae14ddab662c6f14e9e279ef1eaa01a400fdbefb0
SHA3-384 hash: b0e20f2b2397417bf20e77923c4cdd00230fa55398252a59d26d1eea30e07fc7990231c7abd6565d8b1eee5f57d67a19
SHA1 hash: aed1dbd8009b6574a88c170fc2d296acdd018266
MD5 hash: dfe902da14be352fa54595f430cf17f6
humanhash: ohio-winter-sodium-nine
File name: data.x86_64
Signature: DDoSAgent
File size: 898'760 bytes
First seen: 2026-03-15 02:22:39 UTC
Last seen: 2026-03-15 22:00:23 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 12288:hQM7I2RvcLp4spHD/zmkxgw2hAI+voaFvBfmt3jLSxqjGLHqn9f7/8dzuFbFJy1K:hhII04sAkxbiawEpfmt3jLSxB2fgJG3
TLSH: T1E9157D5BB2B374FCC057C43043ABDAB2A935B42542226E7B65C8D7303E17E741B1AB66
telfhash: t11ec138b44bfa2570a2cbd610a326f1f5897a28335aed35b456327d48ef85f810d77823
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: DDOSAgent elf mirai
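Before analysing a downloaded copy of this sample, a practitioner will want to confirm it is the file this entry describes (all four listed hashes, not just MD5) and to read the ELF header directly, since the entry lists the vendor field "Architecture: x86" while the file name says x86_64 and the MIME type only says "executable". The script below is an added example, not MalwareBazaar tooling; the expected hashes are copied from the entry, the sample path in inspect_sample is an assumption, and CONSTRUCTED_ELF64 is a synthetic minimal ELF64 header included only so the script runs offline.

```python
"""Verify a downloaded sample against the hashes listed in its MalwareBazaar
entry and decode the ELF identification/e_type/e_machine fields.
Added example; the file path is an assumption and CONSTRUCTED_ELF64 is a
synthetic header, not bytes from the real sample."""
import hashlib
import struct
from typing import Dict

# Hashes exactly as listed in the entry above.
EXPECTED = {
    "sha256": "f02a038797f449d63d32d2eae14ddab662c6f14e9e279ef1eaa01a400fdbefb0",
    "sha1": "aed1dbd8009b6574a88c170fc2d296acdd018266",
    "md5": "dfe902da14be352fa54595f430cf17f6",
    "sha3_384": "b0e20f2b2397417bf20e77923c4cdd00230fa55398252a59d26d1eea30e07fc7990231c7abd6565d8b1eee5f57d67a19",
}

E_MACHINE = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64",
             0x08: "MIPS", 0x14: "PowerPC", 0x2B: "SPARC", 0xF3: "RISC-V"}
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Hex digests for every algorithm the entry lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED}


def verify_hashes(data: bytes) -> Dict[str, bool]:
    """Per-algorithm match flags. Treat the file as *this* sample only when
    every flag is True; a lone MD5/SHA1 match is not sufficient evidence."""
    actual = compute_hashes(data)
    return {name: actual[name] == EXPECTED[name] for name in EXPECTED}


def parse_elf_header(data: bytes) -> Dict[str, object]:
    """Decode EI_CLASS, EI_DATA, e_type and e_machine from the ELF header.
    e_type/e_machine sit at offsets 16 and 18 for both ELF32 and ELF64."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown(0x{e_type:x})"),
        "machine": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
    }


def inspect_sample(path: str) -> Dict[str, object]:
    """Read a file (path is an assumption) and report hash matches and header."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"size": len(data), "hashes": verify_hashes(data),
            "elf": parse_elf_header(data)}


# Constructed 64-byte ELF64 little-endian ET_EXEC x86-64 header (synthetic).
CONSTRUCTED_ELF64 = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64, 0, 0,
                  64, 56, 0, 64, 0, 0)
)

if __name__ == "__main__":
    print(parse_elf_header(CONSTRUCTED_ELF64))
    print(verify_hashes(CONSTRUCTED_ELF64))  # all False: synthetic bytes
```

Run inspect_sample("data.x86_64") against the real download; the "machine" field of the result is the authoritative answer to the x86 versus x86_64 question, whatever the file name or a vendor field says.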

Intelligence


File Origin
# of uploads: 2
# of downloads: 65
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bash gcc lolbin mirai

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 1
Number of processes launched: 1
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour: Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Status: terminated
Behavior Graph (rendered graph; process tree and connections recovered from it):
/usr/bin/sudo (pid 2678) execve /tmp/sample.bin (pid 2686, net)
pid 2686 connects to 8.8.8.8:53
pid 2686 clone pid 2688 (zombie); pid 2688 clone pid 2689 (write-file, zombie); pid 2689 clone pid 2692 (net, send-data, zombie)
pid 2692 sends 105 B to 8.8.8.8:53 and 14 B to 45.131.65.74:8082
pid 2692 clone pid 2693 (send-data, zombie), which sends 97 B to 0.0.0.0:0
pid 2692 clone pid 2694 (net, send-data, write-file), which sends 97 B to 127.0.0.1:30565
pid 2692 execve /usr/bin/dash six times (pids 2700, 2734, 5249, 5251, 5279, 5281); each dash execve /usr/sbin/xtables-nft-multi (pids 2702, 2736, 5250, 5252, 5280, 5282)
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 56 / 100
Signature
Executes the "iptables" command to insert, remove and/or manipulate rules
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Behaviour
Behavior Graph (rendered graph, ID 1883912; contents recovered from it):
Sample: data.x86_64.elf, start date 15/03/2026, architecture LINUX, score 56
Network: datasurge-bot.com (DNS TXT record lookups); 45.131.65.74 ports 48250 and 8082 (LOVESERVERSGB, Germany); 4 other IPs or domains
Process tree: data.x86_64.elf started, then three further data.x86_64.elf child processes; the last one starts sh twice (each sh runs iptables) and one more data.x86_64.elf; separately dash runs rm twice
Signatures: Multi AV Scanner detection for submitted file; Performs DNS TXT record lookups (datasurge-bot.com); Executes the "iptables" command to insert, remove and/or manipulate rules (sh -> iptables)
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2026-03-13 05:28:22 UTC
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: credential_access discovery linux
Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Enumerates active TCP sockets
Enumerates running processes
Please note that we are no longer able to provide a coverage score for VirusTotal.
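The vendor reports above agree on three host-observable behaviours: a binary running out of /tmp, that binary renaming its process, and a shell spawned from it executing iptables (xtables-nft-multi) while it talks to 45.131.65.74:8082. The script below turns those observations into detection logic over an execve/clone/connect event trace. It is an added example, not a MalwareBazaar or sandbox-vendor tool. TRACE is constructed by hand from the process tree and connections shown in the behaviour graphs: the pids, paths and the endpoints 8.8.8.8:53, 45.131.65.74:8082 and 127.0.0.1:30565 are copied from this entry, while the "comm" values (in particular the renamed "kworker/0:1") are assumptions added to illustrate the "Process Renaming" / "Changes its process name" behaviour.

```python
"""Detection rules over a process/network event trace shaped like the
behaviour graphs in this entry. Added example; TRACE is constructed from the
entry's process tree, and the comm values are assumptions."""
import ipaddress
from typing import Dict, List, Tuple

IPTABLES_BINARIES = {"iptables", "ip6tables", "xtables-nft-multi",
                     "xtables-legacy-multi", "nft"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed trace: one record per execve/clone/connect event.
TRACE: List[Dict] = [
    {"pid": 2678, "ppid": 1,    "exe": "/usr/bin/sudo",   "comm": "sudo",        "event": "execve"},
    {"pid": 2686, "ppid": 2678, "exe": "/tmp/sample.bin", "comm": "sample.bin",  "event": "execve"},
    {"pid": 2686, "ppid": 2678, "exe": "/tmp/sample.bin", "comm": "sample.bin",  "event": "connect", "dst": "8.8.8.8", "dport": 53},
    {"pid": 2688, "ppid": 2686, "exe": "/tmp/sample.bin", "comm": "sample.bin",  "event": "clone"},
    {"pid": 2689, "ppid": 2688, "exe": "/tmp/sample.bin", "comm": "sample.bin",  "event": "clone"},
    {"pid": 2692, "ppid": 2689, "exe": "/tmp/sample.bin", "comm": "kworker/0:1", "event": "clone"},  # assumed renamed comm
    {"pid": 2692, "ppid": 2689, "exe": "/tmp/sample.bin", "comm": "kworker/0:1", "event": "connect", "dst": "45.131.65.74", "dport": 8082},
    {"pid": 2694, "ppid": 2692, "exe": "/tmp/sample.bin", "comm": "kworker/0:1", "event": "connect", "dst": "127.0.0.1", "dport": 30565},
    {"pid": 2700, "ppid": 2692, "exe": "/usr/bin/dash",   "comm": "sh",          "event": "execve"},
    {"pid": 2702, "ppid": 2700, "exe": "/usr/sbin/xtables-nft-multi", "comm": "iptables", "event": "execve"},
]

Alert = Tuple[str, int, str]  # (rule, pid, detail)


def build_tree(trace: List[Dict]):
    """Map each pid to its parent pid and to the first executable seen for it."""
    parent: Dict[int, int] = {}
    exe: Dict[int, str] = {}
    for ev in trace:
        parent.setdefault(ev["pid"], ev["ppid"])
        exe.setdefault(ev["pid"], ev["exe"])
    return parent, exe


def lineage(pid: int, parent: Dict[int, int], exe: Dict[int, str]) -> List[str]:
    """Executable paths from pid up to the root of the recorded tree."""
    chain, seen = [], set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        chain.append(exe[pid])
        pid = parent[pid]
    return chain


def detect(trace: List[Dict]) -> List[Alert]:
    """Apply the three rules; each (rule, pid) pair is reported once."""
    parent, exe = build_tree(trace)
    alerts: List[Alert] = []
    reported = set()

    def emit(rule: str, pid: int, detail: str) -> None:
        if (rule, pid) not in reported:
            reported.add((rule, pid))
            alerts.append((rule, pid, detail))

    for ev in trace:
        base = ev["exe"].rsplit("/", 1)[-1]
        from_temp = ev["exe"].startswith(TEMP_DIRS)
        # Rule 1: iptables/nft executed anywhere below a binary running from a temp dir.
        if ev["event"] == "execve" and base in IPTABLES_BINARIES:
            chain = lineage(ev["pid"], parent, exe)
            if any(p.startswith(TEMP_DIRS) for p in chain[1:]):
                emit("iptables_from_temp_binary", ev["pid"], " <- ".join(chain))
        # Rule 2: temp-dir binary whose visible name (comm) no longer matches its executable.
        if from_temp and ev["event"] in ("execve", "clone") and ev["comm"] != base:
            emit("process_renamed", ev["pid"], f"{ev['exe']} running as {ev['comm']!r}")
        # Rule 3: temp-dir binary connecting to a public address on a non-DNS port.
        if ev["event"] == "connect" and from_temp:
            if ipaddress.ip_address(ev["dst"]).is_global and ev["dport"] != 53:
                emit("outbound_from_temp_binary", ev["pid"], f"{ev['dst']}:{ev['dport']}")
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(TRACE):
        print(f"{rule:28} pid={pid} {detail}")
```

Rule 1 walks the full ancestry rather than only the direct parent because, as both graphs show, the iptables call is several clones and one shell removed from the original /tmp binary; a parent-only check would see nothing more than dash running iptables. Feeding real auditd or eBPF execve/connect events into TRACE is the only change needed to run this on a host.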

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: ELF_Mirai
Author: NDA0E
Description: Detects multiple Mirai variants
Rule name: F01_s1ckrule
Author: s1ckb017
Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: malwareelf55503
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
DDoSAgent
elf f02a038797f449d63d32d2eae14ddab662c6f14e9e279ef1eaa01a400fdbefb0 (this sample)

Delivery method: Distributed via web download