MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3cd46be32a3eabcedecceab101b2b42e85bb52590153d43139b4b2adb17a246. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 18 File information Comments

SHA256 hash: f3cd46be32a3eabcedecceab101b2b42e85bb52590153d43139b4b2adb17a246
SHA3-384 hash: ffb81dea743085d83cfcfabd404a9a25e15772cb770a8f0bfbd6558e9ba08572d3af534605cc2562f7f53250e0b42bce
SHA1 hash: 3eda0c466ec49f00592c0568208e96b0ce60e1a3
MD5 hash: 56d63cdb7037b4e8744f5d4f6f775cd7
humanhash: alabama-apart-table-september
File name:n4d_agent_jul17.elf
Download: download sample
File size:20'070'526 bytes
First seen:2026-07-18 17:24:56 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 98304:EfBB0hJ+qr3kqo7q10a3CrOQoo+3QaFYeeYiLNnbj6ZF9ZgrCWR9PQ/mPlai7qj6:EbaDr27eZCrOQoo+eYs9fQ0RRhQMIJO
TLSH T199171963E8D21694C5AAC170D773816BBB61384E1B7913E70790F3246F33BE0A6B6B51
telfhash t1df42ce7049bd34b1a2a7d920f3b37874a53728b56be838b11026e991efd1ec51ca5c37
gimphash e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 4676bcd66adef10310c42e6c812e9dfe5a6a2de497cbec0cb95b5d1b8b3f66c9
File size (compressed) :7'659'332 bytes
File size (de-compressed) :20'070'526 bytes
Format:linux/amd64
Packed file: 4676bcd66adef10310c42e6c812e9dfe5a6a2de497cbec0cb95b5d1b8b3f66c9

Intelligence


File Origin
# of uploads :
1
# of downloads :
82
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Sends data to a server
Receives data from a server
Creating a file in the %temp% directory
Locks files
Collects information on the RAM
Creates directories
Connection attempt
Accesses SSH
Creates or modifies files in /cron to set up autorun
Creates or modifies files to set up autorun
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
golang
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2026-07-18T15:59:00Z UTC
Last seen:
2026-07-19T01:45:00Z UTC
Hits:
~1000
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad
Score:
92 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Drops invisible ELF files
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample scans a subnet
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Suricata IDS alerts for network traffic
Tries to read the AWS credentials file
Tries to read the SSH private key file
Uses known network protocols on non-standard ports
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1944636 Sample: n4d_agent_jul17.elf Startdate: 18/07/2026 Architecture: LINUX Score: 92 46 57.129.138.0, 10250, 22, 2375 OVHFR United Kingdom 2->46 48 57.129.138.1, 10250, 22, 2375 OVHFR United Kingdom 2->48 50 19 other IPs or domains 2->50 52 Suricata IDS alerts for network traffic 2->52 54 Connects to many ports of the same IP (likely port scanning) 2->54 56 Sample scans a subnet 2->56 58 Uses known network protocols on non-standard ports 2->58 8 n4d_agent_jul17.elf 2->8         started        12 systemd snapd-env-generator 2->12         started        14 systemd snapd-env-generator 2->14         started        16 27 other processes 2->16 signatures3 process4 file5 38 /var/tmp/.a, ELF 8->38 dropped 40 /var/spool/cron/root, ASCII 8->40 dropped 42 /var/spool/cron/crontabs/root, ASCII 8->42 dropped 44 10 other files (5 malicious) 8->44 dropped 60 Tries to read the AWS credentials file 8->60 62 Tries to read the SSH private key file 8->62 64 Writes identical ELF files to multiple locations 8->64 66 5 other signatures 8->66 18 n4d_agent_jul17.elf sh 8->18         started        20 n4d_agent_jul17.elf sh 8->20         started        22 n4d_agent_jul17.elf sh 8->22         started        24 n4d_agent_jul17.elf 8->24         started        signatures6 process7 process8 26 sh systemctl 18->26         started        28 sh systemctl 18->28         started        30 sh systemctl 18->30         started        32 sh curl 20->32         started        34 sh chmod 20->34         started        36 sh setsid sh 22->36         started       
Gathering data
Result
Malware family:
n/a
Score:
  8/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
GoLang User-Agent
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to shm directory
Writes file to tmp directory
Checks CPU configuration
Reads system network configuration
Modifies Bash startup script
Creates/modifies Cron job
Creates/modifies environment variables
Enumerates running processes
Looks up external IP address via web service
Modifies systemd
Reads system routing table
Write file to user bin folder
File and Directory Permissions Modification
Executes dropped EXE
Adds new SSH keys
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:enterpriseapps2
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:GoBinTest
Rule name:golang_binary_string
Description:Golang strings present
Rule name:Golang_Find_CSC846
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ProgramLanguage_Golang
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

elf f3cd46be32a3eabcedecceab101b2b42e85bb52590153d43139b4b2adb17a246

(this sample)

Comments