MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4efa9279ff58c03e75631fca5293c64d25f5eab9584a820dfefd6244b433bb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Prometei


Vendor detections: 4



SHA256 hash: f4efa9279ff58c03e75631fca5293c64d25f5eab9584a820dfefd6244b433bb6
SHA3-384 hash: e79aa80479d41e3cf859c69a1693dedc154dd0b499fa71d3c051808ffa17e7bf2042ff06dc60db85508473de45d295e0
SHA1 hash: 51ffa90bcfe8254d78b6b0f0457d4fe71baa95b0
MD5 hash: 99bd60fe2d8ff59fe22a7be5de1cae8e
humanhash: kentucky-oscar-triple-five
File name: f4efa9279ff58c03e75631fca5293c64d25f5eab9584a820dfefd6244b433bb6
Signature: Prometei
File size: 847'312 bytes
First seen: 2026-07-02 13:29:47 UTC
Last seen: 2026-07-02 13:32:53 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 12288:22eLlEqcQ+XPF5ilvI+X7mFSq2mQNj4GV8:klSldQGAmFc/V
TLSH: T10305290BB7B668BDC6DAC4748A5BD5F2AC3078141222393B75C5E9312E26E204F6DF71
telfhash: t1cfe02b03e6664db5b9e214296c1073dcc95de013e4a8da11deddc4c0850524ba825c5c
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: c2hunter
Tags: elf Prometei wraith

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 70
Origin country: US
Vendor Threat Intelligence

No detections
Result
Verdict: Clean
Maliciousness:

Behaviour
Collects information on the CPU
Launching a process
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%

Tags: gcc golang rootkit
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: true
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 25
Number of processes launched: 20
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour
Anti-VM
Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Status: terminated
Behavior Graph (process tree reconstructed from the sandbox graph; each child was started by execve unless marked clone):
/usr/bin/sudo (pid 5165)
  /tmp/sample.bin (pid 5166)
    /usr/bin/dash (pid 5167)
      /usr/bin/lspci (pid 5168)
      /usr/bin/grep (pid 5169)
    /usr/bin/dash (pid 5170)
      /usr/bin/lspci (pid 5171)
      /usr/bin/grep (pid 5172)
    /usr/bin/dash (pid 5173)
      /usr/bin/busybox (pid 5174)
      /usr/bin/grep (pid 5175)
    /usr/bin/dash (pid 5176)
      /usr/bin/busybox (pid 5177)
      /usr/bin/grep (pid 5178)
    /usr/bin/dash (pid 5179)
      /usr/bin/last (pid 5180)
    /usr/bin/dash (pid 5181)
      /usr/bin/dash (pid 5182, clone)
        /usr/bin/dash (pid 5183, clone)
      /usr/bin/head (pid 5184)
      /usr/bin/dash (pid 5185, clone)
      /usr/bin/head (pid 5186)
Result
Malware family: n/a
Score: 4/10
Tags: discovery linux
Behaviour
Enumerates kernel/hardware configuration
Peripheral Device Discovery
Reads runtime system information
Reads CPU attributes
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments