MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffe04bc05a56f78b1273876cf17ded8df1aa3da5a15deb17dce99a3e206eb705. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 7 File information Comments

SHA256 hash: ffe04bc05a56f78b1273876cf17ded8df1aa3da5a15deb17dce99a3e206eb705
SHA3-384 hash: 3299ac6f15fe69787605e038679b4ad5dd813727c0b5d56e32fcba219d3f13bd3f948f145141217c323803dbf0833346
SHA1 hash: cc64bd95e150dd5ba9b9fc5fe49092b9d5445c50
MD5 hash: 2aac605dc8f0a94211d699d0d62b5382
humanhash: two-iowa-seventeen-july
File name:diicot
Download: download sample
File size:885'324 bytes
First seen:2026-07-16 01:03:51 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 24576:BQwdeRylP146ElPOtWoEQzLGahNR2ER89ynytwvt:BBgRylPW6oPOwzQzLj2hMn2wvt
TLSH T1521533C7B76EF5CA58BCD37725DE778CB09020BBD448A0172AD7E6A1C832D21A14A11F
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter sigsec
Tags:diicot elf linux Loader Mexals


Avatar
sigsec
Diicot loader binary dropped during lab detonation of the captured packed loader.

Intelligence


File Origin
# of uploads :
1
# of downloads :
8
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2026-07-09T05:43:00Z UTC
Last seen:
2026-07-09T05:56:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=45f96eec-1e00-0000-910e-d9c63f140000 pid=5183 /usr/bin/sudo guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5184 /tmp/sample.bin mprotect-exec write-file guuid=45f96eec-1e00-0000-910e-d9c63f140000 pid=5183->guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5184 execve guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5185 /tmp/sample.bin guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5184->guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5185 clone guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5186 /tmp/sample.bin guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5184->guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5186 clone guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5187 /tmp/sample.bin guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5184->guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5187 clone guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5188 /tmp/sample.bin guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5184->guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5188 clone guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5189 /aafa9d2b/sample.bin delete-file write-file guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5184->guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5189 clone guuid=88ae8e0b-1f00-0000-910e-d9c646140000 pid=5190 /usr/bin/pgrep guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5184->guuid=88ae8e0b-1f00-0000-910e-d9c646140000 pid=5190 execve guuid=c342b11a-1f00-0000-910e-d9c647140000 pid=5191 /usr/bin/pgrep guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5184->guuid=c342b11a-1f00-0000-910e-d9c647140000 pid=5191 execve guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5192 /aafa9d2b/7f7a69df mprotect-exec write-file guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5184->guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5192 execve guuid=4b77442b-1f00-0000-910e-d9c649140000 pid=5193 /usr/bin/pgrep guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5184->guuid=4b77442b-1f00-0000-910e-d9c649140000 pid=5193 execve guuid=24c9de5a-1f00-0000-910e-d9c651140000 pid=5201 /usr/bin/whoami guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5187->guuid=24c9de5a-1f00-0000-910e-d9c651140000 pid=5201 execve guuid=bd99965b-1f00-0000-910e-d9c652140000 pid=5202 /usr/bin/bash guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5187->guuid=bd99965b-1f00-0000-910e-d9c652140000 pid=5202 execve guuid=c398ba7a-1f00-0000-910e-d9c659140000 pid=5209 /var/tmp/.test_exec.sh guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5189->guuid=c398ba7a-1f00-0000-910e-d9c659140000 pid=5209 execve guuid=6ec6e499-1f00-0000-910e-d9c65b140000 pid=5211 /d6183348/7f7a69df guuid=d601c8f0-1e00-0000-910e-d9c640140000 pid=5189->guuid=6ec6e499-1f00-0000-910e-d9c65b140000 pid=5211 clone guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5194 /aafa9d2b/7f7a69df zombie guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5192->guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5194 clone guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5195 /aafa9d2b/7f7a69df guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5192->guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5195 clone guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5196 /aafa9d2b/7f7a69df guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5192->guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5196 clone guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5197 /aafa9d2b/7f7a69df delete-file write-file zombie guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5192->guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5197 clone guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5198 /aafa9d2b/7f7a69df guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5192->guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5198 clone guuid=94eb9e3d-1f00-0000-910e-d9c64f140000 pid=5199 /usr/bin/pgrep guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5192->guuid=94eb9e3d-1f00-0000-910e-d9c64f140000 pid=5199 execve guuid=a11ce047-1f00-0000-910e-d9c650140000 pid=5200 /usr/bin/pgrep guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5192->guuid=a11ce047-1f00-0000-910e-d9c650140000 pid=5200 execve guuid=484a7b6d-1f00-0000-910e-d9c655140000 pid=5205 /usr/bin/whoami guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5197->guuid=484a7b6d-1f00-0000-910e-d9c655140000 pid=5205 execve guuid=a20f166e-1f00-0000-910e-d9c656140000 pid=5206 /usr/bin/bash guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5197->guuid=a20f166e-1f00-0000-910e-d9c656140000 pid=5206 execve guuid=c3b2a78d-1f00-0000-910e-d9c65a140000 pid=5210 /var/tmp/.test_exec.sh guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5197->guuid=c3b2a78d-1f00-0000-910e-d9c65a140000 pid=5210 execve guuid=2b331fad-1f00-0000-910e-d9c65c140000 pid=5212 /d6183348/7f7a69df guuid=29ab0d2b-1f00-0000-910e-d9c648140000 pid=5197->guuid=2b331fad-1f00-0000-910e-d9c65c140000 pid=5212 clone guuid=3852335c-1f00-0000-910e-d9c653140000 pid=5203 /usr/bin/bash guuid=bd99965b-1f00-0000-910e-d9c652140000 pid=5202->guuid=3852335c-1f00-0000-910e-d9c653140000 pid=5203 clone guuid=bd1d3c5c-1f00-0000-910e-d9c654140000 pid=5204 /usr/bin/bash guuid=bd99965b-1f00-0000-910e-d9c652140000 pid=5202->guuid=bd1d3c5c-1f00-0000-910e-d9c654140000 pid=5204 clone guuid=d943796f-1f00-0000-910e-d9c657140000 pid=5207 /usr/bin/bash guuid=a20f166e-1f00-0000-910e-d9c656140000 pid=5206->guuid=d943796f-1f00-0000-910e-d9c657140000 pid=5207 clone guuid=360a856f-1f00-0000-910e-d9c658140000 pid=5208 /usr/bin/bash guuid=a20f166e-1f00-0000-910e-d9c656140000 pid=5206->guuid=360a856f-1f00-0000-910e-d9c658140000 pid=5208 clone
Gathering data
Threat name:
Linux.PUA.Maltiverza
Status:
Malicious
First seen:
2026-05-11 17:32:09 UTC
File Type:
ELF64 Little (Exe)
AV detection:
9 of 36 (25.00%)
Threat level:
  1/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution linux persistence privilege_escalation upx
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Reads CPU attributes
Creates/modifies Cron job
Enumerates running processes
Write file to user bin folder
Executes dropped EXE
Renames itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Rule name:golang_binary_string
Description:Golang strings present
Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:ProgramLanguage_Golang
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:upx_packed_elf_v1
Author:RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments