MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 004548173dbdf52d5efc61fd0b4b1a7c14261bc2339873b638a52e8d37ba9924. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 004548173dbdf52d5efc61fd0b4b1a7c14261bc2339873b638a52e8d37ba9924
SHA3-384 hash: a82d94cb0fcdf62bf9dbe55e8ac704593edc80fb7c5cbc7377062ce0e484c62d18bc44490ada2a1176ca15c5b0750254
SHA1 hash: 66c7ac9ac3098314ff2c88456cab8f7406496542
MD5 hash: 50e8bdbc8f9e83ab567a6fd2012d9680
humanhash: fanta-blue-maryland-autumn
File name:arm926t
Download: download sample
File size:480'792 bytes
First seen:2025-06-11 03:01:50 UTC
Last seen:2025-06-11 13:12:01 UTC
File type: elf
MIME type:application/x-executable
ssdeep 12288:ndLGtVtlmIHk6Rtx02O6R+9X8C5SGEzf:pGntlzJx02O6E9X8XG
TLSH T1D2A41294E9819B62C2C801BFFF0F45BC77A31F65E1EA71068D16EB1662D745A4F7E800
telfhash t186c08c8c0fd401beba7d72a203bef2bf61a072f0be0224920404eb6f074c584028144c
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Siggen.9148.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32055.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32057.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6848f1be8bd5d68a12e79d30linux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Runs as daemon
Connection attempt
Collects information on the CPU
Changes access rights for a written file
Receives data from a server
Locks files
DNS request
Opens a port
Sends data to a server
Launching a process
Changes the time when the file was created, accessed, or modified
Creating a file in the %temp% directory
Creating a file
Creates directories
Creates or modifies files in /cron to set up autorun
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
exploit gcc lolbin remote
Link:
https://www.filescan.io/uploads/6848f1bd985349514e6224e4/reports/18f1b9a2-7134-4d0c-8be2-01a65be38b4c/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
arm
Packer:
custom
Botnet:
unknown
Number of open files:
103
Number of processes launched:
10
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/004548173dbdf52d5efc61fd0b4b1a7c14261bc2339873b638a52e8d37ba9924
Behaviour
Anti-VM
Persistence
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.1:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 188.42.55.92:6881
type: 89.207.71.47:6881
type: 44.200.85.28:6881
type: 86.179.75.131:6881
type: 91.225.20.2:6881
type: 109.229.252.8:6881
type: 37.247.18.101:6881
type: 136.169.56.156:6881
type: 89.142.65.101:6881
type: 78.81.167.158:6881
type: 18.221.7.72:6881
type: 94.181.120.57:6881
type: 87.119.114.120:6881
type: 84.147.74.154:6881
type: 95.47.148.241:6881
type: 98.178.140.108:6881
type: 94.23.5.50:6881
type: 79.31.173.61:6881
type: 24.68.12.61:6881
type: 98.188.186.31:6881
type: 45.238.109.17:6881
type: 168.138.187.232:6881
type: 119.77.172.46:6881
type: 217.85.208.159:6881
type: 59.61.184.51:6881
type: 81.90.118.64:6881
type: 113.69.26.204:6881
type: 46.147.156.192:6881
type: 222.64.108.243:6881
type: 102.35.142.94:6881
type: 92.98.36.52:6881
type: 78.80.218.165:6881
type: 84.171.43.196:6881
type: 114.129.184.136:6881
type: 75.71.13.42:6881
type: 78.10.183.3:6881
type: 177.236.76.5:6881
type: 111.99.249.214:6881
type: 13.58.27.33:6881
type: 54.214.62.31:6881
type: 107.173.127.249:6881
type: 148.135.106.206:6881
type: 54.214.62.55:6881
type: 176.78.117.7:6881
type: 123.51.21.223:6881
type: 89.143.175.86:6881
type: 1.243.49.89:6881
type: 24.125.217.45:6881
type: 138.219.250.24:6881
type: 178.162.173.231:28001
type: 178.162.173.160:28013
type: 213.227.151.25:28013
type: 178.162.174.241:28013
type: 130.239.18.158:8539
type: 15.235.82.46:47265
type: 5.196.7.57:50722
type: 85.225.150.203:12361
type: 45.203.151.81:6880
type: 69.164.203.179:6880
type: 45.203.206.54:6880
type: 45.203.211.8:6880
type: 45.203.154.94:6880
type: 195.154.233.74:6880
type: 173.230.130.111:6880
type: 52.71.188.191:6880
type: 45.128.27.34:52278
type: 76.68.232.28:53592
type: 178.162.174.178:28003
type: 178.162.174.236:28003
type: 178.162.173.91:28003
type: 178.162.174.233:28003
type: 213.198.29.150:51413
type: 185.158.114.210:51413
type: 85.17.121.208:51413
type: 37.187.19.231:51413
type: 185.107.44.197:51413
type: 37.112.167.204:51413
type: 103.139.49.10:51413
type: 5.39.86.93:51413
type: 51.158.148.75:51413
type: 46.38.240.121:51413
type: 75.158.108.182:51413
type: 89.133.143.78:51413
type: 103.67.31.217:51413
type: 84.203.73.139:51413
type: 50.39.222.167:51413
type: 82.66.63.134:51413
type: 209.209.8.172:51413
type: 95.168.175.9:51413
type: 130.239.18.158:8513
type: 46.232.211.96:29809
type: 46.232.211.237:64332
type: 95.211.198.7:28009
type: 69.50.95.40:10092
type: 91.166.145.85:54440
type: 146.212.14.158:23657
type: 212.7.200.87:31261
type: 185.203.56.59:27492
type: 47.253.133.113:60020
type: 77.91.87.169:32000
type: 112.91.94.70:6882
type: 45.153.188.161:6882
type: 94.23.215.83:6882
type: 54.194.137.170:6882
type: 69.21.112.232:6882
type: 201.253.139.64:6882
type: 178.162.173.222:28002
type: 95.211.216.167:28002
type: 178.162.174.82:28002
type: 178.162.174.227:28002
type: 178.162.173.228:28005
type: 178.162.173.203:28005
type: 178.162.173.226:28005
type: 89.143.139.62:34618
type: 217.23.1.103:6889
type: 59.125.64.244:6889
type: 176.128.145.98:6889
type: 188.153.165.122:6889
type: 83.21.21.28:6889
type: 84.74.59.127:6889
type: 69.127.85.1:25628
type: 185.21.217.9:59151
type: 37.27.113.233:56580
type: 116.46.125.132:40854
type: 93.91.116.123:17446
type: 51.112.110.177:20895
type: 23.158.56.120:12069
type: 118.208.238.76:53448
type: 23.162.56.55:10022
type: 178.162.173.138:28008
type: 185.145.245.151:8671
type: 188.150.96.200:12242
type: 84.216.186.189:2792
type: 83.149.98.185:28012
type: 172.111.38.128:26045
type: 178.162.173.164:28007
type: 95.211.209.139:28007
type: 37.46.16.67:51327
type: 185.250.204.85:33291
type: 46.232.210.43:59944
type: 45.87.251.132:28215
type: 212.7.202.40:28030
type: 37.27.120.51:50000
type: 78.108.197.122:63609
type: 45.87.251.132:28156
type: 86.18.36.149:24461
type: 67.220.85.41:11907
type: 45.87.251.11:28097
type: 104.244.225.128:47567
type: 90.188.36.125:49001
type: 213.128.9.45:49001
type: 94.28.132.21:49001
type: 77.51.1.233:49001
type: 87.225.40.3:49001
type: 5.79.112.147:46572
type: 130.239.18.158:8516
type: 130.239.18.158:8561
type: 185.21.216.160:57286
type: 130.239.18.158:8580
type: 130.239.18.158:8537
type: 46.232.210.167:12859
type: 37.98.252.176:6884
type: 78.81.151.163:23726
type: 69.50.95.40:10035
type: 95.211.210.75:28017
type: 81.171.17.184:21136
type: 95.211.138.114:28011
type: 178.162.173.109:28011
type: 163.172.96.194:49229
type: 95.211.136.213:57087
type: 5.228.112.40:4144
type: 207.153.38.231:46012
type: 72.21.17.12:10181
type: 107.5.161.55:21922
type: 198.204.234.234:56881
type: 158.62.26.226:2404
type: 45.85.138.136:45632
type: 176.63.17.58:4327
type: 112.185.166.156:41034
type: 136.169.53.7:39296
type: 184.14.165.122:57798
type: 88.89.243.34:50739
type: 58.87.193.180:63219
type: 45.229.89.91:9203
type: 219.79.107.225:11487
type: 131.72.84.91:47428
type: 70.50.120.176:32376
type: 213.137.18.9:47365
type: 95.60.130.149:8621
type: 80.47.177.251:8621
type: 109.153.63.62:8621
type: 45.137.83.149:55935
type: 188.37.88.244:51770
type: 14.199.94.24:14627
type: 62.210.209.154:30725
type: 88.132.31.177:49457
type: 178.253.255.185:56876
type: 176.25.149.11:42555
type: 49.191.252.214:37321
type: 179.105.47.40:37321
type: 208.96.134.3:12143
type: 61.213.26.240:21540
type: 14.63.3.41:32880
type: 177.37.185.72:26504
type: 199.247.199.118:14082
type: 193.168.178.165:22611
type: 109.186.50.134:36975
type: 213.82.70.199:64266
type: 193.23.249.49:35422
type: 185.201.121.170:32401
type: 213.28.225.120:5048
type: 37.63.18.150:63520
type: 189.63.225.115:2835
type: 14.39.202.222:8010
type: 68.235.35.124:5548
type: 150.9.186.60:36001
type: 86.169.112.83:54347
type: 200.181.154.23:44379
type: 112.168.172.73:63868
type: 109.160.19.86:61584
type: 181.177.132.47:53030
type: 188.247.198.3:5334
type: 2.155.238.127:62535
type: 179.52.11.55:14613
type: 144.76.175.153:55961
type: 121.133.110.100:32888
type: 49.12.86.202:6883
type: 51.15.19.75:10563
type: 158.69.127.91:51405
type: 95.154.86.51:50773
type: 106.168.226.119:18421
type: 91.234.40.172:35213
type: 123.1.238.207:21726
type: 200.192.101.192:7181
type: 153.179.206.103:26856
type: 211.226.43.45:40847
type: 59.8.130.250:52413
type: 121.182.160.79:62651
type: 178.162.174.1:28004
type: 95.24.66.125:64061
type: 81.23.183.174:2158
type: 45.91.92.120:31856
type: 77.51.203.143:36069
type: 189.28.76.5:43690
type: 73.97.113.183:32861
type: 169.224.12.139:24141
type: 197.43.113.5:63387
type: 194.29.101.83:10240
type: 54.39.107.165:16481
type: 37.187.151.6:38073
type: 5.135.138.216:24180
type: 188.165.198.46:53305
type: 167.250.74.210:44636
type: 181.197.127.1:46557
type: 54.39.52.64:13832
type: 212.7.200.65:49974
type: 86.61.2.78:53784
type: 218.158.255.4:40853
type: 46.232.211.245:64287
type: 185.162.184.33:61010
type: 77.77.26.140:65534
type: 169.150.223.219:64072
type: 176.48.41.128:54462
type: 81.171.10.66:54744
type: 185.203.56.56:26780
type: 178.162.173.48:28015
type: 130.239.18.158:8592
type: 93.103.163.107:34888
type: 221.140.172.122:37941
type: 193.124.205.33:19701
type: 195.24.207.207:4000
type: 49.109.24.25:36734
type: 178.162.149.243:57788
type: 13.114.205.93:6892
type: 35.171.49.86:6892
type: 14.63.97.78:40966
type: 186.22.18.74:17630
type: 45.131.79.43:64078
type: 209.121.27.242:36798
type: 65.108.143.34:41562
type: 95.168.168.159:54367
type: 185.203.56.51:65085
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ae0515a5-28e4-420c-bebc-06e345949186
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1711807
Signature
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1711807 Sample: arm926t.elf Startdate: 11/06/2025 Architecture: LINUX Score: 64 42 68.235.189.168, 47221 VIANET-NOCA Canada 2->42 44 201.253.139.64, 6881, 6882 TelecomArgentinaSAAR Argentina 2->44 46 102 other IPs or domains 2->46 54 Multi AV Scanner detection for submitted file 2->54 10 arm926t.elf configuration 2->10         started        12 dash rm 2->12         started        14 dash rm 2->14         started        signatures3 process4 process5 16 arm926t.elf sh 10->16         started        18 configuration 10->18         started        21 arm926t.elf sh 10->21         started        signatures6 23 sh crontab 16->23         started        27 sh 16->27         started        50 Opens /sys/class/net/* files useful for querying network interface information 18->50 52 Sample reads /proc/mounts (often used for finding a writable filesystem) 18->52 29 configuration 18->29         started        31 sh crontab 21->31         started        process7 file8 40 /var/spool/cron/crontabs/tmp.m9dKpB, ASCII 23->40 dropped 56 Sample tries to persist itself using cron 23->56 58 Executes the "crontab" command typically for achieving persistence 23->58 33 sh crontab 27->33         started        36 configuration 29->36         started        signatures9 process10 signatures11 48 Executes the "crontab" command typically for achieving persistence 33->48 38 configuration 36->38         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/004548173dbdf52d5efc61fd0b4b1a7c14261bc2339873b638a52e8d37ba9924
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/004548173dbdf52d5efc61fd0b4b1a7c14261bc2339873b638a52e8d37ba9924/
Threat name:
Linux.Trojan.SAgnt
Create hunting rule
Status:
Malicious
First seen:
2025-06-11 03:02:22 UTC
File Type:
ELF32 Little (Exe)
AV detection:
13 of 36 (36.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=abcuqfz5xx2s2xx4mh6qwsy2pqkcmg6cgomhhnryuuxi2n52tesa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/250611-djlw8axzhy/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Renames itself
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/004548173dbdf52d5efc61fd0b4b1a7c14261bc2339873b638a52e8d37ba9924

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 004548173dbdf52d5efc61fd0b4b1a7c14261bc2339873b638a52e8d37ba9924

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558478/
  
Delivery method
Distributed via web download

Comments