MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12f72da07ec2ec6e9d6483ef6ac3dfb955d04f066271c186f60c4f3b34741b22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	12f72da07ec2ec6e9d6483ef6ac3dfb955d04f066271c186f60c4f3b34741b22
SHA3-384 hash:	59ad254ffb77cd4b7278f4a2e2801eb265df51bec547e85793d5f66c79a2673d99bc5a17b9d342d19c30ee3662b7a55e
SHA1 hash:	1a14298818b5c7257244f6c4337e39c3c9d644e3
MD5 hash:	bfb816e6fa7270ab6d070fff580b028e
humanhash:	green-harry-neptune-winter
File name:	amd64
Download:	download sample
File size:	482'032 bytes
First seen:	2025-06-20 11:12:42 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	12288:iD6LPBCvMk0O9na1M80cLt9i5aIaTtpc4W:2+QGO9naz0Szi5anTtR
TLSH	T1DFA41212E290D8FEC4DAC070469FD27BFD7A7C544234BC6B6198F7322B3AE601B16A55
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Siggen.9080.UNOFFICIAL

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL

Sanesecurity.Malware.31951.LX.BOT.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6855426e38813cf1bf1b1602linux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creates directories

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

exploit gcc lolbin remote

Link:

https://www.filescan.io/uploads/6855426d3faf8fcd7d383686/reports/084a243d-df7c-497e-a75f-2795564d1214/overview

Verdict:

Malicious

Uses P2P?:

true

Uses anti-vm?:

true

Architecture:

x86

Packer:

custom

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

60104

Full report:

https://elfdigest.com/brief/12f72da07ec2ec6e9d6483ef6ac3dfb955d04f066271c186f60c4f3b34741b22

Behaviour

Anti-VM

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 89.222.148.44:6881
type: 73.208.41.226:6881
type: 84.41.76.253:6881
type: 88.98.93.170:6881
type: 112.173.3.91:6881
type: 178.69.209.93:6881
type: 112.118.59.9:6881
type: 195.138.67.124:6881
type: 78.150.109.28:6881
type: 70.51.53.103:6881
type: 54.70.28.180:6881
type: 18.221.7.72:6881
type: 124.171.68.17:6881
type: 140.82.46.150:6881
type: 176.221.7.168:6881
type: 88.207.4.148:6881
type: 218.40.234.102:6881
type: 92.159.139.30:6881
type: 112.148.175.218:6881
type: 46.72.201.135:6881
type: 85.15.107.13:6881
type: 169.150.223.223:6881
type: 116.86.8.213:6881
type: 186.229.166.164:6881
type: 178.38.165.4:6881
type: 91.138.73.63:6881
type: 97.115.90.68:6881
type: 93.62.159.187:6881
type: 194.5.60.172:6881
type: 83.33.142.189:6881
type: 13.58.27.33:6881
type: 116.15.85.107:6881
type: 35.167.186.212:6881
type: 75.119.138.164:6881
type: 192.227.221.84:6881
type: 18.218.241.3:6881
type: 18.190.61.127:6881
type: 45.92.156.113:6881
type: 54.70.174.84:6881
type: 37.77.130.194:6881
type: 144.217.72.98:6881
type: 188.124.126.47:6881
type: 188.90.169.20:51413
type: 5.128.41.100:51413
type: 167.71.57.202:51413
type: 5.135.155.133:51413
type: 75.82.168.34:51413
type: 37.187.17.173:51413
type: 95.79.163.212:51413
type: 51.158.148.75:51413
type: 77.81.174.65:51413
type: 51.77.151.41:51413
type: 95.31.9.189:51413
type: 95.220.123.207:51413
type: 115.39.77.108:51413
type: 76.136.208.255:51413
type: 87.239.143.139:51413
type: 178.254.54.227:51413
type: 90.8.237.26:51413
type: 88.97.78.67:51413
type: 67.220.85.41:11866
type: 42.2.200.246:21286
type: 126.79.120.14:6889
type: 95.221.175.249:6889
type: 78.83.64.26:17703
type: 130.239.18.158:8508
type: 130.239.18.158:8521
type: 217.121.231.94:59625
type: 142.202.48.88:14065
type: 70.53.117.132:22182
type: 178.162.173.91:28003
type: 178.162.173.56:28003
type: 178.162.173.74:28003
type: 130.239.18.158:8537
type: 62.210.201.217:8642
type: 95.211.127.54:28011
type: 178.162.174.43:28004
type: 178.162.174.40:28004
type: 130.239.18.158:8524
type: 130.239.18.158:8575
type: 51.159.139.207:49001
type: 188.32.180.95:49001
type: 95.221.247.11:49001
type: 77.234.25.120:49001
type: 5.20.158.155:49001
type: 5.143.3.132:49001
type: 149.18.25.11:8999
type: 178.162.174.84:28000
type: 57.129.45.81:8643
type: 178.162.174.76:28007
type: 178.162.173.139:28007
type: 178.162.173.24:28007
type: 178.162.174.227:28001
type: 45.87.251.6:28001
type: 81.171.22.205:28013
type: 178.162.173.220:28013
type: 108.181.88.65:23271
type: 47.201.123.125:58017
type: 60.67.86.96:25148
type: 71.89.14.180:64514
type: 14.45.175.146:14359
type: 51.195.223.60:8661
type: 69.50.95.40:12020
type: 142.161.92.214:63987
type: 5.12.118.142:45597
type: 72.21.17.97:60386
type: 185.203.56.53:25320
type: 51.159.104.61:8940
type: 5.79.80.223:28014
type: 178.162.174.224:28014
type: 178.162.174.222:28014
type: 178.162.173.3:28010
type: 178.162.173.141:28010
type: 130.239.18.158:8547
type: 37.59.61.17:52295
type: 130.239.18.158:8510
type: 46.232.210.29:63353
type: 46.232.210.119:64100
type: 135.181.227.244:50000
type: 135.181.238.57:50000
type: 130.239.18.158:8515
type: 185.149.91.131:51065
type: 185.21.216.190:54634
type: 89.149.200.92:28020
type: 130.239.18.158:8500
type: 195.154.233.74:6880
type: 52.20.184.242:6880
type: 18.217.35.30:6880
type: 130.239.18.158:8507
type: 89.10.146.93:11709
type: 59.148.82.131:25743
type: 119.247.152.111:46438
type: 50.85.209.39:58888
type: 89.149.235.158:15151
type: 45.179.28.218:32095
type: 103.181.40.13:23342
type: 188.165.238.27:59918
type: 184.162.175.135:60836
type: 130.239.18.158:8580
type: 130.239.18.158:8516
type: 130.239.18.158:8513
type: 23.158.56.120:16004
type: 23.158.56.119:10009
type: 73.166.21.30:45182
type: 5.51.14.27:61271
type: 162.251.63.120:10015
type: 185.132.134.245:6884
type: 69.50.95.40:10063
type: 172.111.38.128:26059
type: 185.21.216.131:61247
type: 87.243.107.99:26354
type: 112.82.166.46:6882
type: 93.172.7.100:6882
type: 212.105.153.142:27588
type: 94.61.80.135:26536
type: 123.205.19.130:19222
type: 222.117.124.230:32861
type: 176.111.179.23:8193
type: 14.35.133.100:32769
type: 176.26.54.247:22707
type: 5.79.66.11:54337
type: 185.203.56.9:54923
type: 59.25.108.3:17462
type: 152.165.67.193:24235
type: 50.47.91.242:57325
type: 78.22.194.103:39844
type: 185.21.217.9:60661
type: 185.203.56.12:18410
type: 212.58.120.94:3922
type: 46.232.211.203:64066
type: 221.160.228.25:7813
type: 185.21.216.183:60590
type: 72.252.105.67:39330
type: 146.70.194.103:55549
type: 70.49.158.26:24285
type: 188.26.25.50:51415
type: 61.24.69.193:37385
type: 95.170.181.77:4451
type: 78.21.137.60:46931
type: 51.159.104.59:7227
type: 210.178.108.209:40964
type: 86.188.41.166:19616
type: 37.48.88.155:21190
type: 27.95.245.15:26442
type: 35.171.49.86:6892
type: 220.124.88.98:8084
type: 183.108.219.56:41009
type: 95.211.19.97:3766
type: 112.161.176.55:33095
type: 110.225.46.169:1254
type: 49.204.23.20:27526
type: 195.154.185.217:27841
type: 178.162.173.153:28002
type: 178.162.173.9:28002
type: 186.77.132.61:29422
type: 188.190.72.38:51243
type: 121.129.109.210:40715
type: 172.103.161.42:50739
type: 113.211.211.59:48025
type: 173.93.114.161:52926
type: 61.21.198.224:59015
type: 176.29.155.225:2679
type: 31.135.153.133:17620
type: 54.77.218.23:6992
type: 54.194.135.233:6992
type: 5.107.231.122:40730
type: 121.171.103.122:31352
type: 45.242.212.126:40619
type: 5.79.86.177:55770
type: 78.142.231.133:6767
type: 194.29.101.83:10240
type: 152.53.104.128:10240
type: 152.53.52.107:10240
type: 45.172.69.135:18460
type: 144.76.175.153:56338
type: 176.133.53.168:54411
type: 83.149.84.236:53828
type: 178.162.144.2:4556
type: 37.27.113.233:56919
type: 208.87.240.21:11158
type: 62.73.73.180:54247
type: 220.87.199.26:41217
type: 188.163.40.234:61767
type: 69.50.95.40:10069
type: 23.158.56.119:10068
type: 195.154.178.118:8646
type: 123.255.47.39:18283
type: 79.202.39.141:24791
type: 5.107.87.139:51792
type: 189.215.120.9:40820
type: 148.153.196.6:60020
type: 89.149.202.17:28056
type: 135.19.136.148:43972
type: 61.10.208.92:34357
type: 103.69.224.65:41956
type: 77.250.119.114:58369
type: 58.226.30.78:41037
type: 125.140.170.53:40969
type: 221.149.188.203:40200
type: 93.44.187.77:1239
type: 114.129.190.9:7018
type: 112.72.143.121:50873
type: 86.190.135.7:10180

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/8dc5568e-0b77-4b85-98e5-79a1417230e6

Behavior Graph:

Download SVG

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/3faa7aaf-0673-4bdc-b5eb-97f14918d666

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/12f72da07ec2ec6e9d6483ef6ac3dfb955d04f066271c186f60c4f3b34741b22

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/12f72da07ec2ec6e9d6483ef6ac3dfb955d04f066271c186f60c4f3b34741b22/

Threat name:

Linux.Trojan.Multiverze

Status:

Malicious

First seen:

2025-06-20 11:13:35 UTC

File Type:

ELF64 Little (Exe)

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cl3s3id6ylwg5hleqpxwvq67xfk5atygmjy4dbxwbrhtwndudmra._file

Result

Malware family:

n/a

Score:

6/10

Tags:

antivm defense_evasion discovery execution linux persistence privilege_escalation

Link:

https://tria.ge/reports/250620-nbl75agk81/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to tmp directory

Checks CPU configuration

Checks hardware identifiers (DMI)

Creates/modifies Cron job

Enumerates running processes

Reads MAC address of network interface

Reads hardware information

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6fb092da-b930-40aa-8966-931dc94aec91

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.20

Link:

https://yomi.yoroi.company/submissions/12f72da07ec2ec6e9d6483ef6ac3dfb955d04f066271c186f60c4f3b34741b22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	enterpriseapps2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise apps

Rule name:	enterpriseunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise UNIX

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 12f72da07ec2ec6e9d6483ef6ac3dfb955d04f066271c186f60c4f3b34741b22

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3550686/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample