MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15082619f1f2fc0d34de15cf4da69f0f9f33d9c9820d4a53d5bfce9b7c8deec1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Tsunami


Vendor detections: 3


Intelligence 3 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15082619f1f2fc0d34de15cf4da69f0f9f33d9c9820d4a53d5bfce9b7c8deec1
SHA3-384 hash: 473578d1a4a41dd6d0276f7a1749a3dcbbda68898dd7893ac00cae7a885799351cd13e0b5f2789a6b1a4f4b2856e7623
SHA1 hash: 767ecc993a8ca964ea8ec244f53cdb42f977c036
MD5 hash: a67b3bdfa98779f99a5d86dc7d03d2a3
humanhash: spaghetti-football-colorado-triple
File name:a67b3bdfa98779f99a5d86dc7d03d2a3
Download: download sample
Signature Tsunami
Create hunting rule
File size:54'868 bytes
First seen:2022-04-16 21:41:06 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 768:CIb3LSIDvF3UjlsKpIIdqc7HaJojZHv3gc1cfaakOt/wPlm4C8cKMI:CISIJ3rKpIIdl76Ojh3fEwP9C8XM
TLSH T1B8336CA3D8252E35C6399975B030AA386763D49481471FBE74AEC23D9343F8DF6463B8
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter zbetcheckin
Tags:32 elf renesas Tsunami

Intelligence

File Origin
# of uploads :
1
# of downloads :
393
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Tsunami-5
Create hunting rule

Unix.Dropper.Mirai-7136288-0
Create hunting rule

Unix.Trojan.Tsunami-7644569-0
Create hunting rule

Unix.Trojan.Tsunami-7644790-0
Create hunting rule

Unix.Trojan.Tsunami-7645187-0
Create hunting rule

Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
anti-debug remote.exe
Link:
https://www.filescan.io/uploads/625b382aeab80a7a6c291355/reports/edc76aa7-735a-4cd5-9a77-2e8a0aa14ae3/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/63505c57-aa84-476c-b4a1-a144bfdf983c
Result
Threat name:
Muhstik Tsunami
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/977742
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses IRC for communication with a C&C
Yara detected Muhstik
Yara detected Tsunami
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 610229 Sample: zqvTYrc324 Startdate: 16/04/2022 Architecture: LINUX Score: 84 45 45.95.55.24, 38660, 6667 LUMASERVLUMASERVSystemsDE Germany 2->45 47 109.202.202.202, 80 INIT7CH Switzerland 2->47 49 2 other IPs or domains 2->49 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 3 other signatures 2->57 9 systemd logrotate 2->9         started        11 zqvTYrc324 2->11         started        13 systemd install 2->13         started        15 2 other processes 2->15 signatures3 process4 process5 17 logrotate sh 9->17         started        19 logrotate sh 9->19         started        21 logrotate sh 9->21         started        25 4 other processes 9->25 23 zqvTYrc324 11->23         started        process6 27 sh invoke-rc.d 17->27         started        29 sh rsyslog-rotate 19->29         started        31 sh rsyslog-rotate 21->31         started        process7 33 invoke-rc.d runlevel 27->33         started        35 invoke-rc.d systemctl 27->35         started        37 invoke-rc.d ls 27->37         started        39 invoke-rc.d systemctl 27->39         started        41 rsyslog-rotate systemctl 29->41         started        43 rsyslog-rotate systemctl 31->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15082619f1f2fc0d34de15cf4da69f0f9f33d9c9820d4a53d5bfce9b7c8deec1/
Threat name:
Linux.Backdoor.Tsunami
Create hunting rule
Status:
Malicious
First seen:
2022-04-16 21:42:04 UTC
File Type:
ELF32 Little (Exe)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/15082619f1f2fc0d34de15cf4da69f0f9f33d9c9820d4a53d5bfce9b7c8deec1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_irc_catcher
Create hunting rule
Author:@_lubiedo
Description:Find new ELF IRC samples
Rule name:Tsunami_Backdoor
Create hunting rule
Author:@is_henderson
Description:Tsunami Backdoor

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Tsunami

elf 15082619f1f2fc0d34de15cf4da69f0f9f33d9c9820d4a53d5bfce9b7c8deec1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2150787/

Comments


Avatar
zbet commented on 2022-04-16 21:41:09 UTC

url : hxxp://45.95.55.24/bins/meow.sh4