MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e8fc3f996ff4dc824caf96d0d640dd58df6e2b3d18da5066fb258a14ec8b73c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10



SHA256 hash: 1e8fc3f996ff4dc824caf96d0d640dd58df6e2b3d18da5066fb258a14ec8b73c
SHA3-384 hash: 13c9bac5069d35682461aec90e0e7bf62d8d9fe4480e6a69ae7a875fbe7b1fcb6820b72ebe4435cc3630a023f1c6be9c
SHA1 hash: 2b8dbbd358dd10681901698c5f837f89e86d913b
MD5 hash: e460167d19ecd72dfca7aeb44abfa617
humanhash: five-snake-stream-cold
File name: i686
File size: 587'764 bytes
First seen: 2025-06-26 22:07:51 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 12288:5D+Azf/CVCW3ISw+hRNb3W/aTyA9VV/cZWLnR98V+:5D+AznCVNIZ+vNbG/WYWrR98V
TLSH: T112C42241EAB7C0F2F65349320103E7BF8F33C9099165D2A6D742F661EDB1B424A9E66C
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence


File Origin
# of uploads: 1
# of downloads: 72
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file
Creating a file in the %temp% directory
Creates directories
Sends data to a server
Creating a process from a recently created file
Changes the time when the file was created, accessed, or modified
Locks files
Collects information on the CPU
Connection attempt
Changes access rights for a written file
Launching a process
Opens a port
Runs as daemon
Receives data from a server
DNS request
Creates or modifies files in /cron to set up autorun
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: exploit gcc lolbin remote
Verdict: Malicious
Uses P2P?: true
Uses anti-vm?: true
Architecture: x86
Packer: custom
Botnet: unknown
Number of open files: 72
Number of processes launched: 10
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s):
Status: terminated
Behavior Graph:
Process tree recovered from the behavior graph export: /usr/bin/sudo (pid 3164) execve's /root/.sys/configuration (pid 3165), which execve's two /usr/bin/dash shells (pids 3166 and 3167) and clones a second /root/.sys/configuration (pid 3170, marked zombie); dash pid 3167 clones two further dash processes (pids 3168 and 3169); configuration pid 3170 clones itself through pids 3171, 3172 and 3173. Pid 3173 carries the dns, net, net-scan and send-data markers: it connects to 127.0.0.1:65535, sends 48 bytes to time.cloudflare.com:123, and sends data to 248 IP addresses (the export notes to review the logs to see them all).
Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw
Score: 68 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Behavior Graph ID: 1723829, Sample: i686.elf, Startdate: 27/06/2025, Architecture: LINUX, Score: 68. Process tree recovered from the graph export: i686.elf (configuration) starts two sh processes and a configuration process; the first sh starts crontab and a further sh, which in turn starts crontab, and the second sh also starts crontab; the crontab invocation drops /var/spool/cron/crontabs/tmp.Nbfeja (ASCII) and is flagged with "Sample tries to persist itself using cron" and "Executes the "crontab" command typically for achieving persistence"; the configuration process is flagged for opening /sys/class/net/* files and reading /proc/mounts, and starts a chain of further configuration processes. Network nodes: 2.60.164.10:43578 (ROSTELECOM-ASRU, Russian Federation), 102.142.28.77:43578 (GVA-CanalboxBJ, Gabon) and 102 other IPs or domains. Top-level signatures: Multi AV Scanner detection for submitted file; Connects to many ports of the same IP (likely port scanning).
Threat name: Linux.Trojan.Multiverze
Status: Malicious
First seen: 2025-06-26 22:08:27 UTC
File Type: ELF32 Little (Exe)
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: execution linux persistence privilege_escalation rootkit
Behaviour
Creates/modifies Cron job
Loads a kernel module
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
elf 1e8fc3f996ff4dc824caf96d0d640dd58df6e2b3d18da5066fb258a14ec8b73c (this sample)

Delivery method: Distributed via web download

Comments