MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3656781384f3a2002a60212eb46cdac53a760fde20681e221c56f96cdfe9824d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3656781384f3a2002a60212eb46cdac53a760fde20681e221c56f96cdfe9824d
SHA3-384 hash: ab18ca1c233847155e5e1b234bc3da9542145e21b518040e3fffeff8bc4aad2dd6d5d3813195e4196b29358876fc7697
SHA1 hash: 0de04fdbf625ca669ff57d19ae62b15398633b9b
MD5 hash: 69d9e02beca7c945bd9b7070e3b51dc0
humanhash: thirteen-mango-utah-chicken
File name:liblunm.so
Download: download sample
File size:2'960'384 bytes
First seen:2026-03-17 17:40:08 UTC
Last seen:Never
File type: elf
MIME type:application/x-sharedlib
ssdeep 24576:Dwmp5yyeMV8mrEbJ6nYF9TXzQGKrwP57wD338zwu8EQsOWtNKn:D1alCW9XdWEftN
TLSH T1C4D5C133F4062A27D6CAE034F92717D57724265813E5A3146A1FE026FE525DECA27EC3
telfhash t1a2a4ae3a7e717769f7a7220710bf06a997fc15921642aeb1641403861c1fb33ab7b07e
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter johnk3r
Tags:banker BeatBanker elf


Avatar
johnk3r
------------------------------------------------------------
Base: 0x003d3988
Claves: 95
Descifrado: "android.getPackageManager...............()Landroid/co.tent/pm/PackageManager;...........android/content/SharedPreference.p..:.Y.!.@......A...+%"
------------------------------------------------------------
Base: 0x003d3b00
Claves: 195
Descifrado: "t/Context;)V....android/os/Build....CPU_ABI.....Ljava/lang/String;..x86.equals..(Ljava/lang/Object;)Z...x86_64..SUPPORTED_ABIS..loadClass.......java/lang/Object................Ljava/lang/Object;..............(Ljava/lang/Throwable;)V....MANUFACTU"
------------------------------------------------------------
Base: 0x003d3d00
Claves: 202
Descifrado: "own.generic.....com.example.virusscanbypassbootstrapper.DexLoader...............java/lang/ClassLoader...loadDex.com.msyw.rstkaz.eHXCuRg.........(Ljava/lang/String;)Ljava/lang.Class;...Pvhmg6whhhi.............getSharedPreferences............(Ljava/lang/"
------------------------------------------------------------
Base: 0x003d3e00
Claves: 195
Descifrado: "ng;I)Landroid/content/SharedPreferences;....v...getBoolean......(Ljava/lang/String;Z)Z..getAssets...............()Landroid/content/res/AssetManager;............puxutcvicmo0re9s................android/content/res/AssetManager....open........(Ljav"
------------------------------------------------------------
Base: 0x003d3f00
Claves: 203
Descifrado: "ng;)Ljava/io/InputStream;.......java/io/InputStream.available...()I.............java/lang/NegativeArraySizeException............negative array size.read....close...()V.........fmxpj0gxrzhp4bf44tcdzjau.ahg1wijduvhq5oi3f177jk.u6jhkjivcmjhb7sm....getBytes"
------------------------------------------------------------
Base: 0x003d4000
Claves: 228
Descifrado: "(Ljava/nio/charset/Charset;)[B..java/lang/ArithmeticException...divide by zero..java/nio/ByteBuffer.wrap........([B)Ljava/nio/ByteBuffer;...getClassLoader......()Ljava/lang/ClassLoader;.......dalvik/system/InMemoryDexClassLoader....<init>..(Ljava/nio/ByteB..5..C#..0....9Ljz"
------------------------------------------------------------
Base: 0x003d4100
Claves: 214
Descifrado: "uffer;Ljava/lang/ClassLoader;)V.java/lang/Class.Ljava/lang/Class;...getMethod...(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;................hhxhqmiqmgckcwpl/0jbdd60g.......java/lang/reflect/Method....invoke..............(Ljava/lang/Objec.~"
------------------------------------------------------------

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Result
Verdict:
Clean
Maliciousness:
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
gcc masquerade
Link:
https://www.filescan.io/uploads/69b992054678eefbc7ad91ef/reports/ca589108-0187-4bb4-afbd-f1444f2dead1/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
arm
Packer:
not packed
Botnet:
unknown
Number of open files:
0
Number of processes launched:
0
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/3656781384f3a2002a60212eb46cdac53a760fde20681e221c56f96cdfe9824d
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Unknown
File Type:
elf.64.le
Link:
https://opentip.kaspersky.com/3656781384f3a2002a60212eb46cdac53a760fde20681e221c56f96cdfe9824d/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/21c0e57f-2492-4546-ba61-ab1388e8caf4
Behavior Graph:
Download SVG
%3 guuid=4747e692-1600-0000-d3c7-5c414c0f0000 pid=3916 /usr/bin/sudo guuid=5257b194-1600-0000-d3c7-5c41580f0000 pid=3928 /tmp/sample.bin guuid=4747e692-1600-0000-d3c7-5c414c0f0000 pid=3916->guuid=5257b194-1600-0000-d3c7-5c41580f0000 pid=3928 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/92777ee5-66f8-42ef-8fb7-0cc7dd47c0f0
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
1 / 100
Link:
https://www.joesandbox.com/analysis/1885084
Behaviour
Behavior Graph:
n/a
Score:
26%
Verdict:
Benign
File Type:
ELF
Link:
https://malprob.io/report/3656781384f3a2002a60212eb46cdac53a760fde20681e221c56f96cdfe9824d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3656781384f3a2002a60212eb46cdac53a760fde20681e221c56f96cdfe9824d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gzlhqe4e6oraaktaeexli3g2yu5hmd66ebub4iq4k34wzx7jqjgq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/260317-v82gmscx7k/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3656781384f3a2002a60212eb46cdac53a760fde20681e221c56f96cdfe9824d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

apk 51b187d9941dff77a25d26fc6d33c2eea533ff6d1e590e3e4c872685933c1e1d

elf 3656781384f3a2002a60212eb46cdac53a760fde20681e221c56f96cdfe9824d

(this sample)

  
X
https://x.com/johnk3r/status/2033631773704241613
  
Dropped by
SHA256 51b187d9941dff77a25d26fc6d33c2eea533ff6d1e590e3e4c872685933c1e1d
  
Dropped by
MD5 5983bbc22e2adb48f432b54307e5828f

Comments