MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d6d244bc5fef56f70cc864debbb0ec76d561749d08f745ef8bd6da683ddc3b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d6d244bc5fef56f70cc864debbb0ec76d561749d08f745ef8bd6da683ddc3b8
SHA3-384 hash: dd57694e2517e416c305cb642134625c2536da42d48a28590ea7e4d7b443b46ee2171f75a6d040a3f19d980fa5390548
SHA1 hash: c5f693959153af1677ba68b54efb13b7e397924f
MD5 hash: 5103f2ec115aabf3b14f7a6201baefd2
humanhash: video-video-bacon-papa
File name:arm926t
Download: download sample
File size:480'792 bytes
First seen:2025-06-22 17:21:30 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 12288:ndLGtVtlmIHk6Rtx02O6R+9X8C5SGEzf:pGntlzJx02O6E9X8XG
TLSH T121A41294E9819B62C2C801BFFF0F45BC77A31F65E1EA71068D16EB2662D745A4F7E400
telfhash t186c08c8c0fd401beba7d72a203bef2bf61a072f0be0224920404eb6f074c584028144c
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Siggen.9148.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32055.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32057.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68583c6bb06783b9ebd6a1delinux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a file in the %temp% directory
Creates directories
Sends data to a server
Creating a process from a recently created file
Changes the time when the file was created, accessed, or modified
Locks files
Collects information on the CPU
Connection attempt
Changes access rights for a written file
Launching a process
Opens a port
Runs as daemon
Receives data from a server
DNS request
Creates or modifies files in /cron to set up autorun
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
exploit gcc lolbin remote
Link:
https://www.filescan.io/uploads/68583c31f8f8abe4f8b7a557/reports/fe802900-d310-4b9e-967b-6cfdac71459b/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
arm
Packer:
custom
Botnet:
unknown
Number of open files:
103
Number of processes launched:
10
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/4d6d244bc5fef56f70cc864debbb0ec76d561749d08f745ef8bd6da683ddc3b8
Behaviour
Anti-VM
Persistence
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.1:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 178.69.209.93:6881
type: 91.203.188.18:6881
type: 63.247.211.162:6881
type: 95.66.217.20:6881
type: 79.148.92.59:6881
type: 101.58.40.131:6881
type: 77.78.35.133:6881
type: 116.202.197.51:6881
type: 91.180.76.236:6881
type: 91.226.144.239:6881
type: 51.255.81.113:6881
type: 91.228.43.132:6881
type: 37.79.226.39:6881
type: 81.228.53.183:6881
type: 188.83.111.55:6881
type: 101.177.66.36:6881
type: 183.48.32.216:6881
type: 217.94.150.202:6881
type: 65.184.197.118:6881
type: 91.107.31.181:6881
type: 5.58.139.252:6881
type: 88.97.255.29:6881
type: 51.15.20.12:6881
type: 51.15.117.118:6881
type: 5.178.168.203:6881
type: 18.223.137.220:6881
type: 45.21.217.25:6881
type: 96.51.153.150:6881
type: 109.229.111.50:6881
type: 176.57.78.139:6881
type: 222.152.176.154:6881
type: 139.162.168.10:6881
type: 75.119.138.164:6881
type: 86.38.200.129:6881
type: 178.162.174.222:28014
type: 88.198.230.221:49668
type: 185.21.216.185:60731
type: 130.239.18.158:8515
type: 213.227.151.25:28013
type: 178.162.174.46:28013
type: 178.162.174.132:28013
type: 95.211.247.101:28013
type: 178.162.174.45:28013
type: 178.162.174.43:28004
type: 130.239.18.158:8524
type: 135.181.238.57:50000
type: 135.181.227.244:50000
type: 37.27.117.57:50000
type: 37.27.117.56:50000
type: 37.27.117.117:50000
type: 37.27.107.114:50000
type: 37.27.107.119:50000
type: 37.27.119.182:50000
type: 37.27.107.121:50000
type: 135.181.7.104:50000
type: 37.27.119.190:50000
type: 65.21.129.56:50000
type: 135.181.238.118:50000
type: 65.21.125.174:50000
type: 37.27.117.248:50000
type: 135.181.223.104:50000
type: 65.21.33.212:50000
type: 37.27.120.54:50000
type: 95.216.11.144:50000
type: 37.27.117.181:50000
type: 162.55.84.208:50000
type: 188.163.4.121:29397
type: 5.158.13.181:56009
type: 178.162.174.45:28015
type: 195.201.179.130:16489
type: 185.203.56.20:11200
type: 45.154.86.160:51413
type: 178.70.30.2:51413
type: 77.37.202.165:51413
type: 213.178.38.41:51413
type: 193.105.124.4:51413
type: 5.39.95.146:51413
type: 5.135.158.154:51413
type: 5.9.21.93:51413
type: 188.166.98.93:51413
type: 5.39.29.70:51413
type: 188.165.192.75:51413
type: 51.68.121.222:51413
type: 81.169.246.204:51413
type: 185.100.232.154:51413
type: 195.201.179.130:16309
type: 130.239.18.158:8500
type: 195.154.233.74:6880
type: 3.141.159.213:6880
type: 3.12.65.135:6880
type: 148.153.170.2:6880
type: 45.203.151.67:6880
type: 45.203.212.2:6880
type: 45.203.155.80:6880
type: 50.17.19.6:6880
type: 44.208.219.89:6880
type: 130.239.18.158:8580
type: 130.239.18.158:8516
type: 178.162.173.91:28003
type: 178.162.173.105:28003
type: 95.211.209.139:28003
type: 178.162.173.70:28003
type: 130.239.18.158:8513
type: 95.211.110.228:28012
type: 178.162.174.163:28012
type: 89.149.202.13:28035
type: 5.39.94.219:45467
type: 142.202.48.88:10099
type: 213.227.151.231:24536
type: 168.70.118.129:21239
type: 91.199.227.114:11696
type: 198.98.53.161:58061
type: 112.120.184.182:27688
type: 181.197.31.14:11186
type: 89.149.202.17:28018
type: 185.132.178.224:6886
type: 118.39.177.186:57253
type: 69.159.163.68:35407
type: 172.111.38.128:26042
type: 46.232.211.130:16609
type: 46.232.211.211:58145
type: 95.168.168.234:52277
type: 178.162.174.102:28009
type: 185.203.56.70:55836
type: 46.232.211.211:64183
type: 80.99.1.146:37235
type: 81.9.135.5:33333
type: 178.162.173.232:28000
type: 178.162.174.143:28000
type: 178.162.174.28:28000
type: 76.50.4.52:11934
type: 65.108.11.21:54305
type: 195.154.172.179:22734
type: 99.30.155.57:55593
type: 70.72.188.117:56264
type: 5.50.130.108:52821
type: 185.203.56.69:62518
type: 185.203.56.68:62927
type: 83.149.84.32:28008
type: 172.96.121.2:6884
type: 185.203.56.38:61855
type: 187.188.191.206:8081
type: 190.32.161.86:26085
type: 212.7.200.93:23999
type: 178.162.173.89:28007
type: 178.162.173.167:28007
type: 5.135.165.33:6331
type: 89.115.161.132:10772
type: 93.159.22.170:11283
type: 185.21.217.9:63904
type: 178.162.174.93:28001
type: 93.37.112.206:32944
type: 208.72.84.204:49162
type: 174.160.86.190:51465
type: 207.68.242.166:50321
type: 213.168.178.121:7881
type: 83.51.144.137:6889
type: 126.91.19.190:6889
type: 222.231.100.162:6889
type: 178.162.174.35:28005
type: 79.143.18.210:60559
type: 121.106.217.237:10179
type: 188.165.231.77:52072
type: 185.203.56.49:57535
type: 220.119.153.51:41205
type: 192.99.62.203:45362
type: 24.53.253.197:51515
type: 14.47.224.234:32451
type: 126.200.151.228:38018
type: 120.156.25.156:57960
type: 95.168.168.200:42240
type: 46.9.28.235:56006
type: 218.158.78.117:33068
type: 217.178.232.203:3053
type: 147.235.230.234:16381
type: 57.129.45.81:8657
type: 3.125.33.61:20965
type: 120.88.22.178:12356
type: 84.15.222.250:4332
type: 37.27.113.233:33566
type: 176.31.182.150:52806
type: 72.21.17.53:16714
type: 112.161.57.139:58988
type: 193.223.247.31:27666
type: 45.87.251.138:28037
type: 37.63.78.28:50199
type: 37.237.206.20:47164
type: 195.154.185.217:26327
type: 82.77.98.99:44615
type: 72.180.243.0:41732
type: 89.149.225.105:9963
type: 59.23.124.239:33171
type: 121.128.53.241:7779
type: 121.181.41.229:41078
type: 82.20.115.151:45311
type: 46.232.210.46:64154
type: 88.241.48.197:20263
type: 113.197.146.74:6888
type: 186.28.35.99:6888
type: 177.104.131.83:5881
type: 144.76.175.153:42994
type: 43.156.26.93:60020
type: 38.54.98.21:60020
type: 121.170.203.252:31903
type: 14.32.74.86:41010
type: 80.46.80.63:54737
type: 70.160.162.169:34082
type: 90.107.31.39:42251
type: 89.115.56.248:12919
type: 50.53.208.103:45640
type: 38.212.23.34:27032
type: 152.53.45.107:7085
type: 94.23.215.83:6882
type: 188.165.201.120:6882
type: 122.192.133.232:6882
type: 72.21.17.6:26573
type: 18.196.86.103:6892
type: 186.44.99.99:45870
type: 111.220.26.93:10198
type: 107.173.149.140:6339
type: 18.196.86.103:6992
type: 137.74.200.136:10924
type: 194.29.101.83:10240
type: 78.142.231.133:6767
type: 83.149.72.73:28011
type: 5.79.67.32:50897
type: 72.21.17.73:13508
type: 14.38.132.204:33015
type: 220.70.23.126:62064
type: 80.188.211.117:6599
type: 175.182.108.62:14351
type: 186.227.72.160:33876
type: 95.145.226.116:14821
type: 118.159.0.81:24354
type: 118.38.99.163:33036
type: 95.168.161.96:16881
type: 46.232.210.212:64219
type: 80.142.135.207:15576
type: 46.185.14.210:32000
type: 23.225.41.122:17315
type: 188.237.174.222:60544
type: 93.156.197.106:2949
type: 115.166.11.46:20822
type: 74.48.71.194:50007
type: 91.199.227.109:23320
type: 82.36.151.34:6205
type: 187.73.25.99:22801
type: 51.159.79.241:6113
type: 51.159.34.169:62470
type: 208.87.240.21:11162
type: 84.252.95.149:34480
type: 196.196.53.136:37640
type: 187.250.51.153:22129
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/f1e95943-5730-4851-a0f9-b8cfc96f7490
Behavior Graph:
Download SVG
%3 guuid=fcb597c1-1f00-0000-e5ee-ab0b38060000 pid=1592 /usr/bin/sudo guuid=e09b6fc4-1f00-0000-e5ee-ab0b42060000 pid=1602 /tmp/sample.bin guuid=fcb597c1-1f00-0000-e5ee-ab0b38060000 pid=1592->guuid=e09b6fc4-1f00-0000-e5ee-ab0b42060000 pid=1602 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/57833621-d2fa-4188-8086-53cbcdb8dea8
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1720344
Signature
Executes the "crontab" command typically for achieving persistence
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1720344 Sample: arm926t.elf Startdate: 22/06/2025 Architecture: LINUX Score: 56 41 185.177.126.221, 6881, 6883 WORLDSTREAMNL Netherlands 2->41 43 204.12.208.37, 6881 WIIUS United States 2->43 45 101 other IPs or domains 2->45 9 arm926t.elf configuration 2->9         started        11 dash rm 2->11         started        13 dash rm 2->13         started        process3 process4 15 arm926t.elf sh 9->15         started        17 configuration 9->17         started        20 arm926t.elf sh 9->20         started        signatures5 22 sh crontab 15->22         started        26 sh 15->26         started        49 Opens /sys/class/net/* files useful for querying network interface information 17->49 51 Sample reads /proc/mounts (often used for finding a writable filesystem) 17->51 28 configuration 17->28         started        30 sh crontab 20->30         started        process6 file7 39 /var/spool/cron/crontabs/tmp.2YMnT9, ASCII 22->39 dropped 53 Sample tries to persist itself using cron 22->53 55 Executes the "crontab" command typically for achieving persistence 22->55 32 sh crontab 26->32         started        35 configuration 28->35         started        signatures8 process9 signatures10 47 Executes the "crontab" command typically for achieving persistence 32->47 37 configuration 35->37         started        process11
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/4d6d244bc5fef56f70cc864debbb0ec76d561749d08f745ef8bd6da683ddc3b8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d6d244bc5fef56f70cc864debbb0ec76d561749d08f745ef8bd6da683ddc3b8/
Threat name:
Linux.Trojan.SAgnt
Create hunting rule
Status:
Malicious
First seen:
2025-06-22 17:28:38 UTC
File Type:
ELF32 Little (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jvwsis6f732w64gmqzg6xoyoy5wvmf2j2chxixxyxvw2na65yo4a._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/250622-vym69svtfs/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Renames itself
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/143d8d30-d243-4e16-8768-a0b019be420c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d6d244bc5fef56f70cc864debbb0ec76d561749d08f745ef8bd6da683ddc3b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 4d6d244bc5fef56f70cc864debbb0ec76d561749d08f745ef8bd6da683ddc3b8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558478/
  
Delivery method
Distributed via web download

Comments