MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59a1c19d985aba761302d506a807f2384bb106edefbb5e99c7a664458d12127f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	59a1c19d985aba761302d506a807f2384bb106edefbb5e99c7a664458d12127f
SHA3-384 hash:	a1c2d44e3eaeb8ff602555200072b068506cb831a06905b0e9785cb29782ea45310298939b6015aff0e1a571692bcf79
SHA1 hash:	7a89366da22cfbe1d9a7e4e523a58241ab0ce960
MD5 hash:	0fb5a1a64f9167539d43fb6171de05e8
humanhash:	oxygen-oregon-mango-potato
File name:	amd64
Download:	download sample
File size:	482'032 bytes
First seen:	2025-06-15 21:28:23 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	12288:iD6LPBCvMk0O9na1M80cLt9i5aIaTtpc4W:2+QGO9naz0Szi5anTtR
TLSH	T109A41212E290D8FEC4DAC070469FD27BFD767C544234BC6B6298F7322B3AE601B16A55
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Siggen.9080.UNOFFICIAL

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL

Sanesecurity.Malware.31951.LX.BOT.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=684f3b378bd5d68a12e8b82flinux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creates directories

Verdict:

Malicious

Uses P2P?:

true

Uses anti-vm?:

true

Architecture:

x86

Packer:

custom

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

35449

Full report:

https://elfdigest.com/brief/59a1c19d985aba761302d506a807f2384bb106edefbb5e99c7a664458d12127f

Behaviour

Anti-VM

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 178.69.209.93:6881
type: 77.51.136.24:6881
type: 86.97.68.69:6881
type: 63.247.211.162:6881
type: 128.106.149.212:6881
type: 94.188.118.26:6881
type: 59.34.57.200:6881
type: 109.128.92.93:6881
type: 85.215.59.222:6881
type: 94.247.60.181:6881
type: 59.30.92.36:6881
type: 82.67.111.72:6881
type: 84.71.17.12:6881
type: 191.114.85.181:6881
type: 18.218.241.3:6881
type: 152.67.87.91:6881
type: 148.135.106.206:6881
type: 144.24.245.236:6881
type: 109.229.148.39:6881
type: 82.66.185.73:6881
type: 67.167.20.57:6881
type: 202.22.239.45:6881
type: 185.210.87.107:6881
type: 178.162.174.222:28014
type: 178.162.174.77:28014
type: 178.162.173.226:28014
type: 81.171.6.43:28014
type: 88.198.230.221:49668
type: 135.181.238.57:50000
type: 135.181.227.244:50000
type: 37.27.119.177:50000
type: 222.211.146.135:50000
type: 130.239.18.158:8524
type: 178.162.174.43:28004
type: 178.162.174.228:28004
type: 130.239.18.158:8515
type: 213.227.151.25:28013
type: 178.162.174.46:28013
type: 95.211.247.101:28013
type: 185.21.216.185:60731
type: 61.1.235.218:54333
type: 47.237.140.109:5060
type: 130.185.187.154:33464
type: 178.162.174.228:28007
type: 178.162.173.89:28007
type: 46.232.210.175:29809
type: 46.166.197.57:47661
type: 185.203.56.68:62927
type: 185.203.56.24:55543
type: 98.97.141.177:31273
type: 178.162.174.50:28010
type: 78.129.168.50:56912
type: 116.203.122.81:57009
type: 51.158.148.71:57487
type: 95.211.19.32:50315
type: 5.39.85.86:59525
type: 176.212.21.138:51413
type: 188.166.98.93:51413
type: 188.90.169.20:51413
type: 175.200.171.105:51413
type: 95.211.7.108:51413
type: 90.66.119.56:51413
type: 176.214.77.46:51413
type: 27.10.237.155:51413
type: 95.165.152.116:51413
type: 110.177.180.153:51413
type: 85.244.60.129:51413
type: 79.157.49.137:51413
type: 182.164.251.69:51413
type: 222.95.179.15:51413
type: 195.154.112.24:51413
type: 36.24.138.20:51413
type: 45.203.206.46:6880
type: 195.154.233.74:6880
type: 69.164.203.179:6880
type: 13.59.176.186:6880
type: 34.192.33.74:6880
type: 3.93.32.237:6880
type: 137.74.95.13:49999
type: 177.136.220.242:5663
type: 83.149.84.32:28058
type: 83.149.84.32:28008
type: 178.162.174.211:28008
type: 178.162.174.240:28008
type: 172.96.121.2:6884
type: 178.162.174.143:28000
type: 178.162.173.141:28000
type: 178.162.174.234:28000
type: 178.162.174.45:28015
type: 130.239.18.158:8516
type: 217.121.231.94:59625
type: 130.239.18.158:8508
type: 130.239.18.158:8521
type: 37.48.64.29:28002
type: 45.87.251.11:28002
type: 185.203.56.2:61731
type: 178.162.173.19:28011
type: 95.216.116.106:16113
type: 46.232.210.217:11859
type: 46.232.211.222:58184
type: 94.75.194.118:28012
type: 178.162.173.98:28012
type: 213.227.152.142:28017
type: 58.3.23.203:32961
type: 195.201.179.130:16309
type: 130.239.18.158:8500
type: 130.239.18.158:8580
type: 178.162.173.91:28003
type: 130.239.18.158:8513
type: 169.150.223.219:64350
type: 178.162.174.224:28009
type: 185.203.56.51:25481
type: 93.176.146.146:27649
type: 94.211.65.81:50628
type: 141.11.159.210:55784
type: 81.201.49.4:57436
type: 119.47.168.137:14034
type: 167.172.248.254:8081
type: 187.188.191.206:8081
type: 119.246.68.19:24934
type: 156.146.62.216:25504
type: 159.2.118.88:17800
type: 75.156.104.142:16283
type: 109.236.91.11:6886
type: 114.230.238.53:6886
type: 45.154.86.27:54413
type: 85.216.232.28:5849
type: 99.23.159.44:24567
type: 69.156.55.139:52949
type: 103.140.3.18:13836
type: 194.144.191.221:24694
type: 157.157.109.191:58946
type: 37.48.89.181:48531
type: 185.107.71.103:44737
type: 23.88.142.248:47405
type: 5.39.85.82:54378
type: 95.73.142.126:6914
type: 45.87.251.6:28026
type: 159.223.42.117:50694
type: 5.135.165.33:6331
type: 92.233.5.150:50321
type: 107.144.227.134:54700
type: 169.212.19.43:32861
type: 220.81.143.252:41239
type: 58.7.195.244:46478
type: 77.78.30.174:16785
type: 185.149.91.131:51049
type: 8.210.223.210:44109
type: 188.165.198.14:53158
type: 136.169.211.17:16907
type: 125.243.61.70:33219
type: 126.79.120.14:6889
type: 213.190.110.193:6889
type: 92.202.113.49:6889
type: 217.29.110.87:6909
type: 95.161.61.43:32501
type: 213.89.187.98:61136
type: 211.224.247.51:40821
type: 107.149.239.170:26113
type: 218.147.169.201:56784
type: 190.108.214.122:42756
type: 94.249.2.226:33729
type: 68.146.238.131:61247
type: 186.158.146.159:27930
type: 2.196.44.146:52432
type: 128.127.121.40:33459
type: 5.228.112.122:12320
type: 178.142.23.20:47953
type: 188.165.244.11:50422
type: 196.221.194.47:22827
type: 130.239.18.158:8526
type: 192.3.177.104:27853
type: 177.11.247.94:2633
type: 45.191.206.255:19593
type: 46.232.211.184:64170
type: 185.56.20.237:10606
type: 106.1.232.1:61014
type: 45.158.186.50:53846
type: 66.103.202.37:6882
type: 94.23.215.83:6882
type: 178.59.132.248:45598
type: 45.91.211.185:54058
type: 146.198.108.173:43896
type: 195.154.221.146:51415
type: 185.82.192.174:58287
type: 121.140.116.138:7743
type: 27.94.33.213:36179
type: 175.143.35.207:42035
type: 220.87.174.77:33154
type: 189.203.100.148:48143
type: 188.244.253.172:2797
type: 101.181.141.225:57537
type: 95.82.204.115:53328
type: 185.149.91.153:52022
type: 185.150.232.239:27394
type: 109.63.234.128:58493
type: 91.214.209.7:14971
type: 95.247.199.162:41739
type: 5.18.217.90:2864
type: 83.97.7.199:48
type: 27.61.108.17:12084
type: 23.88.68.24:61411
type: 139.59.243.165:35563
type: 97.64.27.2:56360
type: 37.27.113.233:55236
type: 65.108.143.34:55236
type: 193.106.161.201:2577
type: 93.38.142.217:61698
type: 185.156.174.27:62346
type: 95.25.117.59:2221
type: 95.214.53.172:1688
type: 193.233.106.229:18239
type: 80.72.77.71:20830
type: 37.204.167.35:47862
type: 95.57.232.59:30391
type: 79.136.47.126:48054
type: 45.191.255.62:38496
type: 91.126.186.165:36277
type: 71.210.21.181:41045
type: 178.208.236.51:3094
type: 95.26.252.244:29070
type: 152.53.45.107:7036
type: 152.53.45.107:7241
type: 185.149.91.189:51514
type: 185.107.68.193:27873
type: 177.36.57.133:36263
type: 162.55.243.114:2910
type: 194.29.101.83:10240
type: 146.59.3.81:10240
type: 152.53.104.128:10240
type: 78.142.231.133:6767
type: 49.230.64.232:61671
type: 77.79.179.236:60843
type: 38.92.24.158:41586
type: 149.50.218.34:39803
type: 93.170.30.31:35923
type: 178.208.237.128:2816
type: 89.22.226.106:6885
type: 54.39.52.64:32205
type: 213.149.16.168:24867
type: 95.31.13.23:49873
type: 45.224.43.70:8999
type: 154.60.75.84:23081
type: 188.232.24.30:48844
type: 113.155.167.44:23622
type: 188.165.195.203:57219
type: 46.232.211.70:15159
type: 80.47.128.243:37922
type: 213.195.80.46:57123
type: 83.99.189.106:57695
type: 84.238.159.201:57700
type: 176.193.221.67:48243
type: 158.174.115.109:2049
type: 109.126.5.185:1544
type: 198.98.53.245:16567
type: 178.162.173.102:28005
type: 178.208.232.115:2333
type: 210.17.254.51:7713

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/c8310c4d-b8aa-4e36-8dc5-eccb2ef14474

Behavior Graph:

Download SVG

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/8851e77b-77d3-44c8-8f22-366b6c0468df

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/59a1c19d985aba761302d506a807f2384bb106edefbb5e99c7a664458d12127f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/59a1c19d985aba761302d506a807f2384bb106edefbb5e99c7a664458d12127f/

Threat name:

Linux.Trojan.Multiverze

Status:

Malicious

First seen:

2025-06-15 21:29:23 UTC

File Type:

ELF64 Little (Exe)

AV detection:

17 of 37 (45.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lgq4dhmylk5hmeyc2udkqb7shbf3cbxn565v5gohuzseldiscj7q._file

Result

Malware family:

n/a

Score:

6/10

Tags:

antivm defense_evasion discovery execution linux persistence privilege_escalation

Link:

https://tria.ge/reports/250615-1bty7agl8w/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to tmp directory

Checks CPU configuration

Checks hardware identifiers (DMI)

Creates/modifies Cron job

Enumerates running processes

Reads MAC address of network interface

Reads hardware information

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7034e463-cec1-450b-8bc4-7d6403dd0fae

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.20

Link:

https://yomi.yoroi.company/submissions/59a1c19d985aba761302d506a807f2384bb106edefbb5e99c7a664458d12127f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	enterpriseapps2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise apps

Rule name:	enterpriseunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise UNIX

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 59a1c19d985aba761302d506a807f2384bb106edefbb5e99c7a664458d12127f

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3550042/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample