MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a89b31bc732631ac40e01b76ae99692fbbf0ca74d0a74f817ce23685b525b59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	5a89b31bc732631ac40e01b76ae99692fbbf0ca74d0a74f817ce23685b525b59
SHA3-384 hash:	f7b04075b828ab6061a971ac281d4a0af4c21b5241ee595722baa95738f6b47d673549e0a036e388c91b94276b16f5b8
SHA1 hash:	e61a22151d3428130fe627f1fd1300addc6c4d45
MD5 hash:	28eaafb14efb3fa947a5d583aada4b08
humanhash:	winter-xray-ceiling-network
File name:	aarch64
Download:	download sample
File size:	509'896 bytes
First seen:	2025-06-26 22:35:12 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	6144:O/izeB+/ow3gK2lc5bvyI0vOHD6BZkDgn358cIF3RI5HkdY1FP98/8ecjfP:3BohHKTyfvOHD6ByD4WcIMkuDmEesP
TLSH	T189B41228EE4E3881F3D1E378DA0A4BB2B05B7DD0C166C1B2BA41E25D95EDDDEC5D0212
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.32057.LX.BOT.UNOFFICIAL

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685dcc9432ed47a3a8d7aac9

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creates directories

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

base64 exploit gcc lolbin remote

Link:

https://www.filescan.io/uploads/685dcb458cd0d23e5be895cd/reports/6e80179d-8b8e-4e93-91a7-6e0d9de6c275/overview

Verdict:

Malicious

Uses P2P?:

true

Uses anti-vm?:

false

Architecture:

arm

Packer:

custom

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

47188

Full report:

https://elfdigest.com/brief/5a89b31bc732631ac40e01b76ae99692fbbf0ca74d0a74f817ce23685b525b59

Behaviour

no suspicious findings

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

type: 162.159.200.1:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 178.69.209.93:6881
type: 178.137.213.236:6881
type: 36.239.53.165:6881
type: 31.134.27.179:6881
type: 77.91.105.61:6881
type: 83.254.5.34:6881
type: 95.106.37.126:6881
type: 84.232.240.186:6881
type: 37.223.40.133:6881
type: 93.180.40.35:6881
type: 201.232.223.48:6881
type: 84.65.216.76:6881
type: 188.122.2.191:6881
type: 65.25.190.45:6881
type: 185.212.251.19:6881
type: 85.196.168.35:6881
type: 18.223.137.220:6881
type: 123.245.36.7:6881
type: 47.188.87.3:6881
type: 142.171.58.199:6881
type: 54.70.28.180:6881
type: 187.34.182.153:6881
type: 5.133.47.102:6881
type: 18.220.82.190:6881
type: 51.15.20.12:6881
type: 31.18.147.220:6881
type: 47.201.174.82:6881
type: 125.11.61.172:6881
type: 79.243.99.215:6881
type: 54.194.137.170:6881
type: 178.162.173.91:28003
type: 178.162.173.107:28003
type: 130.239.18.158:8513
type: 130.239.18.158:8516
type: 130.239.18.158:8580
type: 195.154.233.74:6880
type: 3.228.205.146:6880
type: 178.162.173.147:28007
type: 130.239.18.158:8531
type: 46.232.211.120:19109
type: 178.162.174.88:28014
type: 178.162.173.220:28014
type: 130.239.18.158:8524
type: 79.106.231.163:1434
type: 51.158.179.35:51413
type: 151.80.44.142:51413
type: 185.13.36.21:51413
type: 77.37.144.14:51413
type: 185.148.3.216:51413
type: 88.22.223.196:51413
type: 116.203.178.179:51413
type: 195.154.235.193:51413
type: 211.158.204.67:51413
type: 87.180.239.85:51413
type: 12.154.108.110:51413
type: 23.241.236.177:51413
type: 77.173.223.10:51413
type: 5.135.156.163:56843
type: 178.162.173.111:28005
type: 178.162.173.102:28005
type: 135.181.227.244:50000
type: 65.21.125.170:50000
type: 37.27.119.180:50000
type: 135.181.238.57:50000
type: 65.21.128.225:50000
type: 37.27.119.179:50000
type: 65.21.125.180:50000
type: 65.21.129.52:50000
type: 37.27.119.187:50000
type: 195.154.172.179:27126
type: 178.162.173.149:28004
type: 178.162.174.17:28008
type: 178.162.173.171:28008
type: 178.162.174.224:28008
type: 98.128.180.209:62143
type: 46.232.211.180:51539
type: 212.7.202.40:28030
type: 54.211.14.111:20876
type: 45.87.251.11:28162
type: 188.141.39.241:35991
type: 89.149.202.17:28070
type: 43.133.45.199:50190
type: 164.132.162.3:51255
type: 188.163.98.155:62125
type: 89.149.222.146:58158
type: 185.162.184.4:49636
type: 185.149.91.33:51023
type: 81.171.22.85:28016
type: 61.85.144.68:40785
type: 98.243.124.22:11533
type: 89.149.200.92:28020
type: 14.51.154.21:32913
type: 84.232.247.166:44282
type: 175.143.57.106:1112
type: 45.143.236.67:3090
type: 81.171.7.65:28006
type: 128.127.112.167:50189
type: 195.154.176.209:8654
type: 46.232.211.140:17259
type: 45.87.251.12:39756
type: 217.26.211.89:8999
type: 62.217.233.46:8621
type: 176.44.16.20:8621
type: 107.159.221.130:8621
type: 83.36.231.226:8621
type: 45.87.251.187:34506
type: 185.203.56.20:63895
type: 5.39.85.155:58319
type: 66.110.234.114:51415
type: 195.167.58.30:35045
type: 89.90.146.174:46440
type: 190.160.48.224:42227
type: 5.39.85.155:55208
type: 125.239.209.107:26642
type: 47.198.74.110:49999
type: 41.226.194.51:51710
type: 86.9.16.89:14818
type: 5.39.85.50:58525
type: 183.96.36.137:10021
type: 178.48.160.194:28345
type: 188.80.31.117:49001
type: 177.226.101.251:35305
type: 46.246.122.101:30367
type: 220.57.105.39:11933
type: 64.224.255.99:10098
type: 213.227.151.231:61455
type: 85.24.174.248:28002
type: 178.162.174.163:28002
type: 185.21.216.166:52524
type: 185.203.56.43:60778
type: 65.94.156.234:47231
type: 181.46.137.84:50582
type: 37.27.113.233:43731
type: 144.76.175.153:27347
type: 208.54.231.6:14326
type: 131.226.110.244:7419
type: 83.251.5.157:47029
type: 181.116.178.173:1050
type: 45.154.87.241:64274
type: 85.247.187.98:6893
type: 187.189.208.70:49182
type: 59.25.128.74:7511
type: 101.183.57.129:45872
type: 223.184.212.63:13269
type: 69.79.13.192:4210
type: 185.203.56.54:51259
type: 70.95.149.69:18697
type: 89.201.147.70:23976
type: 5.189.160.21:13490
type: 187.43.197.157:13653
type: 54.39.107.165:22278
type: 194.29.101.83:10240
type: 152.53.104.128:10240
type: 91.234.26.181:16564
type: 181.9.227.228:16385
type: 10.72.14.190:50321
type: 91.234.26.181:50321
type: 123.176.113.61:51453
type: 54.77.218.23:6892
type: 51.75.78.69:6891
type: 45.4.176.78:62145
type: 152.53.45.107:7139
type: 88.88.149.58:6889
type: 54.38.92.16:16285
type: 121.221.166.15:48137
type: 62.68.180.20:51761
type: 185.203.56.49:17129
type: 43.133.45.199:50066
type: 67.185.16.26:50504
type: 130.239.18.158:8520
type: 109.199.255.250:18265
type: 113.172.113.162:24837
type: 193.95.242.2:57018
type: 69.112.225.112:61281
type: 109.87.55.175:32000
type: 51.255.70.53:52019
type: 49.49.234.127:28951
type: 121.161.65.147:33219
type: 43.230.45.200:40433
type: 37.27.113.233:28336
type: 103.229.129.66:2916

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/347d3a06-cf46-443c-b50d-305915687415

Behavior Graph:

Download SVG

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b1537675-8ee9-4851-b556-d6d9e31f4ebd

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/5a89b31bc732631ac40e01b76ae99692fbbf0ca74d0a74f817ce23685b525b59

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a89b31bc732631ac40e01b76ae99692fbbf0ca74d0a74f817ce23685b525b59/

Threat name:

Linux.Trojan.SAgnt

Status:

Malicious

First seen:

2025-06-26 22:35:50 UTC

File Type:

ELF64 Little (Exe)

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lke3gg6hgjrrvraoag3wv2mwsl536dfhjufhj6axzyrwqw2slnmq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/250626-2jp6msztgt/

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c07c1c4a-43d7-4fac-80fc-52bd52a71f42

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a89b31bc732631ac40e01b76ae99692fbbf0ca74d0a74f817ce23685b525b59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 5a89b31bc732631ac40e01b76ae99692fbbf0ca74d0a74f817ce23685b525b59

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3558221/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample