MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dc63f32603cbf044abc888f9985206011fac44e33bb6acddcd2fbba2c3e9a67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5dc63f32603cbf044abc888f9985206011fac44e33bb6acddcd2fbba2c3e9a67
SHA3-384 hash: 21f6ec8101bb4ff82ad1ee305b91a2c4410e5984ef43be0ddf165b6470227660fc0a4d97c31fb573421eec6f487da44c
SHA1 hash: 1b2b64ac0e49f4ee3dee5af9a997d1923cbf542e
MD5 hash: 4ec4e04959b84289ec2fa6bd3360749e
humanhash: kilo-pasta-foxtrot-nuts
File name:amd64
Download: download sample
File size:482'032 bytes
First seen:2025-05-24 13:17:36 UTC
Last seen:2025-05-25 02:45:42 UTC
File type: elf
MIME type:application/x-executable
ssdeep 12288:iD6LPBCvMk0O9na1M80cLt9i5aIaTtpc4W:2+QGO9naz0Szi5anTtR
TLSH T162A41212E290D8FEC4DAC070429FD27BFD767C544234BC6B6298F7322B3AE601B16A55
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Siggen.9080.4300.20754.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6831c83a4912a6b9dd4cd94blinux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
exploit gcc lolbin remote
Link:
https://www.filescan.io/uploads/6831c723fd02ed5e058606d9/reports/6f854e06-b145-41db-b2be-ad8c303e194e/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
70
Number of processes launched:
10
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/5dc63f32603cbf044abc888f9985206011fac44e33bb6acddcd2fbba2c3e9a67
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.1:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 88.151.91.31:6881
type: 45.154.86.83:6881
type: 87.253.97.232:6881
type: 37.133.21.45:6881
type: 151.83.231.143:6881
type: 176.193.231.215:6881
type: 68.193.90.204:6881
type: 46.72.126.4:6881
type: 219.73.87.211:6881
type: 1.123.210.245:6881
type: 86.97.68.69:6881
type: 46.138.248.66:6881
type: 63.247.211.162:6881
type: 37.79.226.39:6881
type: 89.222.185.162:6881
type: 173.89.209.75:6881
type: 92.241.19.32:6881
type: 219.73.116.194:6881
type: 188.32.111.42:6881
type: 188.42.55.92:6881
type: 86.165.132.107:6881
type: 85.215.59.222:6881
type: 217.112.15.47:6881
type: 176.120.32.17:6881
type: 134.209.183.166:6881
type: 70.51.171.5:6881
type: 47.204.255.171:6881
type: 102.182.157.33:6881
type: 176.241.154.169:6881
type: 75.141.249.246:6881
type: 37.192.253.70:6881
type: 185.238.77.132:6881
type: 95.67.250.147:6881
type: 203.176.212.133:6881
type: 81.88.148.17:6881
type: 78.196.151.109:6881
type: 153.232.132.235:6881
type: 91.177.100.227:6881
type: 31.130.87.174:6881
type: 18.191.2.28:6881
type: 52.9.197.152:6881
type: 94.253.63.100:6881
type: 75.119.138.164:6881
type: 51.15.20.12:6881
type: 185.204.165.56:6881
type: 31.42.217.109:6881
type: 179.43.100.170:6881
type: 142.4.209.46:6881
type: 106.104.172.195:6881
type: 18.221.7.72:6881
type: 123.51.21.151:6881
type: 130.239.18.158:8524
type: 130.239.18.158:8515
type: 195.154.233.74:6880
type: 18.117.46.179:6880
type: 173.230.130.111:6880
type: 23.23.69.85:6880
type: 45.203.212.18:6880
type: 45.203.155.73:6880
type: 18.189.222.30:6880
type: 213.158.1.85:51413
type: 51.15.83.218:51413
type: 31.17.127.66:51413
type: 176.62.180.175:51413
type: 173.249.41.192:51413
type: 107.189.13.192:51413
type: 222.108.87.219:51413
type: 162.19.243.205:51413
type: 46.72.89.71:51413
type: 85.245.44.155:51413
type: 193.200.42.246:51413
type: 180.114.226.12:51413
type: 149.28.249.58:51413
type: 95.211.194.52:51413
type: 157.131.60.251:51413
type: 185.170.115.214:51413
type: 95.211.194.40:51413
type: 95.211.153.90:51413
type: 91.128.147.184:51413
type: 178.162.174.43:28004
type: 178.162.174.40:28004
type: 178.162.174.231:28004
type: 178.162.174.228:28004
type: 95.179.127.133:2309
type: 185.107.71.103:44737
type: 89.160.34.143:2145
type: 95.216.100.173:36508
type: 178.162.174.228:28007
type: 178.162.174.65:28007
type: 178.162.173.167:28007
type: 178.162.174.77:28014
type: 178.162.173.226:28014
type: 5.79.80.223:28014
type: 173.249.44.165:8081
type: 178.162.173.91:28003
type: 178.162.174.178:28003
type: 37.48.89.129:50612
type: 79.140.25.242:28933
type: 130.239.18.158:8521
type: 191.116.107.150:54807
type: 67.144.152.115:9010
type: 37.63.16.151:63019
type: 91.199.227.110:23523
type: 95.211.127.54:28011
type: 178.162.173.76:28011
type: 178.162.173.70:28011
type: 51.159.104.61:8940
type: 178.162.173.3:28010
type: 178.162.173.164:28010
type: 195.154.185.217:27143
type: 178.162.173.141:28000
type: 178.162.173.194:28000
type: 178.162.174.230:28000
type: 1.158.136.153:56778
type: 178.196.39.149:6889
type: 223.132.168.13:6889
type: 91.176.186.191:6889
type: 93.157.124.191:6889
type: 93.51.1.4:6889
type: 109.230.136.116:6889
type: 185.132.178.251:6890
type: 185.177.124.181:6890
type: 23.162.56.83:12000
type: 216.39.248.235:3977
type: 23.158.56.119:10074
type: 185.21.216.193:51169
type: 51.158.148.71:57487
type: 95.211.19.32:50315
type: 45.87.251.149:28201
type: 178.162.174.227:28008
type: 178.162.174.85:28008
type: 178.162.174.225:28008
type: 172.111.38.128:26087
type: 23.158.56.120:12082
type: 5.79.66.16:52210
type: 37.187.116.17:51415
type: 24.13.229.114:16623
type: 178.162.173.231:28001
type: 130.239.18.158:8539
type: 37.27.117.115:50000
type: 135.181.238.52:50000
type: 142.132.207.60:50000
type: 135.181.223.82:50000
type: 65.21.129.57:50000
type: 46.191.179.208:4043
type: 178.162.159.67:54545
type: 218.102.95.211:20070
type: 86.111.112.172:9925
type: 175.134.213.183:15021
type: 178.162.174.106:28015
type: 195.201.179.130:16309
type: 130.239.18.158:8500
type: 130.239.18.158:8580
type: 130.239.18.158:8516
type: 130.239.18.158:8513
type: 118.107.220.15:23557
type: 178.66.157.74:6030
type: 162.251.63.78:10071
type: 130.239.18.158:8508
type: 130.239.18.158:8644
type: 51.75.163.151:8644
type: 212.7.202.40:28027
type: 75.100.208.198:48583
type: 185.203.56.38:31318
type: 185.149.91.171:51073
type: 51.159.104.65:7629
type: 62.73.120.174:35885
type: 89.10.239.29:56176
type: 114.34.138.206:51417
type: 198.2.94.34:26690
type: 188.165.222.16:51414
type: 146.196.45.35:59264
type: 78.139.223.85:22341
type: 152.37.101.254:16697
type: 79.100.238.150:19887
type: 95.26.41.139:27819
type: 37.79.38.147:4881
type: 73.176.210.123:32516
type: 195.154.172.179:26862
type: 168.119.13.211:53889
type: 95.27.76.216:7364
type: 31.208.31.10:4608
type: 109.93.55.46:44613
type: 185.72.224.155:39276
type: 126.147.84.150:20653
type: 46.232.210.83:64267
type: 174.130.213.248:15288
type: 90.195.84.253:10453
type: 169.150.223.247:64138
type: 203.218.213.245:9068
type: 195.154.185.217:28501
type: 37.48.95.146:37954
type: 173.177.244.142:39502
type: 176.31.183.108:50527
type: 177.245.48.14:62979
type: 81.140.203.134:10193
type: 181.9.213.113:8239
type: 115.69.41.109:22464
type: 178.162.174.117:28009
type: 178.162.173.91:28009
type: 94.41.184.251:32550
type: 185.33.231.21:1297
type: 94.213.9.116:49001
type: 178.186.157.134:49001
type: 83.42.148.233:49001
type: 94.51.9.159:49001
type: 94.181.79.110:49001
type: 37.4.251.33:2919
type: 193.32.2.164:51160
type: 37.6.81.90:59408
type: 5.39.85.82:54847
type: 73.51.69.194:9640
type: 95.214.53.172:1688
type: 71.233.190.138:28237
type: 109.106.140.46:39535
type: 181.116.45.49:13635
type: 27.60.28.76:31067
type: 37.194.163.18:55793
type: 169.150.223.243:64049
type: 169.150.223.243:64178
type: 169.150.223.243:64080
type: 169.150.223.243:64055
type: 203.236.56.178:61447
type: 37.122.72.130:39499
type: 217.23.78.26:27915
type: 185.162.184.5:60772
type: 79.22.225.170:46388
type: 185.162.184.5:63518
type: 69.157.129.188:23526
type: 14.43.166.145:54562
type: 95.189.75.243:2039
type: 95.189.75.243:1875
type: 87.118.158.225:20598
type: 61.228.66.142:22223
type: 143.202.171.104:36241
type: 187.106.43.104:17126
type: 213.230.87.116:63896
type: 208.87.240.21:11162
type: 177.37.184.166:56116
type: 5.138.251.239:27878
type: 149.56.27.121:34340
type: 46.160.195.253:50560
type: 46.238.2.139:52614
type: 23.162.56.55:24009
type: 27.147.190.113:30229
type: 95.216.96.160:38532
type: 162.251.63.78:12052
type: 185.177.124.180:6885
type: 95.12.126.179:15898
type: 152.53.45.107:7288
type: 195.170.172.38:10240
type: 152.53.104.128:10240
type: 194.29.101.83:10240
type: 185.25.178.164:17059
type: 77.77.216.255:33810
type: 152.53.45.107:7232
type: 5.135.143.91:23956
type: 152.53.45.107:7083
type: 51.159.104.78:8882
type: 89.98.157.37:3304
type: 169.150.223.243:64169
type: 169.150.223.243:64073
type: 105.197.86.60:46697
type: 178.162.173.210:28012
type: 195.154.170.6:8682
type: 5.133.76.111:9179
type: 31.10.147.68:18221
type: 1.165.188.68:15184
type: 189.28.75.162:33838
type: 45.87.154.94:56396
type: 95.168.168.152:48644
type: 49.207.228.112:62424
type: 91.221.219.9:31524
type: 35.171.49.86:6892
type: 223.109.206.184:6892
type: 185.203.56.69:22677
type: 46.166.191.29:62391
type: 188.89.130.94:6907
type: 169.150.223.243:64132
type: 185.203.56.67:28701
type: 46.232.210.10:16409
type: 72.21.17.23:30273
type: 185.21.216.194:59769
type: 64.187.160.230:50533
type: 62.210.201.217:8681
type: 51.195.220.36:8645
type: 62.72.83.222:22895
type: 124.123.165.134:13752
type: 5.79.112.214:50372
type: 185.21.216.145:60415
type: 83.195.120.112:6887
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/81bc2a87-8560-4a14-8021-de36a80d1f7b
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1698453
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1698453 Sample: amd64.elf Startdate: 24/05/2025 Architecture: LINUX Score: 64 44 31.200.249.162, 31940, 54942 NETRACK-ASRU Russian Federation 2->44 46 114.79.7.117, 44069, 6881 WIRELESSNET-IDPTWIRELESSINDONESIAWINID Indonesia 2->46 48 102 other IPs or domains 2->48 50 Connects to many ports of the same IP (likely port scanning) 2->50 52 Uses known network protocols on non-standard ports 2->52 10 dash rm amd64.elf 2->10         started        12 dash rm 2->12         started        14 dash cat 2->14         started        16 7 other processes 2->16 signatures3 process4 process5 18 amd64.elf sh 10->18         started        20 amd64.elf 10->20         started        23 amd64.elf sh 10->23         started        signatures6 25 sh crontab 18->25         started        29 sh 18->29         started        56 Opens /sys/class/net/* files useful for querying network interface information 20->56 58 Sample reads /proc/mounts (often used for finding a writable filesystem) 20->58 31 amd64.elf 20->31         started        33 sh crontab 23->33         started        process7 file8 42 /var/spool/cron/crontabs/tmp.IWJGs6, ASCII 25->42 dropped 60 Sample tries to persist itself using cron 25->60 62 Executes the "crontab" command typically for achieving persistence 25->62 35 sh crontab 29->35         started        38 amd64.elf 31->38         started        signatures9 process10 signatures11 54 Executes the "crontab" command typically for achieving persistence 35->54 40 amd64.elf 38->40         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/5dc63f32603cbf044abc888f9985206011fac44e33bb6acddcd2fbba2c3e9a67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5dc63f32603cbf044abc888f9985206011fac44e33bb6acddcd2fbba2c3e9a67/
Threat name:
Linux.Trojan.SAgnt
Create hunting rule
Status:
Malicious
First seen:
2025-05-24 13:18:24 UTC
File Type:
ELF64 Little (Exe)
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lxdd6mtahs7qisv4rchztbjamai7vrcogo5wvto42l53ulb6tjtq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/250524-qj5esaal6x/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bcd58340-0a47-4021-a645-f370eafc1283
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5dc63f32603cbf044abc888f9985206011fac44e33bb6acddcd2fbba2c3e9a67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 5dc63f32603cbf044abc888f9985206011fac44e33bb6acddcd2fbba2c3e9a67

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3550686/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments