MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f082d73fe1442f024f6f5ea20ee8047a9ee2e3e6017c9a75ddfcb7524f5ee2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f082d73fe1442f024f6f5ea20ee8047a9ee2e3e6017c9a75ddfcb7524f5ee2f
SHA3-384 hash: 13b45cc6cd373825da51b9e8ed9a7ec19d864eea6cb8698614548b91aafeca5d29ae232296ae17bf47e76ae24ccc918f
SHA1 hash: 58d8a2c8eb7e4a98d8cc0fbe689092ae4a9a842c
MD5 hash: 994a9b6c3e294962b6365b63ed71faee
humanhash: fruit-shade-foxtrot-connecticut
File name:amd64
Download: download sample
File size:482'032 bytes
First seen:2025-06-26 17:13:11 UTC
Last seen:2025-06-27 11:24:22 UTC
File type: elf
MIME type:application/x-executable
ssdeep 12288:iD6LPBCvMk0O9na1M80cLt9i5aIaTtpc4W:2+QGO9naz0Szi5anTtR
TLSH T19CA41212E290D8FEC4DAC070469FD27BFD76BC544234BC6B6198F7322B3AE601B16A55
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Siggen.9080.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.31951.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685d7fbf32ed47a3a8d787c6linux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
70
Number of processes launched:
10
Processes remaning?
true
Remote TCP ports scanned:
53631
Full report:
https://elfdigest.com/brief/5f082d73fe1442f024f6f5ea20ee8047a9ee2e3e6017c9a75ddfcb7524f5ee2f
Behaviour
Anti-VM
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 23.118.129.219:6881
type: 178.69.209.93:6881
type: 63.247.211.162:6881
type: 37.19.41.151:6881
type: 86.92.25.183:6881
type: 176.125.139.123:6881
type: 89.207.71.47:6881
type: 69.231.78.166:6881
type: 188.42.55.92:6881
type: 46.0.4.68:6881
type: 112.82.166.20:6881
type: 176.221.0.122:6881
type: 149.90.4.177:6881
type: 109.133.113.79:6881
type: 213.225.210.59:6881
type: 115.87.153.133:6881
type: 197.95.179.228:6881
type: 94.31.146.252:6881
type: 101.78.138.2:6881
type: 217.171.49.177:6881
type: 191.223.124.144:6881
type: 85.105.214.27:6881
type: 194.146.231.247:6881
type: 95.191.24.110:6881
type: 94.231.246.44:6881
type: 47.32.239.226:6881
type: 77.82.41.50:6881
type: 31.134.22.70:6881
type: 51.158.153.100:6881
type: 179.126.140.155:6881
type: 35.155.156.153:6881
type: 179.158.153.100:6881
type: 85.89.171.25:6881
type: 85.16.173.189:6881
type: 37.187.77.174:6881
type: 18.218.241.3:6881
type: 13.58.27.33:6881
type: 179.175.139.222:6881
type: 77.34.173.123:6881
type: 61.238.198.72:6881
type: 62.63.198.215:6881
type: 92.159.142.97:6881
type: 109.200.153.252:6881
type: 24.246.133.66:6881
type: 176.95.158.232:6881
type: 92.138.201.42:6881
type: 183.90.88.53:6881
type: 69.165.228.60:6881
type: 184.22.33.150:6881
type: 178.162.174.222:28014
type: 5.79.80.223:28014
type: 178.162.173.226:28014
type: 178.162.174.77:28014
type: 178.162.174.43:28004
type: 178.162.174.40:28004
type: 178.162.174.228:28004
type: 135.181.238.57:50000
type: 135.181.227.244:50000
type: 65.21.128.240:50000
type: 37.27.107.61:50000
type: 37.27.120.47:50000
type: 65.21.128.221:50000
type: 95.216.13.53:50000
type: 65.21.129.58:50000
type: 65.21.129.61:50000
type: 37.27.119.125:50000
type: 135.181.227.241:50000
type: 37.27.103.179:50000
type: 37.27.103.183:50000
type: 37.27.117.60:50000
type: 65.21.128.213:50000
type: 37.27.103.248:50000
type: 65.21.125.186:50000
type: 37.27.107.114:50000
type: 148.251.186.249:50000
type: 37.27.119.126:50000
type: 78.46.86.235:50000
type: 130.239.18.158:8524
type: 84.247.173.42:8081
type: 52.21.231.83:6880
type: 195.154.233.74:6880
type: 45.203.154.77:6880
type: 3.130.60.88:6880
type: 173.230.130.111:6880
type: 195.137.220.207:6880
type: 54.92.249.197:6880
type: 45.203.154.72:6880
type: 31.210.173.50:27520
type: 178.162.174.228:28007
type: 178.162.173.139:28007
type: 178.162.173.91:28003
type: 178.162.174.231:28003
type: 178.162.174.178:28003
type: 178.162.174.169:28003
type: 178.162.173.141:28000
type: 178.162.173.32:28000
type: 178.162.174.143:28000
type: 178.162.173.107:28000
type: 37.48.89.181:48531
type: 138.19.32.236:20005
type: 172.96.121.2:6884
type: 130.239.18.158:8513
type: 178.162.173.231:28001
type: 178.162.174.178:28001
type: 51.158.148.71:57487
type: 162.251.63.78:12035
type: 69.50.95.40:12005
type: 216.39.248.235:51484
type: 54.233.191.200:20965
type: 63.135.26.24:61677
type: 31.208.57.60:7360
type: 144.76.175.153:35393
type: 189.48.170.219:52246
type: 77.247.181.213:49425
type: 212.7.202.40:28027
type: 172.111.38.128:26020
type: 45.142.232.172:51413
type: 144.76.183.8:51413
type: 95.211.81.107:51413
type: 188.166.98.93:51413
type: 51.254.217.217:51413
type: 37.32.101.136:51413
type: 135.181.80.218:51413
type: 86.83.125.114:51413
type: 51.158.153.124:51413
type: 154.53.58.125:51413
type: 185.203.56.53:25320
type: 95.211.127.54:28011
type: 178.162.174.222:28011
type: 178.162.173.166:28011
type: 85.17.170.48:28011
type: 51.159.104.61:8940
type: 178.162.173.3:28010
type: 178.162.174.50:28010
type: 178.162.173.117:28010
type: 195.154.178.118:8680
type: 91.125.249.74:6889
type: 82.172.167.161:6889
type: 91.128.130.233:6889
type: 95.154.33.147:6889
type: 78.129.168.50:56912
type: 116.203.122.81:57009
type: 95.211.19.32:50315
type: 185.145.245.127:8676
type: 178.162.173.220:28006
type: 178.162.174.229:28006
type: 36.234.195.167:12317
type: 95.168.162.161:42670
type: 130.239.18.158:8539
type: 106.153.29.11:24316
type: 178.162.174.92:28009
type: 64.226.83.235:1434
type: 79.106.231.163:1434
type: 195.201.179.130:16309
type: 130.239.18.158:8500
type: 130.239.18.158:8580
type: 130.239.18.158:8516
type: 178.162.174.46:28013
type: 178.162.173.36:28013
type: 185.203.56.68:62927
type: 83.149.84.32:28008
type: 178.162.174.45:28015
type: 178.79.124.85:46405
type: 45.91.208.243:51936
type: 185.107.71.103:44737
type: 175.110.115.46:6888
type: 5.9.41.13:53504
type: 188.168.117.153:53649
type: 46.232.210.157:64170
type: 130.239.18.158:8515
type: 212.7.200.120:43955
type: 189.216.40.242:51414
type: 45.87.251.178:35104
type: 72.21.17.71:24721
type: 185.21.217.54:63554
type: 37.27.113.233:34756
type: 45.15.92.63:56881
type: 68.201.64.56:49001
type: 79.164.218.227:49001
type: 217.151.237.47:49001
type: 95.72.151.131:49001
type: 91.220.87.132:1518
type: 89.223.199.40:50060
type: 185.157.244.164:55231
type: 76.64.128.178:51575
type: 212.7.200.93:52527
type: 86.76.104.10:10397
type: 81.230.151.92:56800
type: 51.195.223.146:8648
type: 95.35.185.215:49166
type: 185.203.56.69:22677
type: 178.162.174.19:28005
type: 51.159.104.58:8955
type: 65.111.166.154:56557
type: 168.195.121.155:29409
type: 94.64.24.29:62514
type: 31.49.125.25:58646
type: 185.162.184.11:54164
type: 5.79.77.45:52484
type: 60.140.196.145:7101
type: 45.87.251.143:28957
type: 107.214.47.198:56528
type: 67.230.43.106:64068
type: 187.79.24.110:54130
type: 81.4.229.92:64192
type: 175.192.137.242:32634
type: 185.21.217.59:49868
type: 185.21.217.59:59192
type: 185.21.217.59:55279
type: 185.239.36.55:53607
type: 46.232.210.210:18509
type: 47.133.221.106:64875
type: 89.254.202.104:6882
type: 5.128.173.189:6882
type: 178.214.255.77:20043
type: 181.13.69.232:53596
type: 41.107.144.51:35517
type: 93.19.12.135:60432
type: 171.7.44.47:17986
type: 51.158.153.100:6883
type: 71.60.36.1:8917
type: 71.208.139.17:24104
type: 31.10.150.194:46631
type: 83.221.16.171:50015
type: 54.39.52.64:48853
type: 206.125.158.92:15980
type: 194.29.101.83:10240
type: 152.53.104.128:10240
type: 195.170.172.38:10240
type: 152.53.105.61:10240
type: 188.244.47.44:57850
type: 5.135.143.91:21715
type: 41.96.88.29:55236
type: 188.164.163.102:45970
type: 196.207.222.232:10473
type: 94.31.95.2:54808
type: 181.117.15.170:1909
type: 98.221.3.110:15928
type: 190.106.209.240:39980
type: 137.74.95.127:45988
type: 179.108.66.17:61651
type: 152.53.45.107:7092
type: 65.108.143.34:48441
type: 144.76.175.153:32057
type: 37.27.113.233:53890
type: 176.63.30.232:24289
type: 213.227.151.231:51608
type: 72.21.17.42:17115
type: 174.174.90.194:65525
type: 163.172.75.19:27335
type: 191.95.51.82:15771
type: 45.87.251.40:47379
type: 93.50.12.154:31505
type: 212.102.44.168:61120
type: 217.208.204.56:61120
type: 5.249.26.127:26904
type: 131.221.214.228:49901
type: 45.87.251.11:28194
type: 45.87.251.143:12725
type: 149.202.83.197:8080
type: 188.150.42.185:8080
type: 80.151.106.169:45623
type: 178.162.174.43:28012
type: 106.105.86.225:11142
type: 82.32.120.148:47242
type: 31.164.249.13:54423
type: 58.152.156.35:20284
type: 175.201.150.200:40955
type: 27.125.242.26:7506
type: 158.174.243.194:31363
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/fcfac472-aef3-45b9-97fb-1609e42f02f9
Behavior Graph:
Download SVG
%3 guuid=4fb61432-1900-0000-57fd-fb2bdd070000 pid=2013 /usr/bin/sudo guuid=0a67fc33-1900-0000-57fd-fb2be0070000 pid=2016 /tmp/sample.bin guuid=4fb61432-1900-0000-57fd-fb2bdd070000 pid=2013->guuid=0a67fc33-1900-0000-57fd-fb2be0070000 pid=2016 execve guuid=e4811934-1900-0000-57fd-fb2be1070000 pid=2017 /usr/bin/dash guuid=0a67fc33-1900-0000-57fd-fb2be0070000 pid=2016->guuid=e4811934-1900-0000-57fd-fb2be1070000 pid=2017 execve guuid=91270f35-1900-0000-57fd-fb2be2070000 pid=2018 /usr/bin/dash guuid=0a67fc33-1900-0000-57fd-fb2be0070000 pid=2016->guuid=91270f35-1900-0000-57fd-fb2be2070000 pid=2018 execve guuid=67a78035-1900-0000-57fd-fb2be5070000 pid=2021 /tmp/sample.bin mprotect-exec zombie guuid=0a67fc33-1900-0000-57fd-fb2be0070000 pid=2016->guuid=67a78035-1900-0000-57fd-fb2be5070000 pid=2021 clone guuid=6bdd4335-1900-0000-57fd-fb2be3070000 pid=2019 /usr/bin/dash guuid=91270f35-1900-0000-57fd-fb2be2070000 pid=2018->guuid=6bdd4335-1900-0000-57fd-fb2be3070000 pid=2019 clone guuid=559d4b35-1900-0000-57fd-fb2be4070000 pid=2020 /usr/bin/dash guuid=91270f35-1900-0000-57fd-fb2be2070000 pid=2018->guuid=559d4b35-1900-0000-57fd-fb2be4070000 pid=2020 clone guuid=6bd34f39-1900-0000-57fd-fb2bf2070000 pid=2034 /tmp/sample.bin zombie guuid=67a78035-1900-0000-57fd-fb2be5070000 pid=2021->guuid=6bd34f39-1900-0000-57fd-fb2bf2070000 pid=2034 clone guuid=c5dc6139-1900-0000-57fd-fb2bf3070000 pid=2035 /tmp/sample.bin guuid=6bd34f39-1900-0000-57fd-fb2bf2070000 pid=2034->guuid=c5dc6139-1900-0000-57fd-fb2bf3070000 pid=2035 clone guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036 /tmp/sample.bin dns net net-scan send-data guuid=c5dc6139-1900-0000-57fd-fb2bf3070000 pid=2035->guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036 clone d316b2ae-0a7e-5b43-8de6-745900c90c54 127.0.0.1:65535 guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036->d316b2ae-0a7e-5b43-8de6-745900c90c54 con 38a4910e-6f05-5afe-a8e3-398c2eb18329 time.cloudflare.com:123 guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036->38a4910e-6f05-5afe-a8e3-398c2eb18329 send: 48B 2cd1992e-ed1a-5732-8ff0-b78b14da76cc 146.70.129.29:38405 guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036->2cd1992e-ed1a-5732-8ff0-b78b14da76cc con 4fe9f2b7-67a4-5812-890a-988253b8f0e7 46.242.12.3:38405 guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036->4fe9f2b7-67a4-5812-890a-988253b8f0e7 con a42fbd20-913f-5517-9500-77410f4169eb 219.80.0.139:18587 guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036->a42fbd20-913f-5517-9500-77410f4169eb send: 68B 8c80cf5a-e708-55c7-9d71-d1065525977e 175.120.91.125:38405 guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036->8c80cf5a-e708-55c7-9d71-d1065525977e con 429c29b1-ff96-5cb3-a984-b4321259d21a 219.80.0.139:11207 guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036->429c29b1-ff96-5cb3-a984-b4321259d21a send: 68B guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036|send-data send-data to 285 IP addresses review logs to see them all guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036->guuid=4fb06739-1900-0000-57fd-fb2bf4070000 pid=2036|send-data send
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f87c9114-401c-4bfa-b94a-7b714b997bc4
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1723652
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1723652 Sample: amd64.elf Startdate: 26/06/2025 Architecture: LINUX Score: 60 42 31.200.249.178, 31875, 31881, 51604 NETRACK-ASRU Russian Federation 2->42 44 221.164.79.172, 41007, 6881 YSU-AS-KRyoungsanuniversityKR Korea Republic of 2->44 46 102 other IPs or domains 2->46 54 Connects to many ports of the same IP (likely port scanning) 2->54 10 amd64.elf 2->10         started        12 dash rm 2->12         started        14 dash rm 2->14         started        signatures3 process4 process5 16 amd64.elf sh 10->16         started        18 amd64.elf 10->18         started        21 amd64.elf sh 10->21         started        signatures6 23 sh crontab 16->23         started        27 sh 16->27         started        50 Opens /sys/class/net/* files useful for querying network interface information 18->50 52 Sample reads /proc/mounts (often used for finding a writable filesystem) 18->52 29 amd64.elf 18->29         started        31 sh crontab 21->31         started        process7 file8 40 /var/spool/cron/crontabs/tmp.2YANQi, ASCII 23->40 dropped 56 Sample tries to persist itself using cron 23->56 58 Executes the "crontab" command typically for achieving persistence 23->58 33 sh crontab 27->33         started        36 amd64.elf 29->36         started        signatures9 process10 signatures11 48 Executes the "crontab" command typically for achieving persistence 33->48 38 amd64.elf 36->38         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/5f082d73fe1442f024f6f5ea20ee8047a9ee2e3e6017c9a75ddfcb7524f5ee2f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f082d73fe1442f024f6f5ea20ee8047a9ee2e3e6017c9a75ddfcb7524f5ee2f/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/5f082d73fe1442f024f6f5ea20ee8047a9ee2e3e6017c9a75ddfcb7524f5ee2f
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-06-26 17:13:33 UTC
File Type:
ELF64 Little (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l4ec2476crbpajhw6xvcb3uai6u64lr6mal4tj2537fxkjhv5yxq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/250626-vrm8payqy4/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/83ec69ca-9a77-4a93-97cb-709c3fa82862
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f082d73fe1442f024f6f5ea20ee8047a9ee2e3e6017c9a75ddfcb7524f5ee2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 5f082d73fe1442f024f6f5ea20ee8047a9ee2e3e6017c9a75ddfcb7524f5ee2f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3550042/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments