MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a5e641459bf9a13edda730e95d6234fae07f1b0e691375fe4e9dd238e13d01e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	6a5e641459bf9a13edda730e95d6234fae07f1b0e691375fe4e9dd238e13d01e
SHA3-384 hash:	3cc9309110c0bba4c1abf76c9d635935eb2b9567211e61a2e4a3de1ef50b471cd87bff88bb74e0959a32d1a4b16f5269
SHA1 hash:	24fc525ea39dace073298112ac656f7af85d87ad
MD5 hash:	44ea43dd3e1abcf6293714f786710cc7
humanhash:	comet-ink-winter-nuts
File name:	arm
Download:	download sample
File size:	279'100 bytes
First seen:	2025-02-14 22:12:58 UTC
Last seen:	2025-02-15 06:08:07 UTC
File type:	elf
MIME type:	application/x-executable
ssdeep	6144:GRUyBuyN/GNuQVQY9b/J3M9TfROAlGil52ZfOSozJgi6FPyo/jJ:G/zG0T42BZhv8WSgJj6F6o/jJ
TLSH	T17C54237A0A1FB235C739E0F24EB46D1DD2C5B6CA23A3FDAE599228A55CF8F704129504
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

Vendor Threat Intelligence

Detection(s):

Unix.Trojan.DarkNexus-7679166-0

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67afc0ad28ab76d43a5af156linux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Verdict:

Unknown

Threat level:

0/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/67afc014c2f1c1c7a059b4ab/reports/490d1fe8-7483-4e1a-9cc1-8f30e79fb161/overview

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

false

Architecture:

x86

Packer:

custom

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/6a5e641459bf9a13edda730e95d6234fae07f1b0e691375fe4e9dd238e13d01e

Behaviour

no suspicious findings

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

not identified

Result

Verdict:

MALICIOUS

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/1c4ccd38-3ea1-4d95-b948-e0967ce5532e

Result

Threat name:

n/a

Detection:

clean

Classification:

n/a

Score:

1 / 100

Link:

https://www.joesandbox.com/analysis/1615470

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/6a5e641459bf9a13edda730e95d6234fae07f1b0e691375fe4e9dd238e13d01e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6a5e641459bf9a13edda730e95d6234fae07f1b0e691375fe4e9dd238e13d01e/

Threat name:

Linux.Trojan.Generic

Status:

Suspicious

First seen:

2025-02-14 22:13:11 UTC

File Type:

ELF64 Little (Exe)

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=njpgifczx6nbh3o2omhjlvrdj6xap4nq42itox7e5hoshdqt2apa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery linux

Link:

https://tria.ge/reports/250214-144zvszlhn/

Behaviour

Reads runtime system information

Verdict:

Malicious

Tags:

Unix.Trojan.DarkNexus-7679166-0

YARA:

n/a

Link:

https://app.threat.zone/submission/f89d7898-ecb6-4eb0-ba63-c6d294c327f3

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6a5e641459bf9a13edda730e95d6234fae07f1b0e691375fe4e9dd238e13d01e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	upx_antiunpack_elf64 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	UPX Anti-Unpacking technique to magic renamed for ELF64

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh a23893ec11dca1f3dc36c0b8afa2f4890080a176a136d4dc6bb93eb1288624c4

elf 6a5e641459bf9a13edda730e95d6234fae07f1b0e691375fe4e9dd238e13d01e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3438745/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3438738/

URLhaus

https://urlhaus.abuse.ch/url/3438749/

URLhaus

https://urlhaus.abuse.ch/url/3438740/

URLhaus

https://urlhaus.abuse.ch/url/3438744/

URLhaus

https://urlhaus.abuse.ch/url/3438716/

URLhaus

https://urlhaus.abuse.ch/url/3438869/

URLhaus

https://urlhaus.abuse.ch/url/3438741/

URLhaus

https://urlhaus.abuse.ch/url/3438743/

URLhaus

https://urlhaus.abuse.ch/url/3438739/

URLhaus

https://urlhaus.abuse.ch/url/3438717/

URLhaus

https://urlhaus.abuse.ch/url/3438751/

URLhaus

https://urlhaus.abuse.ch/url/3440089/

URLhaus

https://urlhaus.abuse.ch/url/3440090/

URLhaus

https://urlhaus.abuse.ch/url/3440091/

URLhaus

https://urlhaus.abuse.ch/url/3440092/

URLhaus

https://urlhaus.abuse.ch/url/3440094/

URLhaus

https://urlhaus.abuse.ch/url/3440093/

URLhaus

https://urlhaus.abuse.ch/url/3440095/

URLhaus

https://urlhaus.abuse.ch/url/3440096/

URLhaus

https://urlhaus.abuse.ch/url/3440097/

URLhaus

https://urlhaus.abuse.ch/url/3440098/

URLhaus

https://urlhaus.abuse.ch/url/3440099/

URLhaus

https://urlhaus.abuse.ch/url/3440102/

URLhaus

https://urlhaus.abuse.ch/url/3440101/

Dropped by

SHA256 a23893ec11dca1f3dc36c0b8afa2f4890080a176a136d4dc6bb93eb1288624c4

Dropped by

MD5 9e58bb33f250dcbc4605bffae120febb

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample