MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b2ed981ec29144f6687c52c2477c542ea6e72afacba6bea3c9a5bb4ce246b3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: 6b2ed981ec29144f6687c52c2477c542ea6e72afacba6bea3c9a5bb4ce246b3a
SHA3-384 hash: fe1dc2609baae98e8c853acff1ce0b10b2b657fd058efa4d6016dfab817413c5b64515202cc0a9b1521ad673e98bbc0c
SHA1 hash: e34aa903cb54796643d90685ba6d50fd626ffc59
MD5 hash: f43e48c28759d7e3219e0b353de9a5cf
humanhash: march-tennis-solar-west
File name: aarch64
File size: 509'896 bytes
First seen: 2025-06-11 09:14:16 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 6144:O/izeB+/ow3gK2lc5bvyI0vOHD6BZkDgn358cIF3RI5HkdY1FP98/8ecjfP:3BohHKTyfvOHD6ByD4WcIMkuDmEesP
TLSH: T15BB41228EE4E38C1F3D1E378DA0A4BB1B05B79D0D166C1B2BA41E25D95EDDDEC5D0212
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence


File Origin
# of uploads: 1
# of downloads: 73
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour: Creates directories
Verdict: Malicious
Uses P2P?: true
Uses anti-vm?: false
Architecture: arm
Packer: custom
Botnet: unknown
Number of open files: 0
Number of processes launched: 0
Processes remaining?: false
Remote TCP ports scanned: 41030
Behaviour: no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw
Score: 68 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph: [graph image not rendered] Behavior Graph ID: 1712046; sample aarch64.elf; start date 11/06/2025; architecture LINUX; score 68. The graph shows aarch64.elf spawning sh and crontab child processes, dropping /var/spool/cron/crontabs/tmp.CDF76P (ASCII), and contacting 99.245.232.221:50413 (ROGERS-COMMUNICATIONSCA, Canada), 178.77.187.203:2204 (XOLJO, Jordan) and 101 other IPs or domains.
Threat name: Linux.Trojan.Multiverze
Status: Malicious
First seen: 2025-06-11 09:14:30 UTC
File Type: ELF64 Little (Exe)
AV detection: 14 of 24 (58.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: linux
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

File: elf 6b2ed981ec29144f6687c52c2477c542ea6e72afacba6bea3c9a5bb4ce246b3a (this sample)
Delivery method: Web download (distributed via web download)

Comments