MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bfc1524eabbdfc7e5fb44cf47234f855f1331113758a9123fcba695f0acd017. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bfc1524eabbdfc7e5fb44cf47234f855f1331113758a9123fcba695f0acd017
SHA3-384 hash: 1336264372bb63e6fa2f4afacebee748b9172135f9d571a8d442a45a5eb5603f77c8c1ed75233cc77e6a58adabef0cb9
SHA1 hash: 61e0d99c463c5c2aba5aed5700cf2e5c1343b605
MD5 hash: bf3bd9afebec35174ae70e4f8d1ccebf
humanhash: zulu-eight-red-helium
File name:aarch64
Download: download sample
File size:509'896 bytes
First seen:2025-06-22 05:53:53 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 6144:O/izeB+/ow3gK2lc5bvyI0vOHD6BZkDgn358cIF3RI5HkdY1FP98/8ecjfP:3BohHKTyfvOHD6ByD4WcIMkuDmEesP
TLSH T198B41228EE4E3891F3D1E3B8DA0A4BB1B05B79D0C166C1B2BA41E25D95EDDDEC5D0212
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.32057.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68579a92b06783b9ebd6925flinux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
base64 exploit gcc lolbin remote
Link:
https://www.filescan.io/uploads/68579a8e3faf8fcd7d3a7f63/reports/41be16b2-c2c3-45f9-ab0d-fc21f6575ed5/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
false
Architecture:
arm
Packer:
custom
Botnet:
unknown
Number of open files:
0
Number of processes launched:
0
Processes remaning?
false
Remote TCP ports scanned:
47440
Full report:
https://elfdigest.com/brief/7bfc1524eabbdfc7e5fb44cf47234f855f1331113758a9123fcba695f0acd017
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 178.69.209.93:6881
type: 95.66.217.20:6881
type: 91.225.20.2:6881
type: 68.249.164.115:6881
type: 161.230.228.167:6881
type: 185.71.14.131:6881
type: 77.98.65.37:6881
type: 98.24.64.80:6881
type: 2.97.5.249:6881
type: 91.203.188.18:6881
type: 83.39.192.148:6881
type: 193.9.113.165:6881
type: 176.196.23.211:6881
type: 13.58.27.33:6881
type: 73.42.251.205:6881
type: 121.135.62.28:6881
type: 45.64.236.130:6881
type: 152.67.87.91:6881
type: 148.135.106.206:6881
type: 213.112.239.150:6881
type: 78.189.164.174:6881
type: 103.215.237.16:6881
type: 196.50.192.235:6881
type: 67.188.144.158:6881
type: 23.95.192.22:6881
type: 52.9.197.152:6881
type: 18.190.61.127:6881
type: 54.70.174.84:6881
type: 18.220.82.190:6881
type: 35.155.156.153:6881
type: 95.214.106.85:6881
type: 144.24.245.236:6881
type: 78.84.70.60:6881
type: 130.239.18.158:8524
type: 135.181.238.57:50000
type: 135.181.227.244:50000
type: 135.181.238.118:50000
type: 65.108.226.122:50000
type: 2.86.204.51:50000
type: 65.21.125.184:50000
type: 178.162.174.43:28004
type: 178.162.174.228:28004
type: 130.239.18.158:8515
type: 178.162.174.222:28014
type: 178.162.174.77:28014
type: 51.159.104.76:7186
type: 45.152.210.34:50171
type: 193.32.16.134:50171
type: 193.23.250.22:50171
type: 193.23.250.122:50171
type: 178.70.30.2:51413
type: 82.44.243.147:51413
type: 88.98.225.179:51413
type: 84.27.153.252:51413
type: 24.113.91.224:51413
type: 151.252.190.120:51413
type: 90.149.85.86:51413
type: 5.135.163.217:51413
type: 176.195.48.46:51413
type: 46.0.203.201:51413
type: 212.251.201.227:51413
type: 130.239.18.158:8513
type: 178.162.173.105:28003
type: 178.162.173.147:28003
type: 3.141.159.213:6880
type: 148.153.188.242:6880
type: 154.202.132.194:6880
type: 54.85.131.184:6880
type: 3.12.65.135:6880
type: 130.239.18.158:8516
type: 130.239.18.158:8580
type: 37.48.111.129:61253
type: 54.211.14.111:20871
type: 34.207.160.46:20871
type: 45.91.208.243:51936
type: 178.162.173.222:28002
type: 39.184.86.244:13553
type: 176.63.30.103:13553
type: 79.127.235.177:64052
type: 130.239.18.158:8500
type: 89.134.6.53:53407
type: 195.154.171.57:30195
type: 79.47.224.122:52322
type: 185.21.216.197:58444
type: 51.159.104.81:8024
type: 46.232.210.143:52987
type: 34.207.160.46:20872
type: 31.13.191.67:48803
type: 89.31.187.75:49001
type: 46.172.35.172:49001
type: 95.54.139.77:49001
type: 81.24.81.11:49001
type: 178.184.114.234:49001
type: 176.209.115.107:49001
type: 75.54.193.244:6889
type: 27.121.134.229:6889
type: 151.62.0.242:6889
type: 219.85.50.46:6889
type: 95.168.168.226:25345
type: 178.162.173.165:28010
type: 46.232.211.220:53106
type: 188.165.200.53:52603
type: 178.162.173.171:28007
type: 5.79.87.194:28009
type: 112.169.232.56:32979
type: 31.10.157.212:4049
type: 27.125.244.246:29425
type: 95.211.19.96:49801
type: 5.39.85.82:51041
type: 121.144.236.97:33102
type: 187.14.176.77:47303
type: 61.255.49.89:7944
type: 212.132.228.91:63093
type: 126.92.33.230:26588
type: 91.160.73.90:56804
type: 27.125.250.95:4574
type: 189.176.193.6:58527
type: 46.98.3.26:8621
type: 213.230.86.62:4148
type: 77.34.234.231:6882
type: 188.165.201.82:6882
type: 187.189.215.219:9381
type: 178.162.159.83:55301
type: 152.53.45.107:6885
type: 194.29.101.83:10240
type: 152.53.52.107:10240
type: 137.74.95.127:15335
type: 37.187.151.6:63238
type: 95.153.31.124:57055
type: 178.162.174.225:28011
type: 222.117.224.24:54484
type: 120.75.247.142:8710
type: 187.190.158.20:47333
type: 211.219.221.29:54667
type: 112.163.225.219:32992
type: 182.232.41.44:57455
type: 68.109.14.232:59833
type: 62.163.84.162:36988
type: 188.163.109.145:15347
type: 114.76.88.66:46598
type: 72.21.17.106:12323
type: 189.179.200.201:45185
type: 188.163.45.145:25181
type: 149.56.27.121:58813
type: 54.39.52.64:48853
type: 152.53.45.107:7095
type: 213.159.77.154:11158
type: 94.111.0.250:13233
type: 81.110.187.96:21453
type: 45.87.251.149:28117
type: 45.154.86.170:56671
type: 77.237.18.135:27486
type: 220.254.9.138:52071
type: 187.43.159.254:10959
type: 57.129.45.80:8656
type: 43.240.149.123:32681
type: 176.31.183.98:33647
type: 152.174.204.31:46710
type: 154.198.72.182:51975
type: 144.76.175.153:47525
type: 31.219.29.60:5725
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/54959547-8f1d-43d9-a66c-427576af0fb6
Behavior Graph:
Download SVG
%3 guuid=05bc9c4a-1900-0000-627f-198bf1080000 pid=2289 /usr/bin/sudo guuid=ab00064d-1900-0000-627f-198bf2080000 pid=2290 /tmp/sample.bin guuid=05bc9c4a-1900-0000-627f-198bf1080000 pid=2289->guuid=ab00064d-1900-0000-627f-198bf2080000 pid=2290 execve guuid=c9e6af4d-1900-0000-627f-198bf4080000 pid=2292 /usr/bin/dash guuid=ab00064d-1900-0000-627f-198bf2080000 pid=2290->guuid=c9e6af4d-1900-0000-627f-198bf4080000 pid=2292 clone guuid=4534f74d-1900-0000-627f-198bf6080000 pid=2294 /usr/bin/dash guuid=ab00064d-1900-0000-627f-198bf2080000 pid=2290->guuid=4534f74d-1900-0000-627f-198bf6080000 pid=2294 clone guuid=d395394e-1900-0000-627f-198bf7080000 pid=2295 /usr/bin/dash guuid=ab00064d-1900-0000-627f-198bf2080000 pid=2290->guuid=d395394e-1900-0000-627f-198bf7080000 pid=2295 clone guuid=86cb594e-1900-0000-627f-198bf8080000 pid=2296 /usr/bin/dash guuid=ab00064d-1900-0000-627f-198bf2080000 pid=2290->guuid=86cb594e-1900-0000-627f-198bf8080000 pid=2296 clone
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/49c41d12-0a4a-487d-a546-58daf856ba6f
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1720148
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1720148 Sample: aarch64.elf Startdate: 22/06/2025 Architecture: LINUX Score: 68 38 209.38.196.30, 6814, 6815 ATT-INTERNET4US United States 2->38 40 176.58.226.197, 49097, 6881 WIND-ASGR Greece 2->40 42 102 other IPs or domains 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Connects to many ports of the same IP (likely port scanning) 2->46 10 aarch64.elf 2->10         started        signatures3 process4 process5 12 aarch64.elf sh 10->12         started        14 aarch64.elf 10->14         started        17 aarch64.elf sh 10->17         started        signatures6 19 sh crontab 12->19         started        23 sh 12->23         started        54 Opens /sys/class/net/* files useful for querying network interface information 14->54 56 Sample reads /proc/mounts (often used for finding a writable filesystem) 14->56 25 aarch64.elf 14->25         started        27 sh crontab 17->27         started        process7 file8 36 /var/spool/cron/crontabs/tmp.RTuG62, ASCII 19->36 dropped 48 Sample tries to persist itself using cron 19->48 50 Executes the "crontab" command typically for achieving persistence 19->50 29 sh crontab 23->29         started        32 aarch64.elf 25->32         started        signatures9 process10 signatures11 52 Executes the "crontab" command typically for achieving persistence 29->52 34 aarch64.elf 32->34         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/7bfc1524eabbdfc7e5fb44cf47234f855f1331113758a9123fcba695f0acd017
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7bfc1524eabbdfc7e5fb44cf47234f855f1331113758a9123fcba695f0acd017/
Threat name:
Linux.Trojan.SAgnt
Create hunting rule
Status:
Malicious
First seen:
2025-06-22 05:54:23 UTC
File Type:
ELF64 Little (Exe)
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pp6bkjhkxpp4pzp3ithuoi2pqvprgmirg5mkser7zotjl4fm2alq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/250622-gl28rszscx/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/38307873-4157-4456-8d61-35990b922284
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7bfc1524eabbdfc7e5fb44cf47234f855f1331113758a9123fcba695f0acd017

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 7bfc1524eabbdfc7e5fb44cf47234f855f1331113758a9123fcba695f0acd017

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558161/
  
Delivery method
Distributed via web download

Comments