MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d0c023d7773149572ed64ea816beb4441d06c0b0d87aa53a503d10efd6db978. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 4



SHA256 hash: 7d0c023d7773149572ed64ea816beb4441d06c0b0d87aa53a503d10efd6db978
SHA3-384 hash: 25f1b43bf53dc86aa67d77bcf176d844480bb869363620605034d4f5e640b68040d84d214d13223241b999d90f521242
SHA1 hash: 0ac2417694e7594ad50571a4028e44bde03e8ef1
MD5 hash: 282190d128962100ba71fe16d0731974
humanhash: snake-glucose-maryland-cola
File name: Mozi.m
File size: 307'960 bytes
First seen: 2021-07-11 07:02:21 UTC
Last seen: 2025-02-09 11:53:46 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xio:p3lOYoaja8xzx/0wsxzSi
TLSH: T104641246EB36BD2FCF001AB216CB4F9D9C6D7B5B41C7E0A5A9C0814F17E21C97AD2294
Reporter tolisec
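Before handling a copy of this sample, confirm that what you downloaded is the file this entry describes: the size, all four listed digests, and the outer ELF header (UPX leaves the ELF header of the stub intact, so a packed MIPS sample still reports MIPS there). The script below is an added example, not MalwareBazaar code; it expects the raw ELF bytes, not a wrapping archive, and the test bytes it is checked against are a constructed ELF header, not the sample.

```python
"""Verify a downloaded sample against the digests, size and machine type listed in this entry.

Added example (not MalwareBazaar code). Feed it the raw ELF bytes of the extracted sample.
"""
import hashlib
import struct

EM_MIPS = 8  # ELF e_machine value for MIPS (matches "Architecture: mips" on the entry)

# Digests exactly as listed on this page, keyed by hashlib algorithm name.
EXPECTED_DIGESTS = {
    "sha256": "7d0c023d7773149572ed64ea816beb4441d06c0b0d87aa53a503d10efd6db978",
    "sha3_384": "25f1b43bf53dc86aa67d77bcf176d844480bb869363620605034d4f5e640b68040d84d214d13223241b999d90f521242",
    "sha1": "0ac2417694e7594ad50571a4028e44bde03e8ef1",
    "md5": "282190d128962100ba71fe16d0731974",
}
EXPECTED_SIZE = 307960  # "File size" on the entry


def elf_machine(data: bytes):
    """Return (byte_order, e_machine) from an ELF header, or None if the bytes are not ELF.

    Only e_ident and e_machine are read; UPX keeps this outer header intact,
    so a packed sample still reports its real target architecture here.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    order = {1: "<", 2: ">"}.get(data[5])  # EI_DATA: 1 = little-endian, 2 = big-endian
    if order is None:
        return None
    (e_machine,) = struct.unpack(order + "H", data[18:20])
    return ("little" if order == "<" else "big", e_machine)


def digests(data: bytes) -> dict:
    """Compute the same set of digests the entry lists, for the given bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in EXPECTED_DIGESTS}


def verify_sample(data: bytes, expected=EXPECTED_DIGESTS, size=EXPECTED_SIZE) -> list:
    """Return a list of failed checks; an empty list means size, every digest and the ELF machine type match."""
    failures = []
    if len(data) != size:
        failures.append(f"size {len(data)} != {size}")
    for alg, want in expected.items():
        got = hashlib.new(alg, data).hexdigest()
        if got != want.lower():
            failures.append(f"{alg} mismatch: got {got}")
    machine = elf_machine(data)
    if machine is None:
        failures.append("not an ELF file")
    elif machine[1] != EM_MIPS:
        failures.append(f"e_machine {machine[1]} is not MIPS ({EM_MIPS})")
    return failures


if __name__ == "__main__":
    import sys

    with open(sys.argv[1], "rb") as fh:  # path to the extracted sample
        problems = verify_sample(fh.read())
    print("OK: size, digests and ELF machine type match this entry" if not problems else "\n".join(problems))
```

A digest mismatch here most often means the archive was checked instead of the extracted file, or a different upload of the same family was fetched; either way, do not proceed on the assumption that the sandbox results above apply to what you have.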

Intelligence


File Origin
# of uploads: 2
# of downloads: 120
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
Uses P2P?: true
Uses anti-vm?: false
Architecture: mips
Packer: UPX
Botnet: 117.215.208.250:45613
Number of open files: 430
Number of processes launched: 38
Processes remaining?: true
Remote TCP ports scanned: 80, 60001, 8081, 8181, 8080, 37215, 81, 49152, 5555, 52869, 7574, 8443, 2323, 23
Behaviour
Process Renaming
Firewall Changes
Information Gathering
Botnet C2s
TCP botnet C2(s):
212.129.33.59:6881
87.98.162.88:6881
67.215.246.10:6881
82.221.103.244:6881
130.239.18.159:6881
42.235.206.3:6881
5.39.84.224:6881
112.248.142.106:6881
5.135.190.37:6881
50.5.232.30:6881
111.38.106.48:6881
222.93.201.40:6881
178.141.215.10:6881
77.248.34.25:6881
51.38.181.72:6881
103.135.33.73:6881
188.209.56.13:28024
178.32.222.81:9090
217.19.214.86:17131
186.99.189.196:9018
72.39.250.209:31710
91.121.122.165:51413
91.218.85.189:51413
74.207.224.193:51413
51.75.255.81:51413
31.44.225.133:51413
37.48.95.95:51413
62.173.158.58:51413
88.99.192.208:51413
87.98.217.40:51413
122.140.154.163:3575
183.2.114.139:36384
125.42.125.190:62925
130.239.18.159:8646
130.239.18.159:8547
130.239.18.159:8896
95.198.73.192:5060
77.88.193.203:5060
5.79.102.206:6908
94.8.154.151:47771
185.107.71.182:28002
111.92.73.237:45513
89.23.222.93:36349
46.159.166.44:41961
54.209.131.199:6992
98.194.188.165:32401
218.250.214.172:13419
185.231.70.115:62243
76.64.98.251:38499
163.172.63.49:13611
201.86.241.53:64018
213.108.36.115:49160
50.39.109.111:61405
185.107.71.144:28037
95.211.213.220:54871
188.209.56.15:28153
130.239.18.159:8953
117.222.161.31:8082
178.141.10.65:8082
130.239.18.159:8744
135.181.182.188:43172
117.92.107.145:30427
27.225.128.110:9611
103.84.6.68:8828
130.239.18.159:8792
130.239.18.159:8978
130.239.18.159:8926
130.239.18.159:8673
95.158.19.130:4872
119.187.110.84:8080
143.137.59.18:8080
124.129.228.167:29712
115.61.96.63:39075
46.249.119.133:26145
178.141.23.249:49181
116.68.104.140:38905
58.253.9.187:12207
115.61.106.216:5353
91.121.159.11:5353
146.71.73.62:56496
192.111.154.186:59607
5.189.188.23:51287
188.40.137.126:46667
173.82.154.191:26881
5.9.63.252:19520
37.48.93.129:64992
163.172.10.189:55011
188.209.56.25:28063
116.255.191.216:17904
81.198.240.73:29328
178.141.220.40:59724
81.227.177.100:55959
111.92.79.155:52879
188.242.167.159:2348
175.168.142.198:32766
111.92.79.168:7496
210.99.36.170:41080
103.41.25.146:29587
59.26.97.155:3291
76.185.97.37:39020
173.212.202.248:51465
211.149.132.127:27131
178.141.63.170:1434
185.149.90.5:52038
176.31.180.84:46881
UDP botnet C2(s):
not identified
Result
Verdict: MALICIOUS
Threat name: Linux.Trojan.Skeeyah
Status: Malicious
First seen: 2021-07-11 07:03:05 UTC
AV detection: 15 of 45 (33.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: linux
Behaviour
Reads runtime system information
Writes file to tmp directory
Reads system network configuration
Enumerates active TCP sockets
Reads system routing table
Modifies hosts file
Modifies the Watchdog daemon
Writes file to system bin folder
Please note that we are no longer able to provide a coverage score for Virus Total.
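The TCP C2 list and the scanned-port list in the vendor report above are the two pieces of this entry that translate directly into network detection. Two caveats matter when doing so: the sample is P2P ("Uses P2P?: true"), so the endpoints are peers that churn rather than fixed servers, and many of them sit on 6881, which is also the default BitTorrent DHT port, so a port-only match would flag ordinary torrent clients. The script below is an added example, not MalwareBazaar or sandbox code: it matches flows on the exact ip:port pair for C2 contacts, and separately flags a source that touches several distinct hosts on the sample's scan ports. The "src_ip dst_ip dst_port" line format and the threshold of five targets are assumptions, and the flow records are constructed for the demonstration.

```python
"""Flag flow records that contact the listed C2 endpoints or look like this sample's port scanning.

Added example (not MalwareBazaar or sandbox code). Flow lines are "src_ip dst_ip dst_port",
a constructed stand-in for whatever NetFlow/Zeek export is actually available.
"""
from collections import defaultdict

# Subset of the TCP botnet C2 endpoints listed on this entry, as (ip, port); the full list is above.
TCP_C2 = {
    ("117.215.208.250", 45613),  # the "Botnet" endpoint from the vendor report
    ("212.129.33.59", 6881),
    ("87.98.162.88", 6881),
    ("188.209.56.13", 28024),
    ("178.32.222.81", 9090),
    ("130.239.18.159", 8646),
}

# "Remote TCP ports scanned" from the vendor report.
SCAN_PORTS = {80, 60001, 8081, 8181, 8080, 37215, 81, 49152, 5555, 52869, 7574, 8443, 2323, 23}

# Assumption: one source hitting this many distinct hosts on scan ports is worth a look.
SCAN_MIN_TARGETS = 5


def parse_flow(line: str):
    """Return (src_ip, dst_ip, dst_port) for a flow line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    src, dst, port = line.split()
    return src, dst, int(port)


def find_c2_contacts(lines) -> list:
    """Flows whose destination is a listed C2 endpoint, matched on ip AND port.

    Matching on the pair is deliberate: 6881 alone is also normal BitTorrent DHT traffic.
    """
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow and (flow[1], flow[2]) in TCP_C2:
            hits.append(flow)
    return hits


def find_scanners(lines, min_targets: int = SCAN_MIN_TARGETS) -> dict:
    """Sources that reached at least min_targets distinct hosts on the sample's scan ports."""
    targets = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow and flow[2] in SCAN_PORTS:
            targets[flow[0]].add(flow[1])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed flow records for the demonstration; not real traffic.
SAMPLE_FLOWS = """
# src_ip        dst_ip            dst_port
192.168.1.20    212.129.33.59     6881
192.168.1.20    117.215.208.250   45613
192.168.1.21    1.2.3.4           6881
192.168.1.20    10.0.0.1          23
192.168.1.20    10.0.0.2          23
192.168.1.20    10.0.0.3          2323
192.168.1.20    10.0.0.4          37215
192.168.1.20    10.0.0.5          52869
192.168.1.20    10.0.0.6          8080
192.168.1.21    10.0.0.7          443
""".strip().splitlines()

if __name__ == "__main__":
    for src, dst, port in find_c2_contacts(SAMPLE_FLOWS):
        print(f"C2 contact: {src} -> {dst}:{port}")
    for src, count in find_scanners(SAMPLE_FLOWS).items():
        print(f"possible scanner: {src} reached {count} hosts on the sample's scan ports")
```

In the constructed data, 192.168.1.21 talks to an unlisted host on 6881 and is not flagged, while 192.168.1.20 is flagged both for the two exact C2 pairs and for fanning out to six hosts on scan ports. Because the peer list dates from 2021 and P2P peers change, treat the scan-pattern rule as the more durable of the two signals.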

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: SUSP_ELF_LNX_UPX_Compressed_File
Author: Florian Roth
Description: Detects a suspicious ELF binary with UPX compression
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Sample: elf 7d0c023d7773149572ed64ea816beb4441d06c0b0d87aa53a503d10efd6db978 (this sample)

Comments