MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 857d463c693b5c80236eff885408ce3ddbfc45f94e9a5022fe67ebbc090ba151. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PumaBot

Vendor detections: 8

Intelligence 8 IOCs YARA 8 File information Comments

SHA256 hash:	857d463c693b5c80236eff885408ce3ddbfc45f94e9a5022fe67ebbc090ba151
SHA3-384 hash:	019d140862a35a14e2c84bd9ba5c3735e02b2281a5216ede5ad20ddc2c53c72416e84978ce819713aa315d310368ad60
SHA1 hash:	08707d71625644cba93835512d1a6413e1ff3298
MD5 hash:	c3f1b3e25876af35eda033d91d57dd9f
humanhash:	aspen-muppet-eleven-eighteen
File name:	jiedian
Download:	download sample
Signature	PumaBot Create hunting rule
File size:	2'618'680 bytes
First seen:	2025-11-13 18:37:01 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	49152:k4Fb7UQogZfExV0s1jRITst794gVEifZp8kEz1Sb3ODCoi/WZjH:kSZow9sXIYx4axERuoi/WV
TLSH	T191C53397425E4F89D38FF5AC7B2B49FA10CD96B252B0809E0C579E8E82B11FDCDA3415
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf PumaBot

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Result

Verdict:

Clean

Maliciousness:

Gathering data

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

true

Architecture:

x86

Packer:

custom

Botnet:

unknown

Number of open files:

685

Number of processes launched:

1471

Processes remaning?

true

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/857d463c693b5c80236eff885408ce3ddbfc45f94e9a5022fe67ebbc090ba151

Behaviour

Anti-VM

Persistence

Process Renaming

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

not identified

Verdict:

Clean

File Type:

elf.64.le

First seen:

2025-11-13T15:57:00Z UTC

Last seen:

2025-11-13T16:10:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/857d463c693b5c80236eff885408ce3ddbfc45f94e9a5022fe67ebbc090ba151/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/2b12953d-ac48-408b-ab4f-067d39b08761

Behavior Graph:

Download SVG

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/96479601-8bfc-42f3-a8dc-fd48e74f4404

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/857d463c693b5c80236eff885408ce3ddbfc45f94e9a5022fe67ebbc090ba151

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/857d463c693b5c80236eff885408ce3ddbfc45f94e9a5022fe67ebbc090ba151/

Threat name:

Linux.Trojan.Multiverze

Status:

Malicious

First seen:

2025-11-13 18:37:53 UTC

File Type:

ELF64 Little (Exe)

AV detection:

14 of 38 (36.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qv6umpdjhnoiai3o76eficgohxn7yrpzj2nfaix6m7v3ycilufiq._file

Result

Malware family:

pumabot

Score:

10/10

Tags:

family:pumabot botnet defense_evasion discovery linux persistence privilege_escalation upx

Link:

https://tria.ge/reports/251113-w93xjazkas/

Behaviour

Enumerates kernel/hardware configuration

Process Discovery

Reads runtime system information

Reads CPU attributes

Security Software Discovery

UPX packed file

Disables SELinux

Enumerates running processes

Modifies systemd

Detects PumaBot systemd service

PumaBot

Pumabot family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f375994f-feb2-4e54-b310-91444367cb95

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.08

Link:

https://yomi.yoroi.company/submissions/857d463c693b5c80236eff885408ce3ddbfc45f94e9a5022fe67ebbc090ba151

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	GoBinTest Create hunting rule

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	upx_antiunpack_elf64 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	UPX Anti-Unpacking technique to magic renamed for ELF64

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PumaBot

elf 857d463c693b5c80236eff885408ce3ddbfc45f94e9a5022fe67ebbc090ba151

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3704589/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample