MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91e30093b3a7c500ac32e40c6c1a99a2d2fecbc2af454f7e457aa0d962a8ad0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	91e30093b3a7c500ac32e40c6c1a99a2d2fecbc2af454f7e457aa0d962a8ad0a
SHA3-384 hash:	d9b195acd24f06c410a36af9c78b66fd9dcafba0bea7583c26b460fb2d9c56e0d3af2e2c5c9539fbf0c6d3f0ee676961
SHA1 hash:	93b28194168db5928a85e6cf71816bc29f61d9ae
MD5 hash:	76e74866792464d81e96a564890300fe
humanhash:	december-eight-zebra-comet
File name:	aarch64
Download:	download sample
File size:	509'896 bytes
First seen:	2025-07-11 05:17:53 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	6144:O/izeB+/ow3gK2lc5bvyI0vOHD6BZkDgn358cIF3RI5HkdY1FP98/8ecjfP:3BohHKTyfvOHD6ByD4WcIMkuDmEesP
TLSH	T1A0B41228EE4E3891F3D1E378DA0A4BB1B05B7DD0C166C1B2BA41E25D95EDDDEC5D0212
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.32057.LX.BOT.UNOFFICIAL

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL

Verdict:

Clean

Score:

82.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68709e98900df8e7f869b462linux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creates directories

Verdict:

Unknown

Threat level:

0/10

Confidence:

100%

Tags:

exploit gcc lolbin packed remote

Link:

https://www.filescan.io/uploads/68709e9a7df8aa79caef094c/reports/56f1ee36-c291-4a41-b0a8-f6c06eaf021a/overview

Verdict:

Malicious

Uses P2P?:

true

Uses anti-vm?:

false

Architecture:

arm

Packer:

custom

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/91e30093b3a7c500ac32e40c6c1a99a2d2fecbc2af454f7e457aa0d962a8ad0a

Behaviour

no suspicious findings

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 188.42.55.92:6881
type: 89.207.71.47:6881
type: 176.125.139.123:6881
type: 31.23.241.27:6881
type: 47.186.58.10:6881
type: 82.114.251.32:6881
type: 174.66.179.58:6881
type: 71.38.133.137:6881
type: 178.158.202.153:6881
type: 81.26.246.106:6881
type: 177.180.144.152:6881
type: 220.133.157.95:6881
type: 52.9.197.152:6881
type: 41.158.124.67:6881
type: 149.12.121.62:6881
type: 109.157.163.61:6881
type: 111.197.169.24:6881
type: 83.226.124.95:6881
type: 107.181.234.235:6881
type: 192.227.221.84:6881
type: 167.99.72.189:6881
type: 142.171.58.199:6881
type: 93.91.112.195:6881
type: 54.214.62.31:6881
type: 3.81.15.194:6881
type: 75.119.138.164:6881
type: 54.70.174.84:6881
type: 35.163.251.58:6881
type: 59.170.166.105:6881
type: 196.42.30.96:6881
type: 64.250.86.148:6881
type: 185.221.169.110:6881
type: 130.239.18.158:8539
type: 178.162.174.178:28003
type: 89.149.202.17:28003
type: 178.162.174.83:28003
type: 178.162.173.74:28003
type: 178.162.173.231:28001
type: 173.230.130.111:6880
type: 54.85.131.184:6880
type: 95.168.162.161:42670
type: 37.27.120.51:50000
type: 135.181.227.244:50000
type: 65.108.193.57:50000
type: 135.181.238.57:50000
type: 37.27.107.117:50000
type: 37.27.119.250:50000
type: 65.21.129.56:50000
type: 37.27.119.190:50000
type: 135.181.238.118:50000
type: 37.27.117.240:50000
type: 65.21.128.238:50000
type: 37.27.104.50:50000
type: 178.162.173.38:28015
type: 195.154.172.179:23188
type: 95.216.116.106:16113
type: 185.21.216.160:57286
type: 195.20.18.136:11072
type: 195.154.185.217:24115
type: 178.162.173.12:28011
type: 178.162.174.52:28011
type: 195.154.185.217:24263
type: 5.79.93.242:61920
type: 46.232.211.170:22909
type: 178.162.174.43:28004
type: 195.154.185.217:24155
type: 178.162.174.155:28012
type: 178.162.173.32:28012
type: 95.168.160.123:28012
type: 130.239.18.158:8510
type: 51.158.148.12:54828
type: 89.134.10.250:51948
type: 37.48.118.19:28014
type: 169.150.223.223:64300
type: 5.39.81.144:56611
type: 195.154.225.2:51414
type: 51.159.104.70:8336
type: 81.171.20.66:64010
type: 178.162.173.203:28005
type: 45.91.209.222:51413
type: 180.199.243.73:51413
type: 213.202.230.139:51413
type: 216.153.96.20:51413
type: 45.81.60.23:51413
type: 130.44.173.194:51413
type: 83.221.25.242:51413
type: 81.171.10.66:51413
type: 188.165.236.95:51413
type: 90.193.159.1:51413
type: 86.71.178.10:51413
type: 176.63.22.23:57004
type: 42.3.108.193:17310
type: 193.70.32.195:51969
type: 213.55.164.22:31337
type: 80.57.184.183:64080
type: 82.52.155.223:58215
type: 46.53.23.253:11270
type: 151.0.34.155:49001
type: 143.179.183.181:49001
type: 5.164.246.187:49001
type: 86.120.242.245:34318
type: 89.134.12.96:13131
type: 66.56.80.5:40984
type: 190.245.47.13:34648
type: 202.150.186.211:41009
type: 47.203.225.81:55557
type: 94.66.243.58:41452
type: 185.203.56.72:63055
type: 94.63.134.88:1027
type: 46.232.211.57:64107
type: 121.176.44.103:40721
type: 193.32.23.174:51711
type: 68.146.42.60:29102
type: 51.159.104.72:8452
type: 188.165.231.77:54544
type: 85.17.28.206:28002
type: 94.54.152.87:22444
type: 84.188.91.68:29135
type: 181.46.66.91:40783
type: 178.43.127.16:26797
type: 195.154.185.217:25173
type: 144.76.175.153:48445
type: 212.203.51.126:17680
type: 115.131.183.126:56425
type: 220.73.113.252:41052
type: 221.164.135.100:41052
type: 169.150.219.153:64056
type: 175.202.171.207:33194
type: 193.138.45.125:57467
type: 177.192.17.147:18109
type: 95.90.240.216:1535
type: 88.91.98.186:58138
type: 195.181.167.43:31301
type: 187.189.102.128:15598
type: 31.209.55.64:6248
type: 176.63.2.16:13235
type: 176.63.116.192:9089
type: 89.66.82.203:6889
type: 96.39.238.72:6889
type: 27.32.112.143:13571
type: 77.247.181.219:56409
type: 46.232.210.110:11759
type: 45.87.251.149:28017
type: 141.95.53.34:8663
type: 185.203.56.59:23660
type: 150.31.49.210:9127
type: 95.194.193.199:32143
type: 152.169.17.154:42547
type: 157.157.114.49:30517
type: 199.126.88.23:51332
type: 59.27.139.179:41033
type: 106.68.54.176:64367
type: 83.138.44.6:54178
type: 49.206.34.126:3094
type: 49.207.193.13:13392
type: 31.217.161.87:55703
type: 81.214.30.179:18177
type: 73.198.216.150:36058
type: 59.2.5.1:32819
type: 81.229.4.147:50321
type: 175.208.203.139:33029
type: 203.188.164.155:34945
type: 95.214.53.172:1688
type: 69.80.13.77:30727
type: 195.170.172.38:10240
type: 152.53.105.61:10240
type: 152.53.104.128:10240
type: 194.29.101.83:10240
type: 49.204.119.151:14349
type: 54.209.131.199:6892
type: 54.77.218.23:6892
type: 27.125.246.20:1915
type: 167.172.226.132:6060
type: 41.97.138.8:52778
type: 78.142.231.133:6767
type: 38.134.41.130:32681
type: 157.48.5.32:37878
type: 213.94.24.70:37878
type: 46.232.211.108:64046
type: 178.162.174.154:28013
type: 130.239.18.158:8597
type: 71.93.133.70:34718
type: 35.79.33.106:60020
type: 81.152.41.133:49388
type: 181.47.126.88:32438
type: 51.38.81.200:8657
type: 81.105.18.50:53544
type: 54.211.14.111:20876
type: 130.239.18.158:8537
type: 94.31.72.238:3263
type: 89.149.202.17:28016
type: 51.15.19.75:32215
type: 91.126.166.16:18971

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/37ed063f-793a-476d-9a9c-bb1ea6d36af6

Behavior Graph:

Download SVG

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/38d7ea36-4db1-41ae-b44c-ec6771381eb3

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/91e30093b3a7c500ac32e40c6c1a99a2d2fecbc2af454f7e457aa0d962a8ad0a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/91e30093b3a7c500ac32e40c6c1a99a2d2fecbc2af454f7e457aa0d962a8ad0a/

Threat name:

Linux.Trojan.SAgnt

Status:

Malicious

First seen:

2025-07-11 05:18:16 UTC

File Type:

ELF64 Little (Exe)

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=shrqbe5tu7cqblbs4qggyguzuljp5s6cv5cu67sfpkqnsyvivufa._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/250711-fzc1cshk71/

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/90d95bc8-c4d9-4cfd-8495-b00365ad2e63

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/91e30093b3a7c500ac32e40c6c1a99a2d2fecbc2af454f7e457aa0d962a8ad0a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 91e30093b3a7c500ac32e40c6c1a99a2d2fecbc2af454f7e457aa0d962a8ad0a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3558161/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample