MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98242afc9f106110c22b60311953e6d493d056fd976f2006c3e8dfbf36a0b002. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8



SHA256 hash: 98242afc9f106110c22b60311953e6d493d056fd976f2006c3e8dfbf36a0b002
SHA3-384 hash: 80fc48ba4624d91f556b4bfe156a8b67c2f52fe49999ff132b06050fedf1daec06aeed5981e3ce6f576b9f242f42d368
SHA1 hash: 71f820189b87b8a9fa11d9d22f6c6618a854e76c
MD5 hash: 36af936be1f391699ebc412e65d488dd
humanhash: mountain-saturn-early-kansas
File name: amd64
File size: 482'032 bytes
First seen: 2025-07-11 11:19:03 UTC
Last seen: 2025-07-11 20:50:13 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 12288:iD6LPBCvMk0O9na1M80cLt9i5aIaTtpc4W:2+QGO9naz0Szi5anTtR
TLSH: T1D0A41212E290D8FEC4DAC070469FD27BFD76BC544234BC6B6198F7322B3AE601B16A55
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence


File Origin
# of uploads: 2
# of downloads: 13
Origin country: DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Unknown
Threat level:
0/10
Confidence:
100%
Tags:
exploit gcc lolbin packed remote
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
70
Number of processes launched:
10
Processes remaining?:
true
Remote TCP ports scanned:
not identified
Behaviour
Anti-VM
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
Status:
terminated
Behavior Graph: (graph rendering not reproduced; recoverable process tree follows)
  /usr/bin/sudo (pid 2529) -> execve /tmp/sample.bin (pid 2535)
  /tmp/sample.bin (pid 2535) -> execve /usr/bin/dash (pid 2536) and /usr/bin/dash (pid 2537); pid 2537 -> clone /usr/bin/dash (pid 2538, pid 2539)
  /tmp/sample.bin (pid 2535) -> clone /tmp/sample.bin (pid 2540; mprotect-exec, zombie) -> clone pid 2550 (zombie) -> clone pid 2551 -> clone pid 2552 (dns, net, net-scan, send-data)
  pid 2552: connection to 127.0.0.1:65535; sends 48B to time.cloudflare.com:123 and 68B each to 159.65.200.220:6813, 31.200.249.162:31988 and 159.65.200.220:6817; send-data to 294 IP addresses in total (review logs to see them all)
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
64 / 100
Signature
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph: (graph rendering not reproduced; recoverable details follow)
  Behavior Graph ID: 1733755; Sample: amd64.elf; Startdate: 11/07/2025; Architecture: LINUX; Score: 64
  Network: 77.54.158.6 (ports 57312, 6881; VODAFONE-PT, Portugal), 94.134.90.191 (port 15112; VERSATELDE, Germany) and 102 other IPs or domains
  Process tree: amd64.elf starts sh and further amd64.elf children; sh starts crontab; dash starts rm
  Dropped file: /var/spool/cron/crontabs/tmp.40hRSb (ASCII)
  Signatures: Multi AV Scanner detection for submitted file; Opens /sys/class/net/* files useful for querying network interface information; Sample reads /proc/mounts (often used for finding a writable filesystem); Sample tries to persist itself using cron; Executes the "crontab" command typically for achieving persistence
Threat name:
Linux.Trojan.Multiverze
Status:
Malicious
First seen:
2025-07-11 11:19:27 UTC
File Type:
ELF64 Little (Exe)
AV detection:
19 of 38 (50.00%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
6/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf 98242afc9f106110c22b60311953e6d493d056fd976f2006c3e8dfbf36a0b002

(this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID: CHECK_PIE
Title: Missing Position-Independent Executable (PIE) Protection
Severity: high

Comments