MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a062f434729355db91fd58e5a00a3b897a32e59ed86a9394423bcb7e4c853b70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a062f434729355db91fd58e5a00a3b897a32e59ed86a9394423bcb7e4c853b70
SHA3-384 hash: 0dcd672f4ab9d6fe090f4e37d29e058bae6919e9486db3768828edc2d0478b05e7fd9978d3ef6bfb0d8374fff10f12f5
SHA1 hash: 49f0dd843c669f8a828d58ece34b9c302bbcaf1c
MD5 hash: 5ff1c58a9bb71823f8b36f8bb6cedcbf
humanhash: july-sixteen-massachusetts-foxtrot
File name:aarch64
Download: download sample
File size:509'896 bytes
First seen:2025-07-03 04:33:44 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 6144:O/izeB+/ow3gK2lc5bvyI0vOHD6BZkDgn358cIF3RI5HkdY1FP98/8ecjfP:3BohHKTyfvOHD6ByD4WcIMkuDmEesP
TLSH T1EFB41228EE4E3881F3D1E3B8DA0A4BB1B05B7DD0D166C1B2BA41E25D95EDDDEC5D0212
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
10
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.32057.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68660849c9eb97473765bdaflinux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
exploit gcc
Link:
https://www.filescan.io/uploads/686608497423ff017c3da8f2/reports/9cf964e0-8ab9-49e2-b302-514c7ea2c488/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
false
Architecture:
arm
Packer:
custom
Botnet:
unknown
Number of open files:
0
Number of processes launched:
0
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/a062f434729355db91fd58e5a00a3b897a32e59ed86a9394423bcb7e4c853b70
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 46.189.195.95:6881
type: 3.92.204.118:6881
type: 89.207.71.47:6881
type: 88.87.84.154:6881
type: 222.106.129.62:6881
type: 115.134.158.174:6881
type: 174.166.243.226:6881
type: 89.115.3.105:6881
type: 86.137.245.213:6881
type: 31.186.199.238:6881
type: 115.126.186.137:6881
type: 188.232.146.147:6881
type: 221.155.183.245:6881
type: 151.31.200.230:6881
type: 107.141.251.202:6881
type: 188.213.93.34:6881
type: 103.241.62.33:6881
type: 39.153.194.90:6881
type: 83.151.207.184:6881
type: 81.56.154.239:6881
type: 81.22.57.150:6881
type: 89.70.57.150:6881
type: 142.171.125.191:6881
type: 31.43.38.141:6881
type: 181.95.38.76:6881
type: 23.95.192.22:6881
type: 18.188.31.0:6881
type: 54.214.105.212:6881
type: 18.221.7.72:6881
type: 75.119.138.164:6881
type: 54.214.62.55:6881
type: 18.191.2.28:6881
type: 47.121.118.91:6881
type: 23.95.32.170:6881
type: 18.220.82.190:6881
type: 185.54.21.72:6881
type: 167.99.72.189:6881
type: 74.48.140.189:6881
type: 142.171.58.199:6881
type: 99.121.250.216:6881
type: 217.215.144.96:6881
type: 130.239.18.158:8597
type: 130.239.18.158:8513
type: 178.162.173.91:28003
type: 178.162.173.32:28003
type: 130.239.18.158:8580
type: 195.154.233.74:6880
type: 130.239.18.158:8516
type: 178.162.173.103:28010
type: 178.162.173.117:28010
type: 51.159.104.68:7606
type: 147.135.129.139:52557
type: 130.239.18.158:8531
type: 178.162.173.231:28001
type: 178.162.173.169:28001
type: 213.67.207.46:11318
type: 46.232.211.180:51539
type: 178.162.173.147:28007
type: 212.7.202.40:28007
type: 178.162.173.38:28007
type: 178.162.173.98:28000
type: 178.162.173.220:28014
type: 178.162.174.88:28014
type: 62.92.98.15:37095
type: 178.162.174.168:28012
type: 178.162.173.160:28012
type: 185.149.91.185:51007
type: 46.232.211.167:16409
type: 178.162.173.154:28008
type: 104.228.147.22:22742
type: 72.13.29.84:6889
type: 68.9.221.158:6889
type: 89.27.57.219:6889
type: 176.223.9.206:51413
type: 121.224.212.92:51413
type: 51.79.3.221:51413
type: 124.211.217.31:51413
type: 151.80.44.142:51413
type: 45.13.104.233:51413
type: 37.187.140.76:51413
type: 37.187.100.137:51413
type: 178.66.166.143:51413
type: 209.17.171.189:51413
type: 46.232.211.63:8076
type: 5.196.95.225:54512
type: 31.220.98.19:17238
type: 89.11.219.137:25456
type: 89.149.235.158:21187
type: 176.169.30.0:49001
type: 95.71.15.10:49001
type: 141.196.192.123:49001
type: 178.162.174.120:28013
type: 178.162.173.150:28013
type: 185.203.56.59:16107
type: 72.21.17.68:24144
type: 104.219.26.28:45375
type: 115.70.122.138:33673
type: 198.166.121.167:59927
type: 190.172.120.55:6882
type: 139.28.232.16:6882
type: 5.77.206.89:64611
type: 178.136.234.7:40030
type: 46.232.211.56:64041
type: 178.162.173.51:28006
type: 116.202.157.206:31177
type: 46.232.211.148:41204
type: 181.221.79.231:25075
type: 106.180.121.175:9975
type: 90.241.208.98:47664
type: 59.146.168.216:12033
type: 46.232.210.83:58108
type: 190.86.106.63:33315
type: 126.62.70.196:7343
type: 210.178.4.17:40987
type: 125.200.61.201:8792
type: 82.71.111.186:28950
type: 78.63.245.62:13357
type: 5.180.98.111:26881
type: 181.45.46.213:6149
type: 185.11.81.170:3726
type: 203.128.5.82:61481
type: 91.200.242.96:26723
type: 45.233.13.197:51899
type: 24.184.193.189:38874
type: 185.244.158.147:51180
type: 181.116.42.46:22014
type: 203.208.100.231:12242
type: 41.46.144.84:45808
type: 83.247.56.208:14658
type: 130.239.18.158:8524
type: 218.212.151.160:65000
type: 217.84.78.175:52845
type: 187.187.192.44:37854
type: 61.77.2.61:32713
type: 154.178.223.136:53549
type: 124.13.170.91:56214
type: 72.21.17.51:49620
type: 189.120.79.198:9923
type: 211.196.181.217:36438
type: 89.149.225.144:10548
type: 49.177.195.16:43790
type: 152.53.168.133:5489
type: 89.216.116.210:45030
type: 203.30.5.231:18130
type: 31.223.91.125:57310
type: 221.167.82.13:33028
type: 37.48.70.166:57450
type: 85.187.115.164:53527
type: 42.108.145.81:11917
type: 187.190.158.219:54773
type: 97.103.36.212:58974
type: 45.230.85.72:53934
type: 179.0.127.65:7080
type: 181.118.57.150:5881
type: 59.11.166.141:33109
type: 183.100.181.217:38930
type: 189.217.206.128:40663
type: 78.142.231.133:6767
type: 176.31.183.98:18668
type: 54.209.131.199:6992
type: 13.114.205.93:6992
type: 54.39.52.64:39450
type: 54.39.52.64:25568
type: 38.134.41.130:32681
type: 195.170.172.38:10240
type: 51.15.19.75:22466
type: 95.214.53.172:1688
type: 115.179.83.107:19097
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/efc3a993-1f22-42cf-896b-701e79202cc7
Behavior Graph:
Download SVG
%3 guuid=6baa277e-1800-0000-14b6-2ed4cb0b0000 pid=3019 /usr/bin/sudo guuid=4c121a80-1800-0000-14b6-2ed4d20b0000 pid=3026 /tmp/sample.bin guuid=6baa277e-1800-0000-14b6-2ed4cb0b0000 pid=3019->guuid=4c121a80-1800-0000-14b6-2ed4d20b0000 pid=3026 execve guuid=c18a5982-1800-0000-14b6-2ed4d80b0000 pid=3032 /usr/bin/dash guuid=4c121a80-1800-0000-14b6-2ed4d20b0000 pid=3026->guuid=c18a5982-1800-0000-14b6-2ed4d80b0000 pid=3032 clone guuid=eb04aa82-1800-0000-14b6-2ed4da0b0000 pid=3034 /usr/bin/dash guuid=4c121a80-1800-0000-14b6-2ed4d20b0000 pid=3026->guuid=eb04aa82-1800-0000-14b6-2ed4da0b0000 pid=3034 clone guuid=6750bd82-1800-0000-14b6-2ed4db0b0000 pid=3035 /usr/bin/dash guuid=4c121a80-1800-0000-14b6-2ed4d20b0000 pid=3026->guuid=6750bd82-1800-0000-14b6-2ed4db0b0000 pid=3035 clone guuid=3e43c782-1800-0000-14b6-2ed4dc0b0000 pid=3036 /usr/bin/dash guuid=4c121a80-1800-0000-14b6-2ed4d20b0000 pid=3026->guuid=3e43c782-1800-0000-14b6-2ed4dc0b0000 pid=3036 clone
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5bc3bf4a-3714-428f-96da-7a1c979e3bf0
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1727751
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample scans a subnet
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1727751 Sample: aarch64.elf Startdate: 03/07/2025 Architecture: LINUX Score: 72 42 178.162.174.178, 28003, 6881 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 2->42 44 5.17.199.5, 22522 ZTELECOM-ASRU Russian Federation 2->44 46 102 other IPs or domains 2->46 54 Multi AV Scanner detection for submitted file 2->54 56 Connects to many ports of the same IP (likely port scanning) 2->56 58 Sample scans a subnet 2->58 10 aarch64.elf 2->10         started        12 dash rm 2->12         started        14 dash rm 2->14         started        signatures3 process4 process5 16 aarch64.elf sh 10->16         started        18 aarch64.elf 10->18         started        21 aarch64.elf sh 10->21         started        signatures6 23 sh crontab 16->23         started        27 sh 16->27         started        50 Opens /sys/class/net/* files useful for querying network interface information 18->50 52 Sample reads /proc/mounts (often used for finding a writable filesystem) 18->52 29 aarch64.elf 18->29         started        31 sh crontab 21->31         started        process7 file8 40 /var/spool/cron/crontabs/tmp.H2OiqM, ASCII 23->40 dropped 60 Sample tries to persist itself using cron 23->60 62 Executes the "crontab" command typically for achieving persistence 23->62 33 sh crontab 27->33         started        36 aarch64.elf 29->36         started        signatures9 process10 signatures11 48 Executes the "crontab" command typically for achieving persistence 33->48 38 aarch64.elf 36->38         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/a062f434729355db91fd58e5a00a3b897a32e59ed86a9394423bcb7e4c853b70
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a062f434729355db91fd58e5a00a3b897a32e59ed86a9394423bcb7e4c853b70/
Threat name:
Linux.Trojan.SAgnt
Create hunting rule
Status:
Malicious
First seen:
2025-07-03 04:34:20 UTC
File Type:
ELF64 Little (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ubrpindssnk5xep5lds2acr3rf5dfzm63bvjhfcchpfx4tefhnya._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/250703-e68j6stvhy/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aeb2477c-7ed3-450e-9a04-1539ada5b507
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a062f434729355db91fd58e5a00a3b897a32e59ed86a9394423bcb7e4c853b70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf a062f434729355db91fd58e5a00a3b897a32e59ed86a9394423bcb7e4c853b70

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558221/
  
Delivery method
Distributed via web download

Comments