MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a08d8daff0aae201450f7cb834138432e413d819d3e79295fc83216c528bc80b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: a08d8daff0aae201450f7cb834138432e413d819d3e79295fc83216c528bc80b
SHA3-384 hash: 4120fbcd93e90b2d60a127194006aefc9fa5d403a30381b05818be9191b25d9c377a8fd1d1f7aa9e0b9ef7a2002cbbd3
SHA1 hash: 4c35bad258eac98da7e41983d0afb206e3736c22
MD5 hash: 13c3a863cacd52fba7f2f0df97b5a4fe
humanhash: queen-carbon-angel-cola
File name: mips
File size: 592'688 bytes
First seen: 2025-06-11 21:54:16 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 12288:M57U0INmdtgOcyJXDOMzf03gdvZ/yCnEI7zP:W7v+mrY2xzf03yvZ/YIv
TLSH: T138C4F1A377204F91C35195B209F389335AF6199706F39982537DEE107F20A68386BFE9
telfhash: t10ab0011070740bb84308e12d5cdcae5679f20cc3fe470c27db6047a159b54434d00d18
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence

File Origin
# of uploads: 1
# of downloads: 75
Origin country: DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Runs as daemon
Connection attempt
Changes access rights for a written file
Receives data from a server
Locks files
DNS request
Opens a port
Sends data to a server
Launching a process
Changes the time when the file was created, accessed, or modified
Creating a file
Creates directories
Creates or modifies files in /cron to set up autorun
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
mips
Packer:
custom
Botnet:
unknown
Number of open files:
60
Number of processes launched:
10
Processes remaining?:
false
Remote TCP ports scanned:
43627
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
64 / 100
Signature
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Behavior Graph ID: 1712760 (Sample: mips.elf, Startdate: 12/06/2025, Architecture: LINUX, Score: 64). Graph summary: mips.elf spawns sh and "configuration" child processes, sh invokes crontab, and /var/spool/cron/crontabs/tmp.8HpSNn (ASCII) is dropped; network contacts include 93.66.3.222:46058 (VODAFONE-IT-ASNIT, Italy), 190.4.160.228:6881 (UnitedTelecommunicationServicesUTSCW, Curacao) and 102 other IPs or domains.
Threat name:
Linux.Trojan.SAgnt
Status:
Malicious
First seen:
2025-06-11 21:55:24 UTC
File Type:
ELF32 Big (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery execution persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
Reads CPU attributes
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Renames itself
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: enterpriseapps2
Author: Tim Brown @timb_machine
Description: Enterprise apps
Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf a08d8daff0aae201450f7cb834138432e413d819d3e79295fc83216c528bc80b (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID: CHECK_PIE
Title: Missing Position-Independent Executable (PIE) Protection
Severity: high

Comments