MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a904eb3842eca4b85341ef01ce22892d970b6d53fc26ec6b1893831080e1f021. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a904eb3842eca4b85341ef01ce22892d970b6d53fc26ec6b1893831080e1f021
SHA3-384 hash: 64647e06f447be5490942ece680c53726f8a40022f1c1a9c9e5016a65194d4850c9a3447f5fed065fdd5dae775618c08
SHA1 hash: 32b67af6813742046fd767528274ec0a3d13fca7
MD5 hash: ffa69f5cf3a89e9ff4bb895277263126
humanhash: social-purple-zulu-oscar
File name:amd64
Download: download sample
File size:482'032 bytes
First seen:2025-06-22 23:27:05 UTC
Last seen:2025-06-23 02:41:59 UTC
File type: elf
MIME type:application/x-executable
ssdeep 12288:iD6LPBCvMk0O9na1M80cLt9i5aIaTtpc4W:2+QGO9naz0Szi5anTtR
TLSH T15CA41212E290D8FEC4DAC070469FD27BFD767C544234BC6B6298F7322B3AE601B16A55
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Siggen.9080.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.31951.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6858919a32ed47a3a8d68e8alinux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
exploit gcc lolbin remote
Link:
https://www.filescan.io/uploads/6858918ef8f8abe4f8b7ac59/reports/c7f9c132-b8e5-4625-a221-08327942f148/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
70
Number of processes launched:
10
Processes remaning?
false
Remote TCP ports scanned:
55462
Full report:
https://elfdigest.com/brief/a904eb3842eca4b85341ef01ce22892d970b6d53fc26ec6b1893831080e1f021
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.1:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 82.66.233.116:6881
type: 5.166.64.245:6881
type: 95.211.169.28:6881
type: 73.208.41.226:6881
type: 110.141.151.10:6881
type: 188.245.209.21:6881
type: 210.234.149.253:6881
type: 82.66.183.31:6881
type: 217.15.227.187:6881
type: 31.39.99.124:6881
type: 84.50.134.125:6881
type: 62.245.103.9:6881
type: 95.79.250.103:6881
type: 172.96.121.2:6881
type: 95.79.69.93:6881
type: 213.14.193.6:6881
type: 195.154.184.19:6881
type: 151.248.149.51:6881
type: 37.48.93.7:6881
type: 193.233.180.127:6881
type: 188.124.126.47:6881
type: 213.164.215.161:6881
type: 185.132.178.224:6881
type: 90.58.171.97:6881
type: 65.92.52.33:6881
type: 194.58.182.47:6881
type: 179.113.248.7:6881
type: 65.31.175.51:6881
type: 72.46.61.18:6881
type: 62.56.123.197:6881
type: 218.225.131.224:6881
type: 35.155.156.153:6881
type: 54.214.105.212:6881
type: 81.92.222.209:6881
type: 124.11.64.10:6881
type: 75.230.83.116:6881
type: 89.18.214.198:6881
type: 87.79.96.225:6881
type: 91.44.36.80:6881
type: 23.95.192.22:6881
type: 62.212.86.120:6881
type: 35.167.186.212:6881
type: 68.150.6.226:6881
type: 86.141.90.70:6881
type: 167.114.157.148:6881
type: 130.239.18.158:8516
type: 130.239.18.158:8513
type: 178.162.173.91:28003
type: 37.48.64.31:28003
type: 178.162.173.58:28003
type: 178.162.174.113:28003
type: 178.124.193.198:51413
type: 222.0.129.136:51413
type: 212.125.27.2:51413
type: 198.27.80.151:51413
type: 188.90.169.20:51413
type: 89.223.38.206:51413
type: 109.194.107.65:51413
type: 128.140.49.95:51413
type: 104.11.214.164:51413
type: 178.66.50.3:51413
type: 80.253.93.152:51413
type: 51.178.138.26:51413
type: 185.217.240.60:51413
type: 130.162.176.243:51413
type: 160.237.167.100:51413
type: 89.157.208.153:51413
type: 27.132.138.99:51413
type: 88.99.218.112:51413
type: 51.159.53.72:51413
type: 45.32.136.167:51413
type: 212.15.59.40:51413
type: 130.239.18.158:8580
type: 195.154.233.74:6880
type: 45.203.155.80:6880
type: 148.153.188.242:6880
type: 45.203.205.61:6880
type: 18.117.46.179:6880
type: 148.153.188.226:6880
type: 154.202.132.194:6880
type: 18.190.107.194:6880
type: 137.184.226.118:56333
type: 178.162.174.9:28004
type: 178.162.173.22:28004
type: 62.212.81.233:28004
type: 95.211.110.228:28004
type: 45.87.251.149:28004
type: 109.201.152.178:46908
type: 83.149.84.32:28008
type: 94.75.234.248:28008
type: 45.91.208.243:51936
type: 186.158.30.208:32792
type: 77.25.12.143:7343
type: 195.154.176.26:8649
type: 178.162.173.13:28006
type: 81.67.29.3:31441
type: 178.162.173.24:28013
type: 178.162.173.138:28013
type: 46.232.211.100:18659
type: 83.149.84.32:28047
type: 178.162.173.38:28015
type: 178.162.174.101:28015
type: 217.121.231.94:59625
type: 130.239.18.158:8508
type: 130.239.18.158:8521
type: 130.239.18.158:8501
type: 37.27.117.115:50000
type: 95.216.13.53:50000
type: 65.21.33.212:50000
type: 142.132.202.188:50000
type: 142.132.200.50:50000
type: 37.27.117.125:50000
type: 142.132.193.161:50000
type: 65.21.34.57:50000
type: 95.216.14.159:50000
type: 144.76.164.145:50000
type: 37.27.107.119:50000
type: 46.232.211.130:16609
type: 130.239.18.158:8500
type: 185.164.143.108:1587
type: 23.162.56.55:10099
type: 54.211.14.111:20876
type: 185.21.217.58:56796
type: 46.232.211.120:19109
type: 178.162.173.138:28012
type: 178.162.173.120:28007
type: 178.162.174.76:28007
type: 178.162.173.24:28007
type: 178.162.173.210:28007
type: 178.162.173.13:28010
type: 178.162.174.82:28010
type: 178.162.173.231:28005
type: 178.162.173.225:28005
type: 213.227.153.16:28005
type: 37.48.95.144:63141
type: 213.227.153.16:28009
type: 94.51.113.191:1793
type: 195.154.170.6:8665
type: 178.162.174.233:28000
type: 187.190.94.252:12942
type: 152.228.162.85:42435
type: 195.154.172.179:27126
type: 212.7.202.40:28011
type: 178.162.173.134:28011
type: 5.79.73.138:28001
type: 62.212.81.233:28001
type: 5.2.130.18:17970
type: 46.48.23.245:55970
type: 45.87.251.185:25599
type: 121.44.19.31:18371
type: 61.63.182.237:6889
type: 101.180.201.251:6889
type: 87.7.235.200:6889
type: 159.196.21.73:6889
type: 84.131.38.91:6889
type: 86.140.82.247:6889
type: 140.130.83.76:6889
type: 213.3.20.219:6889
type: 79.131.161.147:26102
type: 222.98.79.121:41095
type: 91.201.233.181:14293
type: 51.75.64.23:8646
type: 121.178.114.68:33000
type: 90.247.157.8:10051
type: 185.162.184.39:57618
type: 178.214.245.155:47438
type: 86.17.50.169:46414
type: 116.122.120.144:55914
type: 92.180.9.112:10619
type: 141.94.246.201:8659
type: 195.154.167.39:8641
type: 121.148.238.27:55949
type: 185.243.216.145:30689
type: 93.39.139.76:18514
type: 89.149.197.198:23946
type: 45.128.27.49:54058
type: 94.23.213.219:42069
type: 83.198.210.209:16887
type: 85.172.110.237:8175
type: 148.153.100.251:60020
type: 46.238.3.95:45585
type: 82.64.38.35:51511
type: 84.54.73.83:22025
type: 162.247.221.26:4741
type: 211.109.128.89:40561
type: 114.80.9.175:6892
type: 54.77.218.23:6892
type: 1.218.200.222:33051
type: 189.82.202.60:6882
type: 185.149.91.137:20036
type: 174.161.138.34:44480
type: 95.32.77.101:1248
type: 200.193.155.205:5881
type: 144.76.175.153:42093
type: 178.149.131.240:41164
type: 119.231.154.246:7378
type: 211.219.49.117:7928
type: 222.116.21.205:32891
type: 211.104.37.48:32902
type: 173.45.178.250:30678
type: 220.79.83.75:32824
type: 87.219.180.45:46746
type: 93.47.126.147:63561
type: 89.109.48.25:1827
type: 187.106.241.139:2910
type: 162.55.243.114:2910
type: 1.162.22.198:56635
type: 149.50.22.198:47350
type: 89.134.7.250:11039
type: 46.132.91.100:5755
type: 188.163.90.246:39477
type: 36.39.9.125:8078
type: 184.65.216.96:44224
type: 175.139.243.121:13325
type: 5.135.178.41:57240
type: 176.40.39.120:20760
type: 95.214.53.172:1688
type: 66.131.5.230:41734
type: 46.98.128.64:42608
type: 186.23.28.84:2799
type: 62.109.164.181:49001
type: 178.71.145.8:49001
type: 95.178.202.214:49001
type: 98.52.233.227:49001
type: 62.217.185.8:11796
type: 186.235.253.187:45866
type: 77.38.47.19:15091
type: 46.232.210.124:64124
type: 137.175.253.102:35125
type: 51.15.19.75:3063
type: 152.53.105.61:10240
type: 152.53.52.107:10240
type: 152.53.104.128:10240
type: 46.232.211.70:25709
type: 84.54.73.83:21632
type: 211.4.144.17:58077
type: 185.203.56.1:10666
type: 57.128.101.96:47019
type: 184.22.9.83:22600
type: 37.27.113.233:56469
type: 37.27.113.233:56487
type: 176.44.124.41:19177
type: 54.39.52.64:25568
type: 37.27.113.233:56461
type: 37.27.113.233:40120
type: 37.27.113.233:40117
type: 94.49.199.112:52776
type: 24.157.190.68:57420
type: 34.207.160.46:20872
type: 31.10.146.90:7417
type: 73.159.130.39:18992
type: 72.21.17.19:17291
type: 36.231.191.182:61858
type: 185.107.45.29:7246
type: 218.39.29.26:63332
type: 181.214.153.57:57426
type: 5.53.204.93:62462
type: 60.48.194.53:45385
type: 89.210.106.121:52363
type: 95.215.22.233:52818
type: 89.149.197.198:62422
type: 185.148.0.96:62671
type: 185.203.56.56:22718
type: 212.232.35.232:57757
type: 46.232.211.148:17409
type: 49.158.45.139:8748
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/575fd2a9-bf58-4185-906e-67e7d45685a0
Behavior Graph:
Download SVG
%3 guuid=61c1bd7c-1900-0000-a60e-b3b3570c0000 pid=3159 /usr/bin/sudo guuid=85559f7e-1900-0000-a60e-b3b35d0c0000 pid=3165 /tmp/sample.bin guuid=61c1bd7c-1900-0000-a60e-b3b3570c0000 pid=3159->guuid=85559f7e-1900-0000-a60e-b3b35d0c0000 pid=3165 execve guuid=bc12cc7e-1900-0000-a60e-b3b35e0c0000 pid=3166 /usr/bin/dash guuid=85559f7e-1900-0000-a60e-b3b35d0c0000 pid=3165->guuid=bc12cc7e-1900-0000-a60e-b3b35e0c0000 pid=3166 execve guuid=7eda197f-1900-0000-a60e-b3b35f0c0000 pid=3167 /usr/bin/dash guuid=85559f7e-1900-0000-a60e-b3b35d0c0000 pid=3165->guuid=7eda197f-1900-0000-a60e-b3b35f0c0000 pid=3167 execve guuid=410d867f-1900-0000-a60e-b3b3620c0000 pid=3170 /tmp/sample.bin mprotect-exec zombie guuid=85559f7e-1900-0000-a60e-b3b35d0c0000 pid=3165->guuid=410d867f-1900-0000-a60e-b3b3620c0000 pid=3170 clone guuid=97c35a7f-1900-0000-a60e-b3b3600c0000 pid=3168 /usr/bin/dash guuid=7eda197f-1900-0000-a60e-b3b35f0c0000 pid=3167->guuid=97c35a7f-1900-0000-a60e-b3b3600c0000 pid=3168 clone guuid=033d607f-1900-0000-a60e-b3b3610c0000 pid=3169 /usr/bin/dash guuid=7eda197f-1900-0000-a60e-b3b35f0c0000 pid=3167->guuid=033d607f-1900-0000-a60e-b3b3610c0000 pid=3169 clone guuid=c8a39787-1900-0000-a60e-b3b3630c0000 pid=3171 /tmp/sample.bin zombie guuid=410d867f-1900-0000-a60e-b3b3620c0000 pid=3170->guuid=c8a39787-1900-0000-a60e-b3b3630c0000 pid=3171 clone guuid=b635bb87-1900-0000-a60e-b3b3640c0000 pid=3172 /tmp/sample.bin guuid=c8a39787-1900-0000-a60e-b3b3630c0000 pid=3171->guuid=b635bb87-1900-0000-a60e-b3b3640c0000 pid=3172 clone guuid=7355c487-1900-0000-a60e-b3b3650c0000 pid=3173 /tmp/sample.bin dns net net-scan send-data guuid=b635bb87-1900-0000-a60e-b3b3640c0000 pid=3172->guuid=7355c487-1900-0000-a60e-b3b3650c0000 pid=3173 clone d316b2ae-0a7e-5b43-8de6-745900c90c54 127.0.0.1:65535 guuid=7355c487-1900-0000-a60e-b3b3650c0000 pid=3173->d316b2ae-0a7e-5b43-8de6-745900c90c54 con 38a4910e-6f05-5afe-a8e3-398c2eb18329 time.cloudflare.com:123 guuid=7355c487-1900-0000-a60e-b3b3650c0000 pid=3173->38a4910e-6f05-5afe-a8e3-398c2eb18329 send: 48B 5f883f7b-aff3-5d24-99bc-b1f7b55ee8f7 115.21.218.233:38516 guuid=7355c487-1900-0000-a60e-b3b3650c0000 pid=3173->5f883f7b-aff3-5d24-99bc-b1f7b55ee8f7 con bfc31395-2a58-5829-abef-c80466bdbc82 88.240.186.250:38516 guuid=7355c487-1900-0000-a60e-b3b3650c0000 pid=3173->bfc31395-2a58-5829-abef-c80466bdbc82 con guuid=7355c487-1900-0000-a60e-b3b3650c0000 pid=3173|send-data send-data to 298 IP addresses review logs to see them all guuid=7355c487-1900-0000-a60e-b3b3650c0000 pid=3173->guuid=7355c487-1900-0000-a60e-b3b3650c0000 pid=3173|send-data send
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d1c85829-4900-4cc9-8206-6e03698e285f
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1720529
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1720529 Sample: amd64.elf Startdate: 23/06/2025 Architecture: LINUX Score: 60 38 31.200.249.130, 31794, 60548 NETRACK-ASRU Russian Federation 2->38 40 180.221.251.15, 64123, 6881 ZAQJupiterTelecommunicationsCoLtdJP Japan 2->40 42 101 other IPs or domains 2->42 44 Connects to many ports of the same IP (likely port scanning) 2->44 10 amd64.elf 2->10         started        signatures3 process4 process5 12 amd64.elf sh 10->12         started        14 amd64.elf 10->14         started        17 amd64.elf sh 10->17         started        signatures6 19 sh crontab 12->19         started        23 sh 12->23         started        52 Opens /sys/class/net/* files useful for querying network interface information 14->52 54 Sample reads /proc/mounts (often used for finding a writable filesystem) 14->54 25 amd64.elf 14->25         started        27 sh crontab 17->27         started        process7 file8 36 /var/spool/cron/crontabs/tmp.pdxUIH, ASCII 19->36 dropped 46 Sample tries to persist itself using cron 19->46 48 Executes the "crontab" command typically for achieving persistence 19->48 29 sh crontab 23->29         started        32 amd64.elf 25->32         started        signatures9 process10 signatures11 50 Executes the "crontab" command typically for achieving persistence 29->50 34 amd64.elf 32->34         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/a904eb3842eca4b85341ef01ce22892d970b6d53fc26ec6b1893831080e1f021
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a904eb3842eca4b85341ef01ce22892d970b6d53fc26ec6b1893831080e1f021/
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-06-23 00:28:19 UTC
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vecowocc5sslqu2b54a44iujfwlqw3kt7qtoy2yysobrbahb6aqq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/250622-3f973sbl8x/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Checks hardware identifiers (DMI)
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cd14143e-fc12-471a-a65a-8598a654948e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a904eb3842eca4b85341ef01ce22892d970b6d53fc26ec6b1893831080e1f021

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf a904eb3842eca4b85341ef01ce22892d970b6d53fc26ec6b1893831080e1f021

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3550686/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments