MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9fe656e4df08283038d41b2fd39fcc8571ba058f3d89130a8a343fd1d127aba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9fe656e4df08283038d41b2fd39fcc8571ba058f3d89130a8a343fd1d127aba
SHA3-384 hash: f42eb4ad09f5a555abd1c54d7604e88668b08c7a5d3f71fc5660bba357bcdb366ab5fd595225da59049efa2b4b47810b
SHA1 hash: 465380bed6e33726b2cd36e6733f8a03a80da3d5
MD5 hash: 4e3e67ac0baf9d4f0e829df7d5736775
humanhash: timing-mississippi-emma-lion
File name:amd64
Download: download sample
File size:482'032 bytes
First seen:2025-06-27 22:42:18 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 12288:iD6LPBCvMk0O9na1M80cLt9i5aIaTtpc4W:2+QGO9naz0Szi5anTtR
TLSH T177A41212E290D8FEC4DAC070469FD27BFD7A7C544234BC6B6198F7322B3AE601B16A55
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Siggen.9080.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.31951.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685f1e5537c34367794697c3linux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 exploit gcc lolbin remote
Link:
https://www.filescan.io/uploads/685f1e528cd0d23e5be977f6/reports/395dd55f-ae70-4775-aa8e-2b65172ece67/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
70
Number of processes launched:
10
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/a9fe656e4df08283038d41b2fd39fcc8571ba058f3d89130a8a343fd1d127aba
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.123:123
type: 8.138.177.115:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 178.69.209.93:6881
type: 176.125.139.123:6881
type: 89.207.71.47:6881
type: 188.42.55.92:6881
type: 95.37.26.86:6881
type: 23.118.129.219:6881
type: 31.188.101.97:6881
type: 82.15.157.86:6881
type: 118.240.4.101:6881
type: 67.248.170.251:6881
type: 185.117.82.74:6881
type: 168.90.160.208:6881
type: 189.101.163.176:6881
type: 146.120.220.4:6881
type: 86.179.139.246:6881
type: 188.187.99.27:6881
type: 5.39.88.49:6881
type: 203.221.117.197:6881
type: 94.190.75.24:6881
type: 80.229.233.244:6881
type: 176.37.52.221:6881
type: 86.211.35.191:6881
type: 2.227.147.195:6881
type: 60.242.188.142:6881
type: 110.66.193.171:6881
type: 126.111.91.36:6881
type: 82.197.120.119:6881
type: 80.30.62.246:6881
type: 178.168.201.186:6881
type: 80.79.65.101:6881
type: 85.17.65.74:6881
type: 90.188.134.208:6881
type: 85.143.145.186:6881
type: 18.221.7.72:6881
type: 35.167.186.212:6881
type: 222.97.243.243:6881
type: 176.221.2.100:6881
type: 109.194.133.153:6881
type: 72.211.17.134:6881
type: 84.65.19.58:6881
type: 142.171.125.191:6881
type: 31.126.19.121:6881
type: 24.218.98.51:6881
type: 86.156.230.7:6881
type: 24.61.135.159:6881
type: 185.8.202.108:6881
type: 178.162.174.222:28014
type: 178.162.174.40:28014
type: 141.95.53.34:8648
type: 130.239.18.158:8515
type: 135.181.227.244:50000
type: 65.21.128.209:50000
type: 65.21.125.172:50000
type: 65.21.125.161:50000
type: 37.27.104.57:50000
type: 65.21.125.160:50000
type: 37.27.117.250:50000
type: 135.181.238.57:50000
type: 135.181.223.211:50000
type: 37.27.117.189:50000
type: 182.117.228.92:50000
type: 45.203.208.35:6880
type: 173.230.130.111:6880
type: 195.154.233.74:6880
type: 54.144.88.168:6880
type: 52.21.231.83:6880
type: 185.196.61.72:6880
type: 44.216.7.139:6880
type: 3.215.223.233:6880
type: 81.230.0.32:64177
type: 5.135.156.163:56843
type: 5.79.66.11:54337
type: 95.211.247.101:28009
type: 79.106.231.163:1434
type: 130.239.18.158:8524
type: 172.111.38.128:16001
type: 114.240.213.153:16001
type: 46.110.111.42:6040
type: 5.135.178.12:53659
type: 45.83.232.30:51413
type: 148.71.166.49:51413
type: 188.166.98.93:51413
type: 185.158.114.210:51413
type: 46.17.102.90:51413
type: 198.98.58.139:51413
type: 65.21.0.40:51413
type: 2.236.169.3:51413
type: 88.146.115.43:51413
type: 116.147.70.73:51413
type: 81.231.179.24:51413
type: 222.129.104.209:51413
type: 31.37.76.137:51413
type: 174.48.250.152:51413
type: 67.235.153.231:51413
type: 37.112.57.60:51413
type: 104.148.218.240:51413
type: 51.68.181.39:51413
type: 178.79.183.54:51413
type: 212.52.40.204:51413
type: 37.48.122.32:51413
type: 62.210.129.155:51413
type: 84.220.211.193:51413
type: 172.96.121.2:6884
type: 95.168.162.161:42670
type: 83.149.84.32:28008
type: 178.162.173.231:28001
type: 178.162.173.150:28001
type: 178.162.174.178:28003
type: 178.162.173.91:28003
type: 178.162.174.227:28003
type: 178.162.174.169:28003
type: 213.227.134.137:28003
type: 130.239.18.158:8539
type: 130.239.18.158:8580
type: 130.239.18.158:8516
type: 130.239.18.158:8513
type: 69.50.95.40:10085
type: 79.11.107.190:6889
type: 82.172.167.161:6889
type: 84.221.237.210:6889
type: 185.149.91.185:51059
type: 23.237.162.130:20094
type: 52.70.68.19:49205
type: 218.155.113.110:40734
type: 149.120.116.231:59028
type: 112.87.174.216:6892
type: 175.110.115.46:6892
type: 78.137.216.66:31145
type: 5.9.41.13:53504
type: 46.232.210.157:64170
type: 31.210.173.50:27520
type: 84.247.173.42:8081
type: 62.210.24.66:57101
type: 46.232.210.138:64151
type: 178.162.174.46:28013
type: 95.211.247.101:28013
type: 213.227.151.25:28013
type: 185.203.56.68:62927
type: 178.162.174.143:28000
type: 178.162.174.45:28015
type: 178.79.124.85:46405
type: 185.57.5.216:55086
type: 42.200.253.141:7459
type: 5.39.85.82:51555
type: 69.50.95.40:10087
type: 78.63.24.30:26312
type: 45.128.27.138:8999
type: 213.232.235.11:8999
type: 180.56.128.105:26606
type: 5.39.85.82:51589
type: 51.75.68.29:8655
type: 195.154.171.138:30519
type: 212.7.200.93:23999
type: 178.162.173.89:28007
type: 178.162.174.43:28007
type: 37.48.111.3:28007
type: 5.135.165.33:6331
type: 88.198.230.221:49668
type: 185.21.216.185:60731
type: 152.53.22.181:32482
type: 185.149.91.145:51509
type: 46.232.211.193:58017
type: 31.10.158.193:54413
type: 185.149.91.21:51118
type: 178.162.174.43:28004
type: 95.211.140.135:28004
type: 46.232.211.134:64302
type: 45.131.79.50:14559
type: 51.38.40.9:50288
type: 101.140.216.187:22175
type: 75.185.121.22:58390
type: 24.225.179.127:58154
type: 163.172.86.70:64341
type: 142.186.14.171:10158
type: 169.150.219.153:64101
type: 188.165.240.192:55551
type: 66.131.21.102:51032
type: 185.203.56.65:21757
type: 86.26.253.117:13932
type: 178.237.229.132:19706
type: 88.241.31.189:54735
type: 45.152.211.65:54058
type: 45.87.250.94:54058
type: 193.32.2.27:54058
type: 188.165.235.23:50268
type: 170.246.69.239:16781
type: 195.154.172.179:22934
type: 86.125.221.34:12659
type: 169.150.223.221:16259
type: 82.192.65.69:49349
type: 154.47.21.141:57943
type: 77.96.19.240:60041
type: 45.152.210.31:50171
type: 38.25.16.21:1274
type: 72.21.17.37:31979
type: 211.114.193.200:8084
type: 211.20.132.29:31400
type: 186.137.202.57:48879
type: 122.199.31.207:28801
type: 5.39.85.154:55901
type: 78.137.212.41:33371
type: 5.79.69.185:28011
type: 51.77.66.149:53352
type: 130.239.18.158:8552
type: 220.84.161.74:7848
type: 109.245.194.67:49001
type: 94.181.75.139:49001
type: 5.144.96.232:49001
type: 10.18.31.6:49001
type: 84.40.218.182:28683
type: 151.249.149.142:15791
type: 84.28.1.231:50716
type: 145.40.131.36:62808
type: 45.6.162.190:3060
type: 123.145.128.92:6882
type: 190.245.223.127:6882
type: 142.215.164.99:6882
type: 54.194.124.68:6882
type: 172.127.119.208:6882
type: 188.165.201.120:6882
type: 54.70.28.180:6882
type: 80.7.130.249:50321
type: 118.141.162.119:13542
type: 154.236.108.123:41469
type: 191.96.36.105:21932
type: 188.70.4.246:64815
type: 95.214.53.172:1688
type: 116.14.113.253:18730
type: 86.120.247.42:14082
type: 211.179.248.121:58480
type: 54.209.131.199:6992
type: 194.29.101.83:10240
type: 200.24.90.182:49083
type: 193.23.249.105:57442
type: 45.87.251.132:28177
type: 107.173.149.140:6339
type: 54.211.14.111:20871
type: 152.53.45.107:7089
type: 89.22.226.106:6933
type: 178.172.210.235:11399
type: 212.102.35.92:45449
type: 91.90.120.199:56503
type: 76.69.154.134:14208
type: 45.87.251.132:28181
type: 37.27.113.233:48769
type: 144.76.175.153:25952
type: 176.10.139.44:32014
type: 89.152.164.18:3035
type: 149.22.80.97:57623
type: 153.151.235.93:11636
type: 46.232.211.44:58021
type: 185.246.188.70:54444
type: 212.7.200.5:55157
type: 78.26.199.48:15315
type: 46.232.211.108:64001
type: 211.54.106.74:40835
type: 77.38.68.11:17119
type: 144.76.175.153:27686
type: 50.66.184.223:64447
type: 217.178.161.204:5032
type: 212.7.200.12:21046
type: 70.77.222.94:17110
type: 62.210.114.238:35718
type: 185.162.184.43:49514
type: 185.21.217.61:62766
type: 212.102.35.138:29124
type: 112.141.1.213:43731
type: 2.49.12.162:44078
type: 186.22.16.149:31914
type: 90.24.53.201:42059
type: 144.76.175.153:56002
type: 144.76.175.153:40323
type: 37.27.113.233:56707
type: 185.21.216.185:58910
type: 46.232.211.108:64111
type: 188.91.220.17:50494
type: 5.39.85.82:56617
type: 176.23.240.151:33730
type: 46.232.211.168:64154
type: 72.21.17.82:64019
type: 194.219.254.229:14830
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/fdf9c02b-e287-47b0-b27c-828917f071b9
Behavior Graph:
Download SVG
%3 guuid=20baa245-1800-0000-6752-8ed9c9080000 pid=2249 /usr/bin/sudo guuid=4a96bf48-1800-0000-6752-8ed9cd080000 pid=2253 /tmp/sample.bin guuid=20baa245-1800-0000-6752-8ed9c9080000 pid=2249->guuid=4a96bf48-1800-0000-6752-8ed9cd080000 pid=2253 execve guuid=d41cd848-1800-0000-6752-8ed9ce080000 pid=2254 /usr/bin/dash guuid=4a96bf48-1800-0000-6752-8ed9cd080000 pid=2253->guuid=d41cd848-1800-0000-6752-8ed9ce080000 pid=2254 execve guuid=1b464849-1800-0000-6752-8ed9d0080000 pid=2256 /usr/bin/dash guuid=4a96bf48-1800-0000-6752-8ed9cd080000 pid=2253->guuid=1b464849-1800-0000-6752-8ed9d0080000 pid=2256 execve guuid=4b78b549-1800-0000-6752-8ed9d4080000 pid=2260 /tmp/sample.bin mprotect-exec zombie guuid=4a96bf48-1800-0000-6752-8ed9cd080000 pid=2253->guuid=4b78b549-1800-0000-6752-8ed9d4080000 pid=2260 clone guuid=eb8a6d49-1800-0000-6752-8ed9d2080000 pid=2258 /usr/bin/dash guuid=1b464849-1800-0000-6752-8ed9d0080000 pid=2256->guuid=eb8a6d49-1800-0000-6752-8ed9d2080000 pid=2258 clone guuid=00bb7649-1800-0000-6752-8ed9d3080000 pid=2259 /usr/bin/dash guuid=1b464849-1800-0000-6752-8ed9d0080000 pid=2256->guuid=00bb7649-1800-0000-6752-8ed9d3080000 pid=2259 clone guuid=f04c1650-1800-0000-6752-8ed9e7080000 pid=2279 /tmp/sample.bin zombie guuid=4b78b549-1800-0000-6752-8ed9d4080000 pid=2260->guuid=f04c1650-1800-0000-6752-8ed9e7080000 pid=2279 clone guuid=2ae52450-1800-0000-6752-8ed9e8080000 pid=2280 /tmp/sample.bin guuid=f04c1650-1800-0000-6752-8ed9e7080000 pid=2279->guuid=2ae52450-1800-0000-6752-8ed9e8080000 pid=2280 clone guuid=27163250-1800-0000-6752-8ed9e9080000 pid=2281 /tmp/sample.bin dns net net-scan send-data guuid=2ae52450-1800-0000-6752-8ed9e8080000 pid=2280->guuid=27163250-1800-0000-6752-8ed9e9080000 pid=2281 clone d316b2ae-0a7e-5b43-8de6-745900c90c54 127.0.0.1:65535 guuid=27163250-1800-0000-6752-8ed9e9080000 pid=2281->d316b2ae-0a7e-5b43-8de6-745900c90c54 con 38a4910e-6f05-5afe-a8e3-398c2eb18329 time.cloudflare.com:123 guuid=27163250-1800-0000-6752-8ed9e9080000 pid=2281->38a4910e-6f05-5afe-a8e3-398c2eb18329 send: 48B 92e9fc51-6ce8-5f01-9f86-cb643ef3edf5 219.70.138.162:21638 guuid=27163250-1800-0000-6752-8ed9e9080000 pid=2281->92e9fc51-6ce8-5f01-9f86-cb643ef3edf5 send: 68B 2d9988e1-a566-5d0c-9f2e-bb13ad12b7cb 172.17.0.1:58292 guuid=27163250-1800-0000-6752-8ed9e9080000 pid=2281->2d9988e1-a566-5d0c-9f2e-bb13ad12b7cb con guuid=27163250-1800-0000-6752-8ed9e9080000 pid=2281|send-data send-data to 268 IP addresses review logs to see them all guuid=27163250-1800-0000-6752-8ed9e9080000 pid=2281->guuid=27163250-1800-0000-6752-8ed9e9080000 pid=2281|send-data send
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cc25f700-4699-4fed-bb08-53fcd156629c
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1724471
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample scans a subnet
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1724471 Sample: amd64.elf Startdate: 28/06/2025 Architecture: LINUX Score: 72 38 31.200.249.178, 31785, 60660 NETRACK-ASRU Russian Federation 2->38 40 178.162.173.111, 28005, 6881 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 2->40 42 102 other IPs or domains 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Connects to many ports of the same IP (likely port scanning) 2->46 48 Sample scans a subnet 2->48 10 amd64.elf 2->10         started        signatures3 process4 process5 12 amd64.elf sh 10->12         started        14 amd64.elf 10->14         started        17 amd64.elf sh 10->17         started        signatures6 19 sh crontab 12->19         started        23 sh 12->23         started        56 Opens /sys/class/net/* files useful for querying network interface information 14->56 58 Sample reads /proc/mounts (often used for finding a writable filesystem) 14->58 25 amd64.elf 14->25         started        27 sh crontab 17->27         started        process7 file8 36 /var/spool/cron/crontabs/tmp.puJUnv, ASCII 19->36 dropped 50 Sample tries to persist itself using cron 19->50 52 Executes the "crontab" command typically for achieving persistence 19->52 29 sh crontab 23->29         started        32 amd64.elf 25->32         started        signatures9 process10 signatures11 54 Executes the "crontab" command typically for achieving persistence 29->54 34 amd64.elf 32->34         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/a9fe656e4df08283038d41b2fd39fcc8571ba058f3d89130a8a343fd1d127aba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9fe656e4df08283038d41b2fd39fcc8571ba058f3d89130a8a343fd1d127aba/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/a9fe656e4df08283038d41b2fd39fcc8571ba058f3d89130a8a343fd1d127aba
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-06-27 22:42:35 UTC
File Type:
ELF64 Little (Exe)
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vh7gk3sn6cbiga4nigzp2op4zblrxicy6pmjcmfiunb72hispk5a._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/250627-2mxd5avvhz/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c39fd446-f6e8-4d48-8200-766ca23c1228
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/a9fe656e4df08283038d41b2fd39fcc8571ba058f3d89130a8a343fd1d127aba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf a9fe656e4df08283038d41b2fd39fcc8571ba058f3d89130a8a343fd1d127aba

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3550042/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments