MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab5cf4489aefbac374d2ae0b6fc736f72d51e570d18bfaf935ce6d9b89eebf64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: ab5cf4489aefbac374d2ae0b6fc736f72d51e570d18bfaf935ce6d9b89eebf64
SHA3-384 hash: fe5e014eee2750fa6227bb5be8c5b066e55c0c55c5a6644fd9a69b89cd2b5ba451225dc9499ee1d286cb5be3bcf5cb00
SHA1 hash: 3361ace0661b7e543d1a93e47288c7eca3104eab
MD5 hash: 991b57375b45d244fe5d5c03fd34b49e
humanhash: five-jig-pizza-pluto
File name: i686
File size: 587'764 bytes
First seen: 2025-07-13 23:23:00 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 12288:5D+Azf/CVCW3ISw+hRNb3W/aTyA9VV/cZWLnR98V+:5D+AznCVNIZ+vNbG/WYWrR98V
TLSH: T169C42241EAB7C0F2F65349320103E7BF8F33C9099165D2A6DB42F661EDB1B42469E66C
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf
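A local check of the values above, added here as an example and not MalwareBazaar tooling: it recomputes the four listed digests and the file size for a downloaded copy, and decodes the ELF header to confirm the ELF32 little-endian x86 executable that the vendor results further down describe. MalwareBazaar serves downloads as a zip archive protected with the password "infected"; point the script at the extracted file. The ELF constant tables are taken from the ELF specification, not from this page.

```python
"""Offline triage of a sample pulled from this MalwareBazaar entry.

Added example, not MalwareBazaar code.  EXPECTED and EXPECTED_SIZE hold the
digests and size listed on the page; the ELF header check confirms what the
vendor sections claim (ELF32, little-endian, x86 executable).
"""
import hashlib
import struct
import sys
from pathlib import Path

EXPECTED = {
    "sha256": "ab5cf4489aefbac374d2ae0b6fc736f72d51e570d18bfaf935ce6d9b89eebf64",
    "sha1": "3361ace0661b7e543d1a93e47288c7eca3104eab",
    "md5": "991b57375b45d244fe5d5c03fd34b49e",
    "sha3_384": ("fe5e014eee2750fa6227bb5be8c5b066e55c0c55c5a6644fd9a69b89cd2b5ba4"
                 "51225dc9499ee1d286cb5be3bcf5cb00"),
}
EXPECTED_SIZE = 587764

# e_ident / e_header values from the ELF specification.
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little-endian", 2: "big-endian"}
ELF_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def hash_bytes(data: bytes, algorithms=tuple(EXPECTED)) -> dict:
    """Hex digests of `data` for each hashlib algorithm name in `algorithms`."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify_hashes(data: bytes, expected: dict = EXPECTED) -> list:
    """Names of the digests in `expected` that do NOT match; [] means all match."""
    actual = hash_bytes(data, tuple(expected))
    return [name for name, want in expected.items() if actual[name] != want.lower()]


def parse_elf_header(data: bytes) -> dict:
    """Decode class, byte order, e_type and e_machine from an ELF header.

    Only the first 20 bytes are needed: e_ident (16 bytes), then e_type and
    e_machine as 16-bit fields in the byte order e_ident[EI_DATA] declares.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    order = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {
        "class": ELF_CLASS.get(ei_class, f"unknown({ei_class})"),
        "data": ELF_DATA.get(ei_data, f"unknown({ei_data})"),
        "type": ELF_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINE.get(e_machine, f"unknown({e_machine})"),
    }


def triage(path) -> dict:
    """Run every check against a file on disk and return the findings."""
    data = Path(path).read_bytes()
    return {
        "size_ok": len(data) == EXPECTED_SIZE,
        "hash_mismatches": verify_hashes(data),
        "elf": parse_elf_header(data),
    }


if __name__ == "__main__":
    # usage: python3 triage.py ./i686
    for key, value in triage(sys.argv[1]).items():
        print(f"{key}: {value}")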

Intelligence


File Origin
# of uploads :
1
# of downloads :
13
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Locks files
Creating a file in the %temp% directory
Opens a port
Sends data to a server
Creating a file
Changes the time when the file was created, accessed, or modified
Receives data from a server
Creates directories
Collects information on the CPU
Launching a process
Connection attempt
DNS request
Changes access rights for a written file
Creating a process from a recently created file
Runs as daemon
Creates or modifies files in /cron to set up autorun
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
exploit gcc lolbin packed remote
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
72
Number of processes launched:
10
Processes remaning?
false
Remote TCP ports scanned:
not identified
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 89.179.246.14:6881
type: 5.42.87.138:6881
type: 95.66.246.179:6881
type: 84.66.244.43:6881
type: 80.16.102.114:6881
type: 217.234.112.2:6881
type: 216.128.97.44:6881
type: 89.154.174.158:6881
type: 114.35.215.3:6881
type: 75.236.135.95:6881
type: 217.104.5.139:6881
type: 188.54.237.207:6881
type: 218.91.255.128:6881
type: 35.167.186.212:6881
type: 188.124.190.56:6881
type: 38.43.130.71:6881
type: 18.218.241.3:6881
type: 35.155.156.153:6881
type: 142.171.58.199:6881
type: 35.163.251.58:6881
type: 148.135.106.206:6881
type: 103.117.150.72:6881
type: 190.83.246.6:6881
type: 104.229.71.70:6881
type: 139.162.168.10:6881
type: 74.120.175.232:6881
type: 31.201.89.39:6881
type: 176.214.239.3:6881
type: 90.250.10.233:6881
type: 13.58.27.33:6881
type: 204.12.208.37:6881
type: 91.199.149.77:6881
type: 107.173.127.249:6881
type: 74.48.140.189:6881
type: 99.59.200.75:6881
type: 176.36.69.94:6881
type: 202.94.62.140:6881
type: 62.171.49.3:6881
type: 194.46.137.14:6881
type: 135.181.238.57:50000
type: 65.21.129.60:50000
type: 37.27.103.242:50000
type: 135.181.227.244:50000
type: 65.21.128.209:50000
type: 135.181.238.125:50000
type: 65.21.128.250:50000
type: 37.27.117.251:50000
type: 37.27.117.242:50000
type: 65.109.35.105:50000
type: 65.21.125.174:50000
type: 37.27.120.59:50000
type: 65.21.125.159:50000
type: 95.216.13.168:50000
type: 37.27.107.122:50000
type: 65.108.102.46:50000
type: 37.27.117.58:50000
type: 37.27.117.182:50000
type: 65.21.129.54:50000
type: 65.21.128.232:50000
type: 37.27.119.116:50000
type: 135.181.238.126:50000
type: 65.109.84.42:50000
type: 142.132.193.161:50000
type: 65.21.128.237:50000
type: 135.181.238.113:50000
type: 178.162.174.149:28001
type: 130.239.18.158:8524
type: 178.162.174.43:28004
type: 178.162.174.227:28004
type: 94.75.250.195:28004
type: 178.162.174.222:28014
type: 5.79.69.185:28014
type: 54.211.14.111:20871
type: 185.183.35.248:6882
type: 54.211.14.111:6882
type: 112.82.166.50:6882
type: 175.199.198.231:6882
type: 188.165.201.82:6882
type: 85.17.31.172:28011
type: 195.201.179.130:16309
type: 46.232.211.148:11209
type: 130.239.18.158:8580
type: 178.162.173.111:28008
type: 83.149.84.32:28008
type: 87.210.241.132:33486
type: 193.32.16.134:50171
type: 45.128.27.206:50171
type: 46.232.211.160:15709
type: 78.82.43.239:20146
type: 81.171.31.153:59091
type: 185.183.32.162:6888
type: 181.46.77.105:11842
type: 212.7.204.116:50568
type: 185.132.179.66:6886
type: 58.241.139.200:6886
type: 5.79.66.11:54337
type: 178.162.174.43:28007
type: 85.17.28.206:28007
type: 178.162.174.5:28005
type: 178.162.174.226:28005
type: 178.33.233.79:8999
type: 130.239.18.158:8500
type: 178.162.174.46:28013
type: 178.168.49.40:33282
type: 185.203.56.68:62927
type: 188.166.98.93:51413
type: 194.44.45.138:51413
type: 5.135.163.217:51413
type: 5.135.155.133:51413
type: 5.39.29.69:51413
type: 45.132.114.236:51413
type: 37.187.20.193:51413
type: 138.199.27.226:51413
type: 94.190.112.28:51413
type: 89.168.69.159:51413
type: 37.59.37.92:51413
type: 86.68.227.55:51413
type: 157.245.232.159:51413
type: 193.32.16.4:51413
type: 115.206.150.214:51413
type: 5.39.79.53:51413
type: 101.143.173.7:51413
type: 212.51.147.217:51413
type: 188.165.226.154:51413
type: 96.19.227.227:51413
type: 172.96.121.2:6884
type: 185.132.178.224:6884
type: 178.162.174.45:28015
type: 178.162.173.117:28015
type: 142.202.48.88:12087
type: 3.141.159.213:6880
type: 3.12.65.135:6880
type: 148.153.170.2:6880
type: 195.154.233.74:6880
type: 154.202.133.222:6880
type: 54.85.131.184:6880
type: 178.162.173.105:28003
type: 178.162.173.91:28003
type: 178.162.174.119:28003
type: 130.239.18.158:8516
type: 130.239.18.158:8597
type: 130.239.18.158:8513
type: 51.159.104.76:7186
type: 51.159.104.70:8336
type: 34.207.160.46:20872
type: 46.232.210.80:13259
type: 5.39.81.144:56611
type: 178.162.173.166:28006
type: 178.162.174.88:28006
type: 183.97.84.214:65339
type: 185.149.91.171:51010
type: 178.162.174.169:28016
type: 178.162.174.173:28016
type: 95.211.247.106:28016
type: 81.171.20.66:64010
type: 178.162.173.172:28009
type: 178.162.173.220:28009
type: 15.204.107.67:8080
type: 69.50.95.40:10000
type: 103.208.104.91:57258
type: 45.87.251.137:62743
type: 130.239.18.158:8515
type: 109.48.201.44:54182
type: 178.162.173.9:28012
type: 178.162.173.98:28012
type: 31.208.31.93:14857
type: 45.91.208.205:54413
type: 112.171.237.40:33235
type: 51.158.148.107:20087
type: 118.240.97.26:60101
type: 1.241.36.155:6889
type: 174.102.28.135:6889
type: 60.246.178.102:6889
type: 81.167.245.134:6889
type: 185.132.178.224:6889
type: 212.7.202.40:28018
type: 72.21.17.100:30411
type: 14.49.95.75:32749
type: 95.168.168.180:16626
type: 175.122.51.128:40503
type: 76.131.161.180:50321
type: 77.71.17.38:21450
type: 65.108.143.34:38413
type: 65.108.143.34:54786
type: 76.67.140.169:47352
type: 79.116.92.179:47510
type: 195.22.205.162:52000
type: 37.48.95.51:51953
type: 131.221.212.224:5341
type: 146.200.176.219:51560
type: 95.168.168.180:55626
type: 185.203.56.57:15288
type: 64.66.117.125:55455
type: 187.183.41.172:23307
type: 179.209.191.27:37321
type: 5.79.77.20:62595
type: 72.183.255.52:11122
type: 106.206.149.83:13189
type: 45.131.79.74:64056
type: 51.38.81.122:8662
type: 138.199.55.47:47697
type: 216.225.45.96:49001
type: 190.153.168.24:38292
type: 82.172.89.157:2592
type: 46.232.210.124:64124
type: 176.62.5.211:59025
type: 154.198.110.212:45115
type: 68.186.208.43:17466
type: 87.138.238.178:21849
type: 95.168.162.219:54815
type: 76.14.91.109:55846
type: 188.165.231.77:59855
type: 111.90.196.176:40474
type: 197.207.203.168:12357
type: 179.152.138.58:27389
type: 218.233.117.230:7974
type: 185.203.56.12:25166
type: 104.167.205.31:6892
type: 54.194.135.233:6892
type: 86.168.11.136:51143
type: 220.123.133.154:40720
type: 75.134.169.67:26596
type: 186.158.200.97:38515
type: 200.192.151.13:20591
type: 37.27.113.233:30079
type: 188.4.76.92:64036
type: 24.22.202.54:54696
type: 45.227.78.186:35535
type: 189.195.206.186:27830
type: 187.90.196.176:27375
type: 24.212.74.121:15102
type: 188.165.198.14:55139
type: 144.76.175.153:48689
type: 194.29.101.83:10240
type: 195.170.172.38:10240
type: 158.69.224.81:14700
type: 181.72.51.52:44373
type: 54.36.168.18:46075
type: 156.57.95.193:58080
type: 95.214.53.172:1688
type: 72.18.80.65:56881
type: 47.149.72.109:16717
type: 103.187.131.245:1754
type: 106.195.118.6:29593
type: 46.232.211.73:58270
type: 5.79.98.140:43759
type: 185.255.237.36:23996
type: 5.1.10.174:15706
type: 46.232.210.170:11259
type: 37.48.118.87:28000
type: 78.128.127.43:20477
type: 185.21.216.198:52148
type: 14.54.218.219:41017
type: 175.182.64.42:23468
type: 149.40.59.133:64132
type: 83.29.134.2:53697
type: 115.98.233.82:24104
type: 124.58.75.22:32931
type: 216.39.248.237:6954
type: 130.239.18.158:8595
type: 46.232.211.179:18359
type: 46.232.210.141:64095
type: 31.208.184.76:9251
type: 185.203.56.54:15373
type: 195.154.170.6:8659
type: 5.77.195.7:8856
type: 79.161.123.221:51369
type: 185.24.53.246:57071
type: 190.128.2.115:50060
type: 121.169.92.144:40826
type: 124.6.1.104:15494
type: 60.125.21.190:61736
type: 146.199.167.244:52719
type: 54.39.52.183:14497
type: 156.206.176.178:60941
type: 46.232.211.88:64101
type: 89.149.202.3:28053
type: 142.202.48.88:12032
type: 92.180.72.206:48226
type: 93.41.60.77:12181
type: 109.51.53.192:16118
type: 212.102.49.86:46401
type: 67.169.127.121:19352
type: 151.237.48.128:58195
Status:
terminated
Behavior Graph:
%3 guuid=10cb905d-1c00-0000-95b3-5d7d7c070000 pid=1916 /usr/bin/sudo guuid=bc12ce5f-1c00-0000-95b3-5d7d83070000 pid=1923 /root/.sys/configuration guuid=10cb905d-1c00-0000-95b3-5d7d7c070000 pid=1916->guuid=bc12ce5f-1c00-0000-95b3-5d7d83070000 pid=1923 execve guuid=869ef05f-1c00-0000-95b3-5d7d84070000 pid=1924 /usr/bin/dash guuid=bc12ce5f-1c00-0000-95b3-5d7d83070000 pid=1923->guuid=869ef05f-1c00-0000-95b3-5d7d84070000 pid=1924 execve guuid=fbbb2d60-1c00-0000-95b3-5d7d85070000 pid=1925 /usr/bin/dash guuid=bc12ce5f-1c00-0000-95b3-5d7d83070000 pid=1923->guuid=fbbb2d60-1c00-0000-95b3-5d7d85070000 pid=1925 execve guuid=c0428560-1c00-0000-95b3-5d7d89070000 pid=1929 /root/.sys/configuration zombie guuid=bc12ce5f-1c00-0000-95b3-5d7d83070000 pid=1923->guuid=c0428560-1c00-0000-95b3-5d7d89070000 pid=1929 clone guuid=e6fd5260-1c00-0000-95b3-5d7d87070000 pid=1927 /usr/bin/dash guuid=fbbb2d60-1c00-0000-95b3-5d7d85070000 pid=1925->guuid=e6fd5260-1c00-0000-95b3-5d7d87070000 pid=1927 clone guuid=58d35760-1c00-0000-95b3-5d7d88070000 pid=1928 /usr/bin/dash guuid=fbbb2d60-1c00-0000-95b3-5d7d85070000 pid=1925->guuid=58d35760-1c00-0000-95b3-5d7d88070000 pid=1928 clone guuid=f5e04366-1c00-0000-95b3-5d7d99070000 pid=1945 /root/.sys/configuration guuid=c0428560-1c00-0000-95b3-5d7d89070000 pid=1929->guuid=f5e04366-1c00-0000-95b3-5d7d99070000 pid=1945 clone guuid=98725e66-1c00-0000-95b3-5d7d9a070000 pid=1946 /root/.sys/configuration guuid=f5e04366-1c00-0000-95b3-5d7d99070000 pid=1945->guuid=98725e66-1c00-0000-95b3-5d7d9a070000 pid=1946 clone guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948 /root/.sys/configuration dns net net-scan send-data guuid=98725e66-1c00-0000-95b3-5d7d9a070000 pid=1946->guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948 clone d316b2ae-0a7e-5b43-8de6-745900c90c54 127.0.0.1:65535 guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948->d316b2ae-0a7e-5b43-8de6-745900c90c54 con 38a4910e-6f05-5afe-a8e3-398c2eb18329 time.cloudflare.com:123 
guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948->38a4910e-6f05-5afe-a8e3-398c2eb18329 send: 48B ee367654-2e5f-5911-86e0-4905b36e82e8 31.200.249.162:31988 guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948->ee367654-2e5f-5911-86e0-4905b36e82e8 send: 68B 68e757f5-d0f2-5b63-8d1b-ebb53982869b 54.215.207.56:8583 guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948->68e757f5-d0f2-5b63-8d1b-ebb53982869b send: 68B 9f62c55c-2568-551b-bfe5-0bdbf6c35802 114.227.158.12:56002 guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948->9f62c55c-2568-551b-bfe5-0bdbf6c35802 send: 165B 4e290653-6856-569e-b01d-549f6a68c9d4 176.212.20.239:45823 guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948->4e290653-6856-569e-b01d-549f6a68c9d4 con 1c7fb2e7-7d4f-5540-ad05-977c3886d4d2 209.38.196.30:6815 guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948->1c7fb2e7-7d4f-5540-ad05-977c3886d4d2 con guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948|send-data send-data to 302 IP addresses review logs to see them all guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948->guuid=936a6c66-1c00-0000-95b3-5d7d9c070000 pid=1948|send-data send
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw
Score:
72 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample scans a subnet
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1735513 Sample: i686.elf Startdate: 14/07/2025 Architecture: LINUX Score: 72 42 31.200.249.146, 31840, 31870, 44252 NETRACK-ASRU Russian Federation 2->42 44 31.200.249.178, 31869, 31917, 40796 NETRACK-ASRU Russian Federation 2->44 46 102 other IPs or domains 2->46 54 Multi AV Scanner detection for submitted file 2->54 56 Connects to many ports of the same IP (likely port scanning) 2->56 58 Sample scans a subnet 2->58 10 i686.elf configuration 2->10         started        12 dash rm 2->12         started        14 dash rm 2->14         started        signatures3 process4 process5 16 i686.elf sh 10->16         started        18 configuration 10->18         started        21 i686.elf sh 10->21         started        signatures6 23 sh crontab 16->23         started        27 sh 16->27         started        50 Opens /sys/class/net/* files useful for querying network interface information 18->50 52 Sample reads /proc/mounts (often used for finding a writable filesystem) 18->52 29 configuration 18->29         started        31 sh crontab 21->31         started        process7 file8 40 /var/spool/cron/crontabs/tmp.zDaECu, ASCII 23->40 dropped 60 Sample tries to persist itself using cron 23->60 62 Executes the "crontab" command typically for achieving persistence 23->62 33 sh crontab 27->33         started        36 configuration 29->36         started        signatures9 process10 signatures11 48 Executes the "crontab" command typically for achieving persistence 33->48 38 configuration 36->38         started        process12
Threat name:
Linux.Trojan.Multiverze
Status:
Malicious
First seen:
2025-07-13 23:23:21 UTC
File Type:
ELF32 Little (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Renames itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf ab5cf4489aefbac374d2ae0b6fc736f72d51e570d18bfaf935ce6d9b89eebf64

(this sample)

  
Delivery method
Distributed via web download

Comments