MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aebc7d622eaef343c462ac1f4442191798c3f59563f222fa8cf386d15fe44225. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Tsunami
Vendor detections: 9

SHA256 hash: aebc7d622eaef343c462ac1f4442191798c3f59563f222fa8cf386d15fe44225
SHA3-384 hash: c07e68ec7b93a27b735e7acfa7d711aef1c7915db367ed38306d2ece6e6c54d914831121afbf7545c3cac513116adfa6
SHA1 hash: 7c6337ae3ab32c5ed9f353ff986962536ba995a9
MD5 hash: 4ce6a00b6110069929311e18e32973ad
humanhash: eleven-butter-king-white
File name: pty10
Signature: Tsunami
File size: 801'296 bytes
First seen: 2026-01-26 01:24:42 UTC
Last seen: 2026-01-26 23:14:19 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 24576:94rrq9fbGIFcSrtgk2/Ow9eWI2ZcaeN/yEN:yW9DPOSqk+0WISsyi
TLSH: T119053358378E0BA602AFDF4DCC01B9D4C2C7352C95F3AF88258A067663F5175EF6A492
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf Tsunami

Intelligence


File Origin
# of uploads: 3
# of downloads: 96
Origin country: DE
Vendor Threat Intelligence
Malware configuration found for: Mirai
Details: Mirai, a patched binary
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: android tsunami
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: arm
Packer: custom
Botnet: unknown
Number of open files: 97
Number of processes launched: 2
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour: no suspicious findings
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Verdict: Malicious
File Type: elf.32.le
First seen: 2025-03-03T16:42:00Z UTC
Last seen: 2026-01-27T12:58:00Z UTC
Hits: ~100
Status: terminated
Behavior Graph: /usr/bin/sudo (pid 2761) --execve--> /tmp/sample.bin (pid 2768)
Result
Threat name: Muhstik, Tsunami
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Executes the "crontab" command typically for achieving persistence
Explicitly modifies time stamps using the "touch" command
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Suricata IDS alerts for network traffic
Uses IRC for communication with a C&C
Uses known network protocols on non-standard ports
Writes identical ELF files to multiple locations
Yara detected Muhstik
Yara detected Tsunami
Behaviour
Behavior Graph: [Behavior Graph ID 1857373; sample pty10.elf; start date 26/01/2026; architecture LINUX; score 100. The graph shows pty10.elf spawning further pty10.elf and sh processes that run uname, crontab and touch, dropping crontab entries under /var/spool/cron/crontabs/ and identical copies of the ELF to /var/tmp/pty10.elf, /run/pty10.elf and /run/lock/pty10.elf, with network activity to about 100 IPs or domains flagged by Suricata IDS alerts.]
Threat name: Linux.Trojan.Tsunami
Status: Malicious
First seen: 2025-02-21 07:23:07 UTC
File Type: ELF32 Little (Exe)
AV detection: 19 of 36 (52.78%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: defense_evasion discovery execution persistence privilege_escalation upx
Behaviour
Reads runtime system information
Writes file to shm directory
Writes file to tmp directory
Changes its process name
Indicator Removal: Timestomp
UPX packed file
Creates/modifies Cron job
Enumerates running processes
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: Linux_Trojan_Tsunami_97288af8
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Tsunami, elf aebc7d622eaef343c462ac1f4442191798c3f59563f222fa8cf386d15fe44225 (this sample)

Delivery method: Distributed via web download

Comments