MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b618fd5ea69d48d449c27f6b96cfd2bd2c3ea3786ed311c144c5167e0ccab4d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b618fd5ea69d48d449c27f6b96cfd2bd2c3ea3786ed311c144c5167e0ccab4d5
SHA3-384 hash: 1119749f2ec5b8a9d1334144fba719b7a029255e700406256b36758f0888fe50212fb1aca2e573668585d7ef171f9743
SHA1 hash: 47f2a5656b12a6d2ae424fbc77599e35746158f4
MD5 hash: 1eb710c0d4605c282ad7725978571e9c
humanhash: oxygen-oven-one-foxtrot
File name:amd64
Download: download sample
File size:482'032 bytes
First seen:2025-07-08 11:17:28 UTC
Last seen:2025-07-08 23:41:31 UTC
File type: elf
MIME type:application/x-executable
ssdeep 12288:iD6LPBCvMk0O9na1M80cLt9i5aIaTtpc4W:2+QGO9naz0Szi5anTtR
TLSH T1F1A41212E290D8FEC4DAC070469FD27BFD767C544234BC6B6298F7322B3AE601B16A55
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
2
# of downloads :
13
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Siggen.9080.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.31951.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686cfe79c9eb974737678ed5linux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
exploit gcc
Link:
https://www.filescan.io/uploads/686cfe810737c4165a949313/reports/5aac137c-4b89-4de8-8740-d2fb27dd3b1c/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
false
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
11
Number of processes launched:
7
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/b618fd5ea69d48d449c27f6b96cfd2bd2c3ea3786ed311c144c5167e0ccab4d5
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 188.42.55.92:6881
type: 176.125.139.123:6881
type: 89.207.71.47:6881
type: 70.71.249.93:6881
type: 5.167.75.80:6881
type: 37.252.221.223:6881
type: 73.208.41.226:6881
type: 188.213.93.33:6881
type: 172.96.121.2:6881
type: 5.81.118.137:6881
type: 213.121.0.43:6881
type: 88.216.156.80:6881
type: 85.247.158.38:6881
type: 217.155.121.71:6881
type: 116.203.104.92:6881
type: 89.76.145.135:6881
type: 95.53.203.108:6881
type: 167.99.72.189:6881
type: 111.253.185.178:6881
type: 125.59.127.223:6881
type: 123.57.222.45:6881
type: 95.79.35.35:6881
type: 180.235.42.115:6881
type: 82.65.148.233:6881
type: 142.116.224.79:6881
type: 212.28.178.141:6881
type: 142.171.58.199:6881
type: 192.227.221.84:6881
type: 179.255.107.95:6881
type: 186.226.151.73:6881
type: 54.214.105.212:6881
type: 78.152.109.130:6881
type: 119.28.68.97:6881
type: 142.171.125.191:6881
type: 85.250.186.121:6881
type: 18.223.137.220:6881
type: 35.163.251.58:6881
type: 176.181.123.98:6881
type: 62.231.172.139:6881
type: 24.128.233.223:6881
type: 72.46.57.6:6881
type: 207.35.206.40:6881
type: 109.255.218.171:6881
type: 175.136.45.238:6881
type: 94.180.205.205:6881
type: 188.114.11.26:6881
type: 81.191.175.154:6881
type: 121.74.219.106:6881
type: 204.12.208.37:6881
type: 178.162.173.231:28001
type: 122.10.246.140:60020
type: 92.223.87.20:60020
type: 178.162.174.178:28003
type: 178.162.174.236:28003
type: 173.230.130.111:6880
type: 3.138.130.148:6880
type: 45.203.154.94:6880
type: 69.164.203.179:6880
type: 195.137.220.207:6880
type: 3.132.219.151:6880
type: 3.149.154.1:6880
type: 45.56.122.13:6880
type: 95.168.162.161:42670
type: 130.239.18.158:8539
type: 91.167.75.130:51413
type: 162.19.243.205:51413
type: 213.231.5.66:51413
type: 188.90.169.20:51413
type: 193.23.250.28:51413
type: 185.246.211.211:51413
type: 77.161.224.55:51413
type: 83.80.148.202:51413
type: 51.158.153.124:51413
type: 77.238.77.131:51413
type: 164.132.173.113:51413
type: 81.157.67.94:51413
type: 126.120.160.243:51413
type: 54.38.44.77:51413
type: 213.135.66.30:51413
type: 222.153.249.84:51413
type: 185.56.144.177:51413
type: 23.141.160.193:51413
type: 5.196.70.206:51413
type: 78.60.62.114:51413
type: 89.149.200.205:51413
type: 122.155.206.250:31353
type: 130.239.18.158:8521
type: 31.220.98.19:17238
type: 178.162.174.155:28012
type: 178.162.173.32:28012
type: 178.162.173.138:28012
type: 5.79.93.242:61920
type: 23.158.56.119:10033
type: 130.239.18.158:8525
type: 185.203.56.69:12282
type: 133.155.207.129:11602
type: 85.26.119.92:49001
type: 83.134.145.217:49001
type: 126.141.95.182:49001
type: 105.108.242.32:49001
type: 5.166.93.195:49001
type: 54.233.191.200:20965
type: 23.158.56.119:10037
type: 178.162.174.7:28004
type: 178.162.173.201:28004
type: 185.149.91.65:51042
type: 93.38.41.37:3305
type: 199.195.252.87:49152
type: 178.162.173.218:28000
type: 178.162.174.92:28000
type: 37.48.70.3:28000
type: 178.162.174.211:28005
type: 178.162.173.159:28005
type: 213.227.153.16:28005
type: 178.162.173.154:28015
type: 178.162.173.38:28015
type: 162.55.95.146:51555
type: 195.20.18.136:11072
type: 95.216.116.106:16113
type: 185.250.204.85:33291
type: 46.232.210.43:59944
type: 45.87.251.132:28215
type: 212.7.202.40:28030
type: 95.168.160.123:28006
type: 37.27.120.51:50000
type: 37.27.117.121:50000
type: 37.27.120.57:50000
type: 65.21.129.40:50000
type: 116.202.157.48:50000
type: 185.149.91.61:51053
type: 185.177.124.176:6890
type: 130.239.18.158:8561
type: 185.21.216.160:57286
type: 130.239.18.158:8580
type: 130.239.18.158:8537
type: 95.214.229.99:12452
type: 149.248.50.164:26930
type: 45.87.251.11:28127
type: 217.121.231.94:59625
type: 130.239.18.158:8508
type: 185.203.56.73:17490
type: 178.162.173.12:28011
type: 178.162.173.159:28011
type: 185.203.56.50:59141
type: 169.150.223.208:64034
type: 57.129.45.79:8654
type: 88.97.214.216:48132
type: 46.232.211.170:22909
type: 46.232.211.15:12009
type: 146.71.50.197:34385
type: 45.87.251.132:28057
type: 69.50.95.40:12084
type: 23.158.56.119:10078
type: 162.251.63.120:10094
type: 216.39.248.235:3892
type: 73.7.226.103:8621
type: 87.217.41.202:8621
type: 188.77.163.179:8621
type: 159.224.215.47:8621
type: 85.17.218.9:48168
type: 5.79.93.225:21153
type: 31.208.56.192:1871
type: 78.56.238.129:37850
type: 203.186.248.45:17434
type: 46.232.210.48:11959
type: 23.158.56.120:16016
type: 142.4.212.121:54723
type: 121.179.212.24:7923
type: 142.215.164.110:6882
type: 94.23.215.83:6882
type: 188.165.201.82:6882
type: 45.112.0.178:6882
type: 180.214.185.229:26122
type: 178.162.173.111:28014
type: 219.77.4.251:8549
type: 186.32.216.165:41539
type: 129.151.253.91:49349
type: 72.21.17.54:63581
type: 87.212.206.71:51765
type: 46.232.211.56:64101
type: 185.149.91.31:51035
type: 81.131.200.231:48599
type: 67.171.180.189:42961
type: 211.227.224.239:32680
type: 27.109.237.131:54859
type: 118.240.79.155:6889
type: 87.208.49.184:6889
type: 157.65.91.72:6889
type: 204.83.248.140:6889
type: 95.10.132.203:54434
type: 45.91.208.255:51389
type: 59.30.165.227:26583
type: 59.30.160.132:58769
type: 217.91.52.139:18553
type: 223.187.67.59:7665
type: 119.204.102.52:40859
type: 217.136.99.129:12722
type: 141.95.53.34:8652
type: 5.79.73.90:21551
type: 65.92.12.223:11828
type: 49.217.203.70:18641
type: 176.145.197.166:53150
type: 83.87.57.32:49160
type: 125.142.217.66:40981
type: 89.133.36.204:18659
type: 169.150.223.243:11309
type: 70.119.98.73:10154
type: 119.198.33.201:7422
type: 189.217.212.26:26594
type: 85.144.36.167:51414
type: 47.198.120.64:18048
type: 81.151.236.99:12653
type: 107.189.10.128:45366
type: 61.85.148.42:37510
type: 45.173.80.141:59165
type: 49.205.80.141:9272
type: 37.11.26.144:59143
type: 41.133.218.131:12469
type: 183.83.226.27:6968
type: 109.64.103.30:45682
type: 45.131.79.88:64020
type: 146.70.10.61:58430
type: 45.87.251.6:28031
type: 78.142.231.133:6767
type: 54.77.218.23:6892
type: 36.151.181.232:6892
type: 38.134.41.130:32681
type: 213.10.250.121:64041
type: 161.97.163.50:52845
type: 191.99.36.84:34381
type: 78.177.181.26:37294
type: 103.87.193.32:35004
type: 152.117.115.238:13111
type: 115.70.28.95:61845
type: 142.167.172.139:15152
type: 169.150.251.166:17409
type: 183.97.24.40:51244
type: 147.192.184.37:52402
type: 111.220.74.7:6012
type: 125.137.65.217:41081
type: 172.114.171.235:30568
type: 195.181.243.108:59357
type: 178.162.173.147:28002
type: 129.222.157.238:23782
type: 89.134.29.95:18207
type: 221.167.228.151:33150
type: 1.247.73.217:40574
type: 202.53.53.158:39387
type: 188.165.201.10:47291
type: 186.122.225.235:49466
type: 152.53.52.107:10240
type: 59.18.205.78:7929
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/8b3e855b-a57d-4689-a4e5-29860cea8242
Behavior Graph:
Download SVG
%3 guuid=3d1117b1-1600-0000-5336-46ebd30b0000 pid=3027 /usr/bin/sudo guuid=4e7629b3-1600-0000-5336-46ebda0b0000 pid=3034 /tmp/sample.bin guuid=3d1117b1-1600-0000-5336-46ebd30b0000 pid=3027->guuid=4e7629b3-1600-0000-5336-46ebda0b0000 pid=3034 execve guuid=bfdf84b3-1600-0000-5336-46ebdc0b0000 pid=3036 /usr/bin/dash guuid=4e7629b3-1600-0000-5336-46ebda0b0000 pid=3034->guuid=bfdf84b3-1600-0000-5336-46ebdc0b0000 pid=3036 execve guuid=474ddfb3-1600-0000-5336-46ebdf0b0000 pid=3039 /usr/bin/dash guuid=4e7629b3-1600-0000-5336-46ebda0b0000 pid=3034->guuid=474ddfb3-1600-0000-5336-46ebdf0b0000 pid=3039 execve guuid=19ed72b4-1600-0000-5336-46ebe30b0000 pid=3043 /tmp/sample.bin mprotect-exec zombie guuid=4e7629b3-1600-0000-5336-46ebda0b0000 pid=3034->guuid=19ed72b4-1600-0000-5336-46ebe30b0000 pid=3043 clone guuid=51e541b4-1600-0000-5336-46ebe10b0000 pid=3041 /usr/bin/dash guuid=474ddfb3-1600-0000-5336-46ebdf0b0000 pid=3039->guuid=51e541b4-1600-0000-5336-46ebe10b0000 pid=3041 clone guuid=7c404bb4-1600-0000-5336-46ebe20b0000 pid=3042 /usr/bin/dash guuid=474ddfb3-1600-0000-5336-46ebdf0b0000 pid=3039->guuid=7c404bb4-1600-0000-5336-46ebe20b0000 pid=3042 clone guuid=fc0bc0ba-1600-0000-5336-46ebfa0b0000 pid=3066 /tmp/sample.bin zombie guuid=19ed72b4-1600-0000-5336-46ebe30b0000 pid=3043->guuid=fc0bc0ba-1600-0000-5336-46ebfa0b0000 pid=3066 clone guuid=0697c9ba-1600-0000-5336-46ebfb0b0000 pid=3067 /tmp/sample.bin guuid=fc0bc0ba-1600-0000-5336-46ebfa0b0000 pid=3066->guuid=0697c9ba-1600-0000-5336-46ebfb0b0000 pid=3067 clone guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068 /tmp/sample.bin dns net net-scan send-data guuid=0697c9ba-1600-0000-5336-46ebfb0b0000 pid=3067->guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068 clone d316b2ae-0a7e-5b43-8de6-745900c90c54 127.0.0.1:65535 guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068->d316b2ae-0a7e-5b43-8de6-745900c90c54 con 38a4910e-6f05-5afe-a8e3-398c2eb18329 time.cloudflare.com:123 guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068->38a4910e-6f05-5afe-a8e3-398c2eb18329 send: 48B 33f04ae9-c655-57aa-8540-500e9a4ff979 31.200.249.227:31973 guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068->33f04ae9-c655-57aa-8540-500e9a4ff979 send: 68B cddb66f9-ed88-5a74-baba-69cb4a765996 31.200.249.162:31946 guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068->cddb66f9-ed88-5a74-baba-69cb4a765996 send: 68B 036e85d0-89e7-5fd5-ae3a-d3fb13c1e296 46.246.3.197:21924 guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068->036e85d0-89e7-5fd5-ae3a-d3fb13c1e296 send: 68B f2dfbe0d-88c8-596e-8556-a29a02f1dd78 31.200.249.130:31950 guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068->f2dfbe0d-88c8-596e-8556-a29a02f1dd78 send: 68B 16997e52-305e-57f9-8721-85aee6542ab7 95.24.152.151:47669 guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068->16997e52-305e-57f9-8721-85aee6542ab7 con 55e67744-851c-5b4f-a18a-8c1e1bb3f117 46.158.123.209:47669 guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068->55e67744-851c-5b4f-a18a-8c1e1bb3f117 con 22ddd0f0-63f9-5001-bc20-e470587ebe62 46.246.3.197:17443 guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068->22ddd0f0-63f9-5001-bc20-e470587ebe62 send: 68B 1256a7c0-1054-5be3-8a8b-ee4f1c4de407 223.109.206.185:47669 guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068->1256a7c0-1054-5be3-8a8b-ee4f1c4de407 con guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068|send-data send-data to 300 IP addresses review logs to see them all guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068->guuid=4e13d0ba-1600-0000-5336-46ebfc0b0000 pid=3068|send-data send
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f370bc32-3e53-4a5d-b414-d93500de1ec1
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1730831
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1730831 Sample: amd64.elf Startdate: 08/07/2025 Architecture: LINUX Score: 68 38 31.200.249.233, 31897, 56160 NETRACK-ASRU Russian Federation 2->38 40 88.97.204.185, 53913, 6881 ZEN-ASZenInternet-UKGB United Kingdom 2->40 42 102 other IPs or domains 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Connects to many ports of the same IP (likely port scanning) 2->46 10 amd64.elf 2->10         started        signatures3 process4 process5 12 amd64.elf sh 10->12         started        14 amd64.elf 10->14         started        17 amd64.elf sh 10->17         started        signatures6 19 sh crontab 12->19         started        23 sh 12->23         started        54 Opens /sys/class/net/* files useful for querying network interface information 14->54 56 Sample reads /proc/mounts (often used for finding a writable filesystem) 14->56 25 amd64.elf 14->25         started        27 sh crontab 17->27         started        process7 file8 36 /var/spool/cron/crontabs/tmp.xJU81C, ASCII 19->36 dropped 48 Sample tries to persist itself using cron 19->48 50 Executes the "crontab" command typically for achieving persistence 19->50 29 sh crontab 23->29         started        32 amd64.elf 25->32         started        signatures9 process10 signatures11 52 Executes the "crontab" command typically for achieving persistence 29->52 34 amd64.elf 32->34         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/b618fd5ea69d48d449c27f6b96cfd2bd2c3ea3786ed311c144c5167e0ccab4d5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b618fd5ea69d48d449c27f6b96cfd2bd2c3ea3786ed311c144c5167e0ccab4d5/
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-07-08 11:18:11 UTC
File Type:
ELF64 Little (Exe)
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wymp2xvgtvenisocp5vznt6sxuwd5i3yn3jrdqkeyulh4dgkwtkq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/250708-nec4mawvgy/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eb226fc9-6dce-4866-9909-a4078fd68fd2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/b618fd5ea69d48d449c27f6b96cfd2bd2c3ea3786ed311c144c5167e0ccab4d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf b618fd5ea69d48d449c27f6b96cfd2bd2c3ea3786ed311c144c5167e0ccab4d5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3550042/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments