MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be9c0748ceb99312bcf9ae40a3a6f86a40490eaeb2c33d7fa2b35a14f38cf7f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9



SHA256 hash: be9c0748ceb99312bcf9ae40a3a6f86a40490eaeb2c33d7fa2b35a14f38cf7f7
SHA3-384 hash: d6e73762315c75cfaee83133556a585baab7a83fc494c3ae0edd2b12522af3877876e33b98286a2bbc96dc92a2aa2f5d
SHA1 hash: 75f1e39bbd155fe4d1a8010a97af5769ecb9017a
MD5 hash: e35faced979dc568cda8aed610223f1d
humanhash: nine-eighteen-nevada-cardinal
File name: aarch64
File size: 509'896 bytes
First seen: 2025-06-11 15:50:13 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 6144:O/izeB+/ow3gK2lc5bvyI0vOHD6BZkDgn358cIF3RI5HkdY1FP98/8ecjfP:3BohHKTyfvOHD6ByD4WcIMkuDmEesP
TLSH: T163B41228EE4E38D1F3D1E3B8DA0A4BB1B05B79D0C166C1B2BA41E25D95E9DDEC5D0212
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence

File Origin
# of uploads: 1
# of downloads: 70
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creates directories
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: exploit gcc lolbin remote

Verdict: Malicious
Uses P2P?: true
Uses anti-vm?: false
Architecture: arm
Packer: custom
Botnet: unknown
Number of open files: 0
Number of processes launched: 0
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s):
Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw
Score: 68 / 100
Signature:
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
[Behavior graph, ID 1712464; sample aarch64.elf; start date 11/06/2025; architecture LINUX; score 68]
Network nodes: 31.200.249.178 (ports 31785, 33254; NETRACK-ASRU, Russian Federation), 210.209.131.165 (ports 6881, 9723; VEETIME-TW-APVEETIMECORPTW, Taiwan; Republic of China (ROC)), plus 101 other IPs or domains.
Process tree: aarch64.elf is started from the root node alongside two "dash rm" processes; aarch64.elf spawns sh (which runs crontab), a further aarch64.elf instance (which re-spawns itself twice more), and a second sh (which runs crontab).
Dropped file: /var/spool/cron/crontabs/tmp.15rHJ8 (ASCII), written by the sh crontab process.
Signatures attached to graph nodes: Multi AV Scanner detection for submitted file; Connects to many ports of the same IP (likely port scanning); Opens /sys/class/net/* files useful for querying network interface information; Sample reads /proc/mounts (often used for finding a writable filesystem); Sample tries to persist itself using cron; Executes the "crontab" command typically for achieving persistence.
Threat name: Linux.Trojan.Multiverze
Status: Malicious
First seen: 2025-06-11 15:50:30 UTC
File Type: ELF64 Little (Exe)
AV detection: 14 of 24 (58.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: linux
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
elf be9c0748ceb99312bcf9ae40a3a6f86a40490eaeb2c33d7fa2b35a14f38cf7f7 (this sample)
Delivery method: Distributed via web download

Comments