MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c29f7e11fa8ea7135d35e0a1381e95ba14ede21165829876f3b12f34f7bf217f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	c29f7e11fa8ea7135d35e0a1381e95ba14ede21165829876f3b12f34f7bf217f
SHA3-384 hash:	2b7a0bbdcbbe2b1a58c25db89d991a8af2984561c2b010f7d33eee928ed2fee071173761f958c40e742a43d537868963
SHA1 hash:	62aee813ccafdf5ad3fbf3991e3995c37dc4d8d2
MD5 hash:	7696de089d7a6b88a6b154a990b99137
humanhash:	west-cardinal-alaska-freddie
File name:	lol.arm5
Download:	download sample
File size:	90'908 bytes
First seen:	2025-05-01 07:10:35 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	1536:rwHnXjAe/Mtk53nTfh0GIQi8tHHSeCSE5dy4vx5YsqGTCOhn3iqHpLYIRor:rGjAjtk9OQDUSE/Zp3iqJLhRQ
TLSH	T136930796B8419B16C6D056BBFE1E11CE33232FB8E3DA3202DD146F2477DA94A0E3B551
Magika	elf
Reporter	abuse_ch
Tags:	elf

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.LINUX.Agent.28263.9326.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68132410c8b2e86d0ac5b57flinux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Mounts file systems

DNS request

Runs as daemon

Creating a file

Opens a port

Receives data from a server

Sends data to a server

Substitutes an application name

Verdict:

Unknown

Threat level:

0/10

Confidence:

100%

Tags:

expand lolbin masquerade remote

Link:

https://www.filescan.io/uploads/68131e8d218c4a98adeaa24c/reports/406737bb-e20c-4636-ae86-80725031b889/overview

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/229c8445-92a2-45db-b7fd-b60e14b52273

Result

Threat name:

n/a

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1679031

Signature

Opens /proc/net/* files useful for finding connected devices and routers

Opens /sys/class/net/* files useful for querying network interface information

Performs DNS TXT record lookups

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to kill multiple processes (SIGKILL)

Uses STUN server to do NAT traversial

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/c29f7e11fa8ea7135d35e0a1381e95ba14ede21165829876f3b12f34f7bf217f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c29f7e11fa8ea7135d35e0a1381e95ba14ede21165829876f3b12f34f7bf217f/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ykpx4ep2r2trgxjv4cqtqhuvxiko3yqrmwbjq5xtwextj557ef7q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

credential_access defense_evasion discovery

Link:

https://tria.ge/reports/250501-hzz61a1shv/

Behaviour

Reads runtime system information

Changes its process name

Reads system network configuration

Reads process memory

Reads MAC address of network interface

Reads system routing table

Renames itself

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c29f7e11fa8ea7135d35e0a1381e95ba14ede21165829876f3b12f34f7bf217f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.