MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7df384b82fd3a56ec48e4717b94e9ac3bf07db58cd9d32dfc234a8733d77178. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7df384b82fd3a56ec48e4717b94e9ac3bf07db58cd9d32dfc234a8733d77178
SHA3-384 hash: 0e8a6bcc43e4cc806fbe39d6b0c7f995ae0cda75541d336a392c4ebcc2a3c3d236fabcb2a35eca2195ed57d985839361
SHA1 hash: ab1107db47a889a7411834d5688c05626101002d
MD5 hash: 7aedbd15d0eb836347ef1d33c104352b
humanhash: leopard-nine-oscar-zulu
File name:amd64
Download: download sample
File size:482'032 bytes
First seen:2025-06-23 11:16:00 UTC
Last seen:2025-06-24 10:01:01 UTC
File type: elf
MIME type:application/x-executable
ssdeep 12288:iD6LPBCvMk0O9na1M80cLt9i5aIaTtpc4W:2+QGO9naz0Szi5anTtR
TLSH T1EFA41212E290D8FEC4DAC070469FD27BFD767C544234BC6B6298F7322B3AE601B16A55
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
2
# of downloads :
66
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Siggen.9080.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.31951.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68593795b06783b9ebd6ad82linux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
exploit gcc lolbin remote similar-threat
Link:
https://www.filescan.io/uploads/6859378ecf2af157111528e5/reports/48bc851d-9156-4028-bddb-6da56f7cee5f/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
70
Number of processes launched:
10
Processes remaning?
false
Remote TCP ports scanned:
33243
Full report:
https://elfdigest.com/brief/c7df384b82fd3a56ec48e4717b94e9ac3bf07db58cd9d32dfc234a8733d77178
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.1:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 195.154.184.19:6881
type: 5.101.194.86:6881
type: 90.244.187.161:6881
type: 213.88.12.218:6881
type: 88.85.202.75:6881
type: 178.62.5.109:6881
type: 91.225.20.2:6881
type: 178.69.209.93:6881
type: 93.176.180.96:6881
type: 86.163.83.158:6881
type: 109.63.239.114:6881
type: 95.79.250.103:6881
type: 172.96.121.2:6881
type: 217.215.30.202:6881
type: 5.196.70.116:6881
type: 95.211.169.28:6881
type: 90.204.161.161:6881
type: 54.211.14.111:6881
type: 112.187.206.7:6881
type: 109.111.144.194:6881
type: 213.47.128.91:6881
type: 80.60.104.179:6881
type: 116.232.30.225:6881
type: 124.133.136.84:6881
type: 115.165.120.225:6881
type: 61.84.29.245:6881
type: 5.69.11.32:6881
type: 24.56.226.167:6881
type: 86.127.241.41:6881
type: 151.16.62.185:6881
type: 71.212.147.141:6881
type: 92.32.64.153:6881
type: 112.118.117.16:6881
type: 178.151.220.171:6881
type: 110.148.142.225:6881
type: 141.98.154.145:6881
type: 46.162.203.96:6881
type: 18.191.2.28:6881
type: 75.119.138.164:6881
type: 144.217.72.98:6881
type: 118.160.27.244:6881
type: 61.228.66.31:6881
type: 46.235.49.88:6881
type: 49.228.176.193:6881
type: 95.66.141.26:6881
type: 120.77.8.170:6881
type: 49.36.240.193:6881
type: 109.202.54.152:6881
type: 130.239.18.158:8516
type: 18.117.46.179:6880
type: 195.154.233.74:6880
type: 45.203.205.61:6880
type: 45.203.206.54:6880
type: 45.203.155.80:6880
type: 52.201.45.189:6880
type: 45.203.206.61:6880
type: 18.118.77.23:6880
type: 130.239.18.158:8580
type: 178.162.173.91:28003
type: 178.162.174.99:28003
type: 178.162.173.32:28003
type: 178.162.173.105:28003
type: 178.162.173.14:28003
type: 130.239.18.158:8513
type: 178.162.173.102:28007
type: 178.162.173.70:28007
type: 178.162.173.218:28007
type: 109.201.152.178:46908
type: 178.162.173.13:28010
type: 178.162.173.136:28010
type: 65.21.34.43:50000
type: 135.181.238.57:50000
type: 144.76.220.196:50000
type: 135.181.227.244:50000
type: 65.21.125.170:50000
type: 65.21.196.126:50000
type: 37.27.117.115:50000
type: 95.216.13.53:50000
type: 65.21.33.212:50000
type: 37.27.104.50:50000
type: 135.181.238.58:50000
type: 37.27.104.49:50000
type: 37.27.119.242:50000
type: 162.55.82.165:50000
type: 162.55.85.174:50000
type: 95.217.226.236:50000
type: 162.55.82.88:50000
type: 65.21.34.15:50000
type: 37.27.117.50:50000
type: 89.149.202.17:28034
type: 5.79.98.151:59939
type: 199.79.190.23:56051
type: 51.77.230.184:51413
type: 185.107.44.197:51413
type: 141.224.215.245:51413
type: 89.223.38.206:51413
type: 161.35.126.19:51413
type: 51.77.53.62:51413
type: 124.213.90.196:51413
type: 51.222.42.30:51413
type: 178.128.114.125:51413
type: 192.99.7.39:51413
type: 110.87.8.159:51413
type: 5.143.51.194:51413
type: 51.222.137.166:51413
type: 164.132.175.155:51413
type: 82.72.231.200:51413
type: 61.99.212.6:51413
type: 37.187.20.193:51413
type: 178.162.144.51:21183
type: 178.38.177.125:21456
type: 27.131.232.73:24157
type: 185.21.216.198:49651
type: 103.174.9.66:3691
type: 112.91.94.70:6882
type: 126.107.120.100:6882
type: 178.162.173.222:28002
type: 178.162.174.163:28002
type: 178.162.173.149:28004
type: 178.162.174.43:28004
type: 178.162.173.67:28004
type: 178.162.173.6:28004
type: 178.162.173.58:28004
type: 178.162.173.228:28005
type: 178.162.173.111:28005
type: 178.162.173.108:28005
type: 178.162.173.231:28005
type: 178.162.173.225:28005
type: 178.162.173.102:28005
type: 178.162.174.222:28014
type: 178.162.174.88:28014
type: 178.162.173.132:28014
type: 178.162.173.231:28014
type: 130.239.18.158:8524
type: 130.239.18.158:8515
type: 130.239.18.158:8510
type: 178.162.174.170:28001
type: 178.162.173.169:28001
type: 179.61.197.105:25002
type: 172.96.121.2:6884
type: 37.48.118.83:8999
type: 104.195.12.36:1434
type: 185.203.56.59:16107
type: 130.239.18.158:8501
type: 83.105.62.43:61249
type: 46.232.211.130:16609
type: 45.87.251.152:59739
type: 46.232.211.180:51539
type: 178.162.174.168:28012
type: 178.162.173.148:28012
type: 185.203.56.38:61855
type: 178.162.174.185:28011
type: 213.227.153.16:28009
type: 46.232.211.20:12009
type: 178.162.173.97:28013
type: 178.162.174.105:28013
type: 51.75.68.29:8648
type: 222.227.201.215:6112
type: 178.162.173.141:28000
type: 185.203.56.1:63010
type: 62.195.108.191:16881
type: 69.87.207.136:9118
type: 94.31.117.198:3483
type: 73.146.134.158:6008
type: 49.205.80.218:42769
type: 89.134.22.211:14049
type: 180.63.42.185:26086
type: 46.173.148.123:48678
type: 77.85.33.102:18038
type: 211.229.26.217:32806
type: 106.163.77.175:9020
type: 90.94.28.163:6889
type: 106.104.114.124:6889
type: 84.242.68.106:6889
type: 79.57.203.152:6889
type: 70.54.19.230:47202
type: 98.14.176.250:26556
type: 90.222.114.25:36362
type: 216.49.131.12:54594
type: 176.31.121.46:51423
type: 45.87.251.132:28140
type: 24.2.133.225:7840
type: 45.87.251.138:28037
type: 70.49.158.169:6893
type: 208.77.22.212:49699
type: 88.97.22.8:52932
type: 3.125.33.61:20965
type: 42.127.32.249:14635
type: 186.13.115.90:57097
type: 185.21.216.187:65285
type: 50.44.94.117:19388
type: 86.123.166.129:23629
type: 84.70.93.216:50321
type: 194.126.124.109:52648
type: 186.12.168.25:22698
type: 159.54.171.98:34567
type: 178.162.173.26:28006
type: 178.162.173.166:28006
type: 80.240.11.142:8621
type: 178.85.132.16:8621
type: 38.248.39.212:43489
type: 84.15.102.70:47801
type: 102.213.69.248:16283
type: 102.141.49.185:1038
type: 144.76.175.153:57025
type: 119.65.253.58:41139
type: 142.116.88.158:57703
type: 118.166.16.49:6842
type: 65.108.143.34:36192
type: 144.76.175.153:36893
type: 186.22.16.49:47960
type: 76.91.107.104:29310
type: 5.192.169.115:47602
type: 112.163.159.41:40794
type: 46.184.241.171:56473
type: 120.28.185.246:33112
type: 172.90.7.101:33112
type: 186.83.140.37:37069
type: 152.53.45.107:6989
type: 152.53.104.128:10240
type: 146.59.3.81:10240
type: 152.53.52.107:10240
type: 152.53.105.61:10240
type: 49.205.195.197:62708
type: 152.53.45.107:7248
type: 51.15.19.75:3063
type: 23.95.11.50:65524
type: 37.48.89.229:13312
type: 178.81.18.245:48091
type: 188.165.200.53:57498
type: 178.162.148.94:63461
type: 178.162.174.154:28008
type: 95.216.116.106:16113
type: 37.26.131.67:30258
type: 69.50.95.40:10023
type: 144.76.175.153:26615
type: 211.184.140.221:7949
type: 61.255.141.79:7625
type: 180.151.24.23:40224
type: 213.111.77.79:32340
type: 67.11.38.76:37186
type: 37.187.98.89:65482
type: 88.97.210.185:56528
type: 46.232.211.86:64050
type: 173.249.217.7:51372
type: 37.48.89.139:56111
type: 192.166.211.113:60252
type: 84.65.139.128:55404
type: 78.190.248.118:40300
type: 45.136.230.151:50171
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/b839e276-6095-41a5-be40-a744c3b13b12
Behavior Graph:
Download SVG
%3 guuid=1df09c76-1600-0000-406f-e7fe3e0c0000 pid=3134 /usr/bin/sudo guuid=78768d79-1600-0000-406f-e7fe470c0000 pid=3143 /tmp/sample.bin guuid=1df09c76-1600-0000-406f-e7fe3e0c0000 pid=3134->guuid=78768d79-1600-0000-406f-e7fe470c0000 pid=3143 execve guuid=1f28a579-1600-0000-406f-e7fe480c0000 pid=3144 /usr/bin/dash guuid=78768d79-1600-0000-406f-e7fe470c0000 pid=3143->guuid=1f28a579-1600-0000-406f-e7fe480c0000 pid=3144 execve guuid=6865067a-1600-0000-406f-e7fe4a0c0000 pid=3146 /usr/bin/dash guuid=78768d79-1600-0000-406f-e7fe470c0000 pid=3143->guuid=6865067a-1600-0000-406f-e7fe4a0c0000 pid=3146 execve guuid=32f95f7a-1600-0000-406f-e7fe4d0c0000 pid=3149 /tmp/sample.bin mprotect-exec zombie guuid=78768d79-1600-0000-406f-e7fe470c0000 pid=3143->guuid=32f95f7a-1600-0000-406f-e7fe4d0c0000 pid=3149 clone guuid=acae417a-1600-0000-406f-e7fe4b0c0000 pid=3147 /usr/bin/dash guuid=6865067a-1600-0000-406f-e7fe4a0c0000 pid=3146->guuid=acae417a-1600-0000-406f-e7fe4b0c0000 pid=3147 clone guuid=b072497a-1600-0000-406f-e7fe4c0c0000 pid=3148 /usr/bin/dash guuid=6865067a-1600-0000-406f-e7fe4a0c0000 pid=3146->guuid=b072497a-1600-0000-406f-e7fe4c0c0000 pid=3148 clone guuid=8e37477e-1600-0000-406f-e7fe560c0000 pid=3158 /tmp/sample.bin zombie guuid=32f95f7a-1600-0000-406f-e7fe4d0c0000 pid=3149->guuid=8e37477e-1600-0000-406f-e7fe560c0000 pid=3158 clone guuid=6ff5517e-1600-0000-406f-e7fe570c0000 pid=3159 /tmp/sample.bin guuid=8e37477e-1600-0000-406f-e7fe560c0000 pid=3158->guuid=6ff5517e-1600-0000-406f-e7fe570c0000 pid=3159 clone guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160 /tmp/sample.bin dns net net-scan send-data guuid=6ff5517e-1600-0000-406f-e7fe570c0000 pid=3159->guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160 clone d316b2ae-0a7e-5b43-8de6-745900c90c54 127.0.0.1:65535 guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160->d316b2ae-0a7e-5b43-8de6-745900c90c54 con 38a4910e-6f05-5afe-a8e3-398c2eb18329 time.cloudflare.com:123 guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160->38a4910e-6f05-5afe-a8e3-398c2eb18329 send: 48B 2d752d5e-5dfa-5bf1-a89f-d1ded8e3be97 31.200.249.178:31995 guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160->2d752d5e-5dfa-5bf1-a89f-d1ded8e3be97 send: 68B eb903f15-a5f4-5d26-9452-dbf24da3602e 31.200.249.162:31868 guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160->eb903f15-a5f4-5d26-9452-dbf24da3602e send: 68B 0f729d83-af23-5067-854c-eb8b560d11b1 31.200.249.227:31871 guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160->0f729d83-af23-5067-854c-eb8b560d11b1 send: 68B 5a54693e-c6d1-5f52-98e0-73a18b44ec61 31.200.249.146:31870 guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160->5a54693e-c6d1-5f52-98e0-73a18b44ec61 send: 68B c7a5c0f9-e140-5c8c-8d5d-bd571f5f6b6c 31.200.249.178:31869 guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160->c7a5c0f9-e140-5c8c-8d5d-bd571f5f6b6c send: 68B f81ecdf5-7348-5d29-b567-54b51856ec99 31.200.249.178:31887 guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160->f81ecdf5-7348-5d29-b567-54b51856ec99 send: 68B guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160|send-data send-data to 340 IP addresses review logs to see them all guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160->guuid=e368597e-1600-0000-406f-e7fe580c0000 pid=3160|send-data send
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2dbc1948-13e0-4f4d-a839-f5b2b860cf12
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1720845
Signature
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample scans a subnet
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1720845 Sample: amd64.elf Startdate: 23/06/2025 Architecture: LINUX Score: 68 38 178.162.174.178, 28003, 6881 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 2->38 40 178.162.174.8, 45560, 6881 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 2->40 42 102 other IPs or domains 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Sample scans a subnet 2->46 10 amd64.elf 2->10         started        signatures3 process4 process5 12 amd64.elf sh 10->12         started        14 amd64.elf 10->14         started        17 amd64.elf sh 10->17         started        signatures6 19 sh crontab 12->19         started        23 sh 12->23         started        54 Opens /sys/class/net/* files useful for querying network interface information 14->54 56 Sample reads /proc/mounts (often used for finding a writable filesystem) 14->56 25 amd64.elf 14->25         started        27 sh crontab 17->27         started        process7 file8 36 /var/spool/cron/crontabs/tmp.7QyYzu, ASCII 19->36 dropped 48 Sample tries to persist itself using cron 19->48 50 Executes the "crontab" command typically for achieving persistence 19->50 29 sh crontab 23->29         started        32 amd64.elf 25->32         started        signatures9 process10 signatures11 52 Executes the "crontab" command typically for achieving persistence 29->52 34 amd64.elf 32->34         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/c7df384b82fd3a56ec48e4717b94e9ac3bf07db58cd9d32dfc234a8733d77178
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7df384b82fd3a56ec48e4717b94e9ac3bf07db58cd9d32dfc234a8733d77178/
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-06-23 11:16:29 UTC
File Type:
ELF64 Little (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y7ptqs4c7u5fn3ci4ryxxfhjvq57a7nvrtm5glp4enfiom6xof4a._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/250623-ndcrgayrt8/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f7e3f7bd-1f24-4cd1-9619-d5b86c18bc33
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7df384b82fd3a56ec48e4717b94e9ac3bf07db58cd9d32dfc234a8733d77178

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf c7df384b82fd3a56ec48e4717b94e9ac3bf07db58cd9d32dfc234a8733d77178

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3550686/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments