MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccbf66093dd3819d665c0e60628e54928c1c5ec557a87989b414cb5d296bf9ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccbf66093dd3819d665c0e60628e54928c1c5ec557a87989b414cb5d296bf9ea
SHA3-384 hash: cad106dbce6dfc22f45cd02eb6c0d3c445c380f36ab1bfd058285150438afdde2d96bd02c62bd312b5c5c31528b8f0aa
SHA1 hash: 15f8f89e9d753a8276b987a9ac39466901887395
MD5 hash: f24524fd61d130dc0297198f1f9aef95
humanhash: video-low-alpha-island
File name:arm926t
Download: download sample
File size:480'792 bytes
First seen:2025-06-23 12:00:06 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 12288:ndLGtVtlmIHk6Rtx02O6R+9X8C5SGEzf:pGntlzJx02O6E9X8XG
TLSH T112A40294E9819B62C2C801BFFF0F45BC77A31F69E1EA71068D16EB2662D745A4F7E400
telfhash t186c08c8c0fd401beba7d72a203bef2bf61a072f0be0224920404eb6f074c584028144c
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6859421a32ed47a3a8d69a50linux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creates directories
Creating a process from a recently created file
Changes the time when the file was created, accessed, or modified
Creating a file in the %temp% directory
Creating a file
Connection attempt
Locks files
Opens a port
Changes access rights for a written file
Collects information on the CPU
Receives data from a server
Sends data to a server
DNS request
Runs as daemon
Creates or modifies files in /cron to set up autorun
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
arm
Packer:
custom
Botnet:
unknown
Number of open files:
103
Number of processes launched:
10
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/ccbf66093dd3819d665c0e60628e54928c1c5ec557a87989b414cb5d296bf9ea
Behaviour
Anti-VM
Persistence
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 178.69.209.93:6881
type: 31.187.191.91:6881
type: 95.211.162.131:6881
type: 37.187.121.149:6881
type: 185.148.0.69:6881
type: 176.125.139.123:6881
type: 89.207.71.47:6881
type: 188.42.55.92:6881
type: 83.114.61.193:6881
type: 93.49.253.30:6881
type: 178.32.217.211:6881
type: 176.135.247.67:6881
type: 176.221.2.205:6881
type: 217.155.105.198:6881
type: 46.77.74.253:6881
type: 86.238.26.198:6881
type: 149.50.101.153:6881
type: 88.22.73.27:6881
type: 82.66.146.26:6881
type: 84.226.240.58:6881
type: 185.123.47.3:6881
type: 47.150.30.53:6881
type: 178.67.42.230:6881
type: 58.188.93.144:6881
type: 81.226.111.143:6881
type: 102.119.32.30:6881
type: 86.38.200.129:6881
type: 84.175.49.77:6881
type: 5.196.70.116:6881
type: 5.135.138.137:6881
type: 107.181.234.235:6881
type: 35.167.186.212:6881
type: 37.187.116.143:6881
type: 68.79.91.206:6881
type: 149.56.106.67:6881
type: 5.45.106.38:6881
type: 218.103.191.137:6881
type: 90.7.253.68:6881
type: 198.53.187.251:6881
type: 176.106.155.71:6881
type: 54.194.137.170:6881
type: 80.144.85.113:6881
type: 178.162.174.222:28014
type: 141.95.53.34:8648
type: 135.181.227.244:50000
type: 176.9.91.222:50000
type: 162.55.84.205:50000
type: 142.132.206.120:50000
type: 135.181.238.57:50000
type: 95.216.5.92:50000
type: 142.132.207.59:50000
type: 144.76.166.157:50000
type: 162.55.86.25:50000
type: 148.251.1.23:50000
type: 37.27.119.190:50000
type: 65.21.125.174:50000
type: 37.27.117.57:50000
type: 65.21.129.56:50000
type: 130.239.18.158:8515
type: 185.149.91.21:51118
type: 45.203.208.35:6880
type: 52.15.209.223:6880
type: 195.154.233.74:6880
type: 173.230.130.111:6880
type: 3.17.7.18:6880
type: 3.130.230.203:6880
type: 44.216.7.139:6880
type: 45.203.151.81:6880
type: 185.149.91.145:51509
type: 5.79.66.11:54337
type: 95.211.247.101:28009
type: 213.232.235.11:8999
type: 51.158.200.129:6913
type: 176.36.60.52:22483
type: 5.135.156.163:56843
type: 178.162.174.116:28012
type: 104.195.12.40:25829
type: 130.239.18.158:8516
type: 111.108.18.125:10971
type: 5.182.17.111:5091
type: 45.152.210.33:50171
type: 31.187.131.195:45252
type: 212.7.202.213:6848
type: 83.226.130.15:65297
type: 116.203.50.42:34383
type: 37.48.89.212:64442
type: 5.79.78.96:62930
type: 5.79.98.150:50725
type: 158.69.27.241:43789
type: 176.119.113.160:57025
type: 88.230.51.8:6138
type: 78.189.151.217:6889
type: 79.11.107.190:6889
type: 58.159.131.111:6889
type: 175.38.122.153:6889
type: 45.137.83.152:55159
type: 83.233.211.39:12946
type: 178.162.173.198:28007
type: 178.162.173.89:28007
type: 169.150.223.219:27159
type: 198.46.160.130:51444
type: 178.162.174.102:28013
type: 95.211.247.101:28013
type: 5.79.122.80:28013
type: 158.101.0.137:51413
type: 45.83.232.30:51413
type: 84.217.73.58:51413
type: 95.31.43.219:51413
type: 198.27.67.208:51413
type: 130.89.163.82:51413
type: 217.155.196.78:51413
type: 91.176.233.195:51413
type: 165.0.78.85:51413
type: 149.86.63.216:51413
type: 2.236.169.3:51413
type: 109.160.122.210:51413
type: 99.27.237.241:51413
type: 85.28.94.84:51413
type: 77.75.10.50:51413
type: 176.52.22.34:51413
type: 76.91.210.182:51413
type: 118.39.33.106:7592
type: 130.62.1.147:41514
type: 35.173.196.4:49203
type: 130.239.18.158:8580
type: 178.162.173.91:28003
type: 178.162.174.227:28003
type: 178.162.173.209:28003
type: 178.162.174.178:28003
type: 178.162.173.105:28003
type: 130.239.18.158:8513
type: 69.50.95.40:10085
type: 142.202.48.88:12037
type: 185.149.91.185:51059
type: 178.162.174.221:28000
type: 213.227.152.133:28000
type: 178.162.174.141:28000
type: 185.203.56.12:64599
type: 45.136.230.98:51589
type: 101.12.176.90:56837
type: 23.162.56.83:14036
type: 95.168.162.161:42670
type: 178.162.173.231:28001
type: 178.162.173.14:28001
type: 130.239.18.158:8539
type: 142.215.164.99:6882
type: 142.215.167.173:6882
type: 67.163.57.37:6882
type: 188.165.201.82:6882
type: 78.194.51.76:7781
type: 211.105.44.80:7899
type: 89.253.120.202:53591
type: 185.162.184.11:63365
type: 188.165.242.169:52718
type: 185.203.56.51:12996
type: 178.162.173.6:28008
type: 83.149.98.184:28008
type: 5.135.178.12:53659
type: 46.232.211.193:58017
type: 31.10.158.193:54413
type: 152.53.22.181:32482
type: 178.162.174.43:28004
type: 178.162.173.76:28004
type: 130.239.18.158:8524
type: 185.149.91.51:20021
type: 213.227.151.209:18238
type: 93.2.146.193:6822
type: 78.163.140.108:50709
type: 186.226.139.41:46607
type: 94.190.164.57:56183
type: 212.7.200.93:23999
type: 62.210.73.202:50260
type: 95.174.109.44:49001
type: 95.52.178.139:49001
type: 95.47.118.71:49001
type: 163.172.96.194:49164
type: 46.232.210.200:23359
type: 46.132.80.91:7853
type: 144.76.175.153:32429
type: 176.119.71.121:32000
type: 89.64.80.32:6775
type: 174.91.240.161:56971
type: 80.122.204.142:21867
type: 210.183.223.177:32965
type: 78.172.162.63:50182
type: 78.178.137.87:42783
type: 212.36.2.163:41050
type: 87.120.2.28:27069
type: 185.255.236.5:42488
type: 188.165.246.140:53937
type: 5.2.78.242:61238
type: 46.232.210.104:64237
type: 45.87.251.149:28129
type: 212.7.200.22:60422
type: 188.255.144.14:34994
type: 47.157.45.18:51332
type: 101.10.49.182:18837
type: 24.236.221.214:15694
type: 92.203.29.97:10992
type: 82.43.233.243:18453
type: 218.152.4.34:7751
type: 186.22.16.4:38765
type: 188.165.198.24:54539
type: 170.150.93.15:18094
type: 90.125.98.98:25425
type: 156.204.123.72:14082
type: 119.200.194.142:7896
type: 148.75.176.138:12301
type: 182.227.108.195:41206
type: 72.192.213.113:54650
type: 125.229.106.76:124
type: 87.16.5.31:6888
type: 95.105.236.223:51412
type: 176.63.7.83:35307
type: 121.200.34.253:51426
type: 220.71.34.187:37453
type: 177.39.125.50:3981
type: 89.240.45.79:16160
type: 112.221.26.147:34972
type: 5.79.67.28:65131
type: 5.135.178.41:51941
type: 51.158.149.182:45600
type: 61.79.133.57:7897
type: 69.247.243.155:62837
type: 95.211.187.198:6886
type: 218.236.142.218:20018
type: 144.76.175.153:51871
type: 188.165.198.46:57615
type: 149.56.27.121:58813
type: 54.39.52.183:37249
type: 178.162.174.185:28011
type: 178.162.173.142:28011
type: 188.163.70.6:7171
type: 185.203.56.73:17490
type: 66.70.178.54:14701
type: 152.53.104.128:10240
type: 195.170.172.38:10240
type: 95.214.53.172:1688
type: 185.149.91.171:51004
type: 83.58.91.185:65500
type: 43.206.226.221:20965
type: 37.203.20.41:20762
type: 111.94.32.221:37812
type: 37.187.151.6:63238
type: 34.207.160.46:20874
type: 187.137.40.78:42354
type: 178.214.193.194:52513
type: 170.106.162.90:60020
type: 39.126.177.101:32951
type: 81.228.232.108:59980
type: 95.26.10.33:45246
type: 109.186.130.79:21726
type: 144.76.175.153:55295
type: 174.3.117.230:50082
type: 46.232.211.18:64112
type: 86.157.220.240:62653
type: 51.15.184.129:27717
type: 61.230.46.119:21240
type: 46.232.211.174:64217
type: 46.232.210.47:64065
type: 185.203.56.22:27090
type: 119.192.122.183:40834
type: 69.50.95.40:10003
type: 110.15.135.21:29083
type: 122.150.244.17:13388
type: 24.191.177.77:58734
type: 144.6.197.81:19999
type: 118.156.160.220:51638
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/8e10587f-2f35-4479-b8cb-d07be4741611
Behavior Graph:
Download SVG
%3 guuid=266e90fd-1800-0000-2bc8-d4309e070000 pid=1950 /usr/bin/sudo guuid=af97f100-1900-0000-2bc8-d4309f070000 pid=1951 /tmp/sample.bin guuid=266e90fd-1800-0000-2bc8-d4309e070000 pid=1950->guuid=af97f100-1900-0000-2bc8-d4309f070000 pid=1951 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/074c0b30-0b5e-4aa6-aa97-3d0625bfae53
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1720890
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1720890 Sample: arm926t.elf Startdate: 23/06/2025 Architecture: LINUX Score: 68 38 202.170.206.45, 39013, 6881 WHIPCORDCA India 2->38 40 185.203.56.7, 63571, 6881 WHATBOX-NL Netherlands 2->40 42 102 other IPs or domains 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Connects to many ports of the same IP (likely port scanning) 2->46 10 arm926t.elf configuration 2->10         started        signatures3 process4 process5 12 arm926t.elf sh 10->12         started        14 configuration 10->14         started        17 arm926t.elf sh 10->17         started        signatures6 19 sh crontab 12->19         started        23 sh 12->23         started        54 Opens /sys/class/net/* files useful for querying network interface information 14->54 56 Sample reads /proc/mounts (often used for finding a writable filesystem) 14->56 25 configuration 14->25         started        27 sh crontab 17->27         started        process7 file8 36 /var/spool/cron/crontabs/tmp.pIHtBF, ASCII 19->36 dropped 48 Sample tries to persist itself using cron 19->48 50 Executes the "crontab" command typically for achieving persistence 19->50 29 sh crontab 23->29         started        32 configuration 25->32         started        signatures9 process10 signatures11 52 Executes the "crontab" command typically for achieving persistence 29->52 34 configuration 32->34         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/ccbf66093dd3819d665c0e60628e54928c1c5ec557a87989b414cb5d296bf9ea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccbf66093dd3819d665c0e60628e54928c1c5ec557a87989b414cb5d296bf9ea/
Threat name:
Linux.Trojan.SAgnt
Create hunting rule
Status:
Malicious
First seen:
2025-06-23 12:00:57 UTC
File Type:
ELF32 Little (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zs7wmcj52oaz2zs4bzqgfdsuskgbyxwfk6uhtcnuctfv2kll7hva._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/250623-n6qtsszks2/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Renames itself
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3e7fe30a-8377-4443-8d50-660ab42d78a3
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccbf66093dd3819d665c0e60628e54928c1c5ec557a87989b414cb5d296bf9ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf ccbf66093dd3819d665c0e60628e54928c1c5ec557a87989b414cb5d296bf9ea

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558478/
  
Delivery method
Distributed via web download

Comments