MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cebf0999f5a5e6f5e975b99966ebc666d28a98b2c1192e6b7673935bb62344cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cebf0999f5a5e6f5e975b99966ebc666d28a98b2c1192e6b7673935bb62344cf
SHA3-384 hash: e7c64ade43b396f242fafc835ef87b4312462c8a3d625d4d4075e3b5d1eb014ee06f1575e80587b706a324acb376e65a
SHA1 hash: 7dbeb8ca5fba798c6ccceb52a8aa42ec321dae90
MD5 hash: 4bd9a86130bcfdf486a58d22b2d51976
humanhash: ohio-monkey-violet-stairway
File name:aarch64
Download: download sample
File size:509'896 bytes
First seen:2025-06-19 05:11:46 UTC
Last seen:2025-06-19 06:12:29 UTC
File type: elf
MIME type:application/x-executable
ssdeep 6144:O/izeB+/ow3gK2lc5bvyI0vOHD6BZkDgn358cIF3RI5HkdY1FP98/8ecjfP:3BohHKTyfvOHD6ByD4WcIMkuDmEesP
TLSH T187B41228EE4E3891F3D1E378DA0A4BB1B05B79D0C166C1B2BA41E25D95EDEDEC5D0212
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.32057.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Siggen.9163.23075.6876.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6853e1ace04cd8dcf13b1be6linux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
base64 exploit gcc lolbin remote
Link:
https://www.filescan.io/uploads/68539c40cf2af1571111cbb5/reports/1cf9e3b8-cc56-400a-963f-f3f2017f29dc/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
false
Architecture:
arm
Packer:
custom
Botnet:
unknown
Number of open files:
0
Number of processes launched:
0
Processes remaning?
false
Remote TCP ports scanned:
55193
Full report:
https://elfdigest.com/brief/cebf0999f5a5e6f5e975b99966ebc666d28a98b2c1192e6b7673935bb62344cf
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.1:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 178.69.209.93:6881
type: 46.72.201.135:6881
type: 31.37.107.255:6881
type: 143.131.221.9:6881
type: 46.117.89.86:6881
type: 76.176.73.29:6881
type: 94.209.89.221:6881
type: 1.123.214.178:6881
type: 193.84.180.81:6881
type: 109.187.133.3:6881
type: 81.99.46.185:6881
type: 18.191.2.28:6881
type: 23.95.192.22:6881
type: 18.223.137.220:6881
type: 153.120.83.55:6881
type: 23.95.32.170:6881
type: 54.194.124.68:6881
type: 5.15.22.63:6881
type: 86.63.33.126:6881
type: 52.9.197.152:6881
type: 188.124.126.47:6881
type: 94.195.78.110:6881
type: 82.66.95.43:6881
type: 35.163.251.58:6881
type: 81.56.56.120:6881
type: 176.110.250.22:6881
type: 193.29.63.22:6881
type: 112.141.28.105:6881
type: 212.3.136.94:6881
type: 5.228.43.177:6881
type: 95.67.42.35:6881
type: 130.239.18.158:8580
type: 195.154.233.74:6880
type: 178.162.173.91:28003
type: 178.162.173.105:28003
type: 178.162.173.41:28003
type: 130.239.18.158:8513
type: 130.239.18.158:8597
type: 92.237.99.171:8597
type: 130.239.18.158:8516
type: 178.162.174.170:28001
type: 5.79.73.138:28001
type: 178.162.173.169:28001
type: 85.17.28.206:28001
type: 178.162.173.110:28001
type: 178.162.174.168:28012
type: 178.162.173.9:28012
type: 45.87.250.224:50171
type: 45.154.86.179:50171
type: 213.227.152.142:28002
type: 178.162.174.163:28002
type: 178.162.174.136:28000
type: 178.162.173.56:28000
type: 77.37.132.206:5222
type: 178.162.174.65:28014
type: 178.162.174.222:28014
type: 222.0.129.136:51413
type: 198.244.201.14:51413
type: 37.187.126.47:51413
type: 47.240.77.76:51413
type: 217.182.78.204:51413
type: 223.199.178.162:51413
type: 97.113.206.4:51413
type: 85.10.109.182:51413
type: 114.228.65.112:51413
type: 212.15.59.40:51413
type: 51.68.181.39:51413
type: 130.239.18.158:8524
type: 46.48.23.245:55970
type: 85.172.39.239:59331
type: 181.197.31.14:11186
type: 119.237.208.119:25105
type: 186.233.119.248:44587
type: 178.162.173.218:28005
type: 91.199.227.99:21531
type: 137.184.226.118:56333
type: 39.109.241.180:5005
type: 185.132.179.61:6890
type: 51.159.104.68:8725
type: 178.162.174.7:28009
type: 2.135.66.97:3772
type: 185.145.245.151:8670
type: 178.162.173.57:28010
type: 178.162.174.10:28010
type: 169.150.223.247:40832
type: 151.237.60.29:10340
type: 217.66.103.22:39124
type: 195.154.172.179:27144
type: 2.222.157.189:4391
type: 176.63.18.227:40665
type: 148.153.10.66:60020
type: 120.92.106.8:60020
type: 185.145.245.127:8663
type: 72.21.17.37:12849
type: 88.99.163.99:50336
type: 185.149.91.43:51035
type: 37.14.155.21:22393
type: 93.219.137.168:53412
type: 99.74.31.2:34622
type: 95.211.247.101:28011
type: 178.162.174.185:28011
type: 177.37.236.244:37174
type: 115.91.158.98:7786
type: 81.104.4.161:14339
type: 68.47.148.76:3080
type: 142.180.191.193:42186
type: 94.41.222.152:39922
type: 185.132.178.224:6886
type: 81.235.174.44:38479
type: 185.183.32.162:6885
type: 212.7.211.46:28128
type: 169.150.223.227:64193
type: 185.203.56.28:15644
type: 149.75.32.133:47413
type: 46.232.211.80:64110
type: 185.203.56.8:64634
type: 59.1.164.98:7850
type: 186.22.16.153:44280
type: 81.235.143.70:12525
type: 188.165.243.15:58552
type: 181.12.223.240:39258
type: 95.211.19.97:45868
type: 46.232.211.62:64015
type: 204.8.98.15:49601
type: 188.163.95.129:22915
type: 24.235.231.173:65009
type: 178.34.137.43:35459
type: 106.251.58.47:8136
type: 212.92.251.189:18340
type: 185.149.91.163:51003
type: 92.105.58.25:6889
type: 62.195.1.208:6889
type: 82.11.103.208:6889
type: 94.158.59.139:22628
type: 14.35.87.87:33305
type: 50.53.1.103:63047
type: 175.212.237.200:32946
type: 217.25.82.87:5593
type: 65.30.0.201:18076
type: 189.224.101.149:51843
type: 46.189.182.205:44965
type: 221.133.121.129:6699
type: 91.227.189.181:3659
type: 88.231.153.47:53123
type: 90.189.112.232:28470
type: 89.149.202.13:28035
type: 54.194.135.233:6992
type: 206.0.253.225:37674
type: 170.233.105.90:14803
type: 187.223.146.165:41616
type: 194.29.101.83:10240
type: 152.53.105.61:10240
type: 195.170.172.38:10240
type: 152.53.45.107:7136
type: 45.47.22.135:40404
type: 188.165.197.21:51000
type: 152.53.45.107:6989
type: 176.31.183.98:60634
type: 116.202.83.115:56881
type: 130.255.33.126:36043
type: 177.192.4.203:13184
type: 54.39.52.64:25568
type: 208.87.240.21:11158
type: 47.89.251.173:7776
type: 103.181.40.110:4899
type: 157.90.221.189:49514
type: 213.86.232.178:65111
type: 185.203.56.12:18410
type: 149.40.59.137:64086
type: 192.99.8.94:8164
type: 46.152.236.179:35231
type: 211.197.241.244:8730
type: 148.113.162.131:52882
type: 222.96.13.206:32898
type: 144.76.175.153:39956
type: 178.166.141.102:34191
type: 186.22.13.102:32368
type: 94.41.126.65:27800
type: 46.146.212.212:21948
type: 119.40.104.32:21735
type: 185.149.91.21:51118
type: 185.203.56.5:18719
type: 178.162.173.6:28004
type: 112.118.176.238:8849
type: 70.31.124.129:43426
type: 76.125.140.236:51366
type: 95.220.73.245:39142
type: 95.139.233.44:52323
type: 5.228.112.166:11055
type: 24.101.51.254:32501
type: 185.162.184.3:54594
type: 130.255.52.143:2079
type: 94.141.125.250:1609
type: 146.120.149.193:1270
type: 46.0.220.49:21673
type: 101.191.64.90:51977
type: 188.165.246.171:56971
type: 188.32.144.203:7870
type: 45.87.251.132:28059
type: 125.140.170.53:40969
type: 176.10.0.220:21139
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/b090c457-7b7c-409b-b8bc-61736b498921
Behavior Graph:
Download SVG
%3 guuid=f14ac7c0-1800-0000-5104-b614350b0000 pid=2869 /usr/bin/sudo guuid=fb4e68c2-1800-0000-5104-b6143c0b0000 pid=2876 /tmp/sample.bin guuid=f14ac7c0-1800-0000-5104-b614350b0000 pid=2869->guuid=fb4e68c2-1800-0000-5104-b6143c0b0000 pid=2876 execve guuid=de3d8cc3-1800-0000-5104-b614420b0000 pid=2882 /usr/bin/dash guuid=fb4e68c2-1800-0000-5104-b6143c0b0000 pid=2876->guuid=de3d8cc3-1800-0000-5104-b614420b0000 pid=2882 clone guuid=63bfc6c3-1800-0000-5104-b614440b0000 pid=2884 /usr/bin/dash guuid=fb4e68c2-1800-0000-5104-b6143c0b0000 pid=2876->guuid=63bfc6c3-1800-0000-5104-b614440b0000 pid=2884 clone guuid=2a10e7c3-1800-0000-5104-b614450b0000 pid=2885 /usr/bin/dash guuid=fb4e68c2-1800-0000-5104-b6143c0b0000 pid=2876->guuid=2a10e7c3-1800-0000-5104-b614450b0000 pid=2885 clone guuid=c95ef1c3-1800-0000-5104-b614460b0000 pid=2886 /usr/bin/dash guuid=fb4e68c2-1800-0000-5104-b6143c0b0000 pid=2876->guuid=c95ef1c3-1800-0000-5104-b614460b0000 pid=2886 clone
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c5b37ef5-1416-4d4b-8387-1bf3aa24fffc
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1718175
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample scans a subnet
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1718175 Sample: aarch64.elf Startdate: 19/06/2025 Architecture: LINUX Score: 64 38 31.200.249.146, 31768, 47916 NETRACK-ASRU Russian Federation 2->38 40 178.162.173.111, 28005, 6881 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 2->40 42 102 other IPs or domains 2->42 44 Connects to many ports of the same IP (likely port scanning) 2->44 46 Sample scans a subnet 2->46 10 aarch64.elf 2->10         started        signatures3 process4 process5 12 aarch64.elf sh 10->12         started        14 aarch64.elf 10->14         started        17 aarch64.elf sh 10->17         started        signatures6 19 sh crontab 12->19         started        23 sh 12->23         started        54 Opens /sys/class/net/* files useful for querying network interface information 14->54 56 Sample reads /proc/mounts (often used for finding a writable filesystem) 14->56 25 aarch64.elf 14->25         started        27 sh crontab 17->27         started        process7 file8 36 /var/spool/cron/crontabs/tmp.0tyLXI, ASCII 19->36 dropped 48 Sample tries to persist itself using cron 19->48 50 Executes the "crontab" command typically for achieving persistence 19->50 29 sh crontab 23->29         started        32 aarch64.elf 25->32         started        signatures9 process10 signatures11 52 Executes the "crontab" command typically for achieving persistence 29->52 34 aarch64.elf 32->34         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/cebf0999f5a5e6f5e975b99966ebc666d28a98b2c1192e6b7673935bb62344cf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cebf0999f5a5e6f5e975b99966ebc666d28a98b2c1192e6b7673935bb62344cf/
Threat name:
Linux.Trojan.SAgnt
Create hunting rule
Status:
Malicious
First seen:
2025-06-19 16:26:49 UTC
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z27qtgpvuxtpl2lvxgmwn26gm3jivgfsyems423woojvxnrdithq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/250619-fv4bra1ly2/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fdbbd0c5-3516-4699-9e60-5056190b2dd3
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cebf0999f5a5e6f5e975b99966ebc666d28a98b2c1192e6b7673935bb62344cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf cebf0999f5a5e6f5e975b99966ebc666d28a98b2c1192e6b7673935bb62344cf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558161/
  
Delivery method
Distributed via web download

Comments