MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ngioweb


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b
SHA3-384 hash: 46f9989f9806f8cae80776aa25cd25ef1d2af97f619199613d9b7ced787cadf48648163aa40bc4b6e1a4ff25b9bacb82
SHA1 hash: 85e5a2ebe6e7e93eefca0594f703f79f8abf622d
MD5 hash: e11a30fbc51aa29573f1bf62762beb1f
humanhash: oklahoma-glucose-undress-oranges
File name:frost.armv7
Download: download sample
Signature Ngioweb
Create hunting rule
File size:79'104 bytes
First seen:2025-11-08 02:38:17 UTC
Last seen:2025-11-08 04:19:12 UTC
File type: elf
MIME type:application/x-sharedlib
ssdeep 1536:x86RsUMiveqQHP2htLDTggI3OMEbwtrvLrxQJaNJSFOg9MB1Ir:x8bZi3Q8tTMEUNLwjPp
TLSH T171730A55F880CB61C6D526BAFA5D428C73230B78D3DE72059D24AB353BF7A560F36902
Magika elf
Reporter abuse_ch
Tags:elf Ngioweb

Intelligence

File Origin
# of uploads :
3
# of downloads :
46
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.63624453.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Runs as daemon
Receives data from a server
Sends data to a server
DNS request
Connection attempt
Substitutes an application name
Deleting of the original file
Gathering data
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
arm
Packer:
UPX
Botnet:
unknown
Number of open files:
0
Number of processes launched:
2
Processes remaning?
true
Remote TCP ports scanned:
80
Full report:
https://elfdigest.com/brief/d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Clean
File Type:
elf.32.le
First seen:
2025-11-08T00:01:00Z UTC
Last seen:
2025-11-08T13:07:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/f5149e01-0cce-49eb-8a96-47511ebd1343
Behavior Graph:
Download SVG
%3 guuid=4e37df6a-1a00-0000-32ba-17b9f8080000 pid=2296 /usr/bin/sudo guuid=0cf7be6d-1a00-0000-32ba-17b9fd080000 pid=2301 /tmp/sample.bin guuid=4e37df6a-1a00-0000-32ba-17b9f8080000 pid=2296->guuid=0cf7be6d-1a00-0000-32ba-17b9fd080000 pid=2301 execve
Malware family:
Ngioweb
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e39b18d2-0f09-4199-842e-d26271c61a10
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1810322
Signature
Performs DNS queries to domains with low reputation
Sample deletes itself
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-11-08 02:39:26 UTC
File Type:
ELF32 Little (SO)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2dfgfzuoennmvfmohb3247wvaxcwm4qhzfotjed3zadol75awinq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/251108-c5frnaskgn/
Behaviour
Changes its process name
Deletes itself
Modifies Watchdog functionality
Contacts a large (786) amount of remote hosts
Verdict:
Unknown
Tags:
botnet persirai trojan
YARA:
Persirai elf_persirai_w0
Link:
https://app.threat.zone/submission/3f760447-f34e-4a93-8c1e-bb6ec578042e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:elf_arm_mips_ko_so
Create hunting rule
Rule name:elf_persirai_w0
Create hunting rule
Author:Tim Yeh
Description:Detects Persirai Botnet Malware
Reference:Internal Research
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Ngioweb

sh 4a96f132025ca1ec8c7efa747c130bffb7e39fb1992e8d08db20926e9f494dbe

Ngioweb

elf d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3699272/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 4a96f132025ca1ec8c7efa747c130bffb7e39fb1992e8d08db20926e9f494dbe
  
Dropped by
MD5 08f6ef6eca372c7a95dcb3e52896bd6f
  
Dropped by
SHA256 d38c1a2f7cff1e5188eb3cf98f0e515a82fd368d77229bec1c1d41c899ed2b62
  
Dropped by
MD5 ef0db40d9e29034759d5000bcc418c08
  
Dropped by
SHA256 119031d11c894b585fd88084898929a892beb5b9df57e56b779d8aaa3dae9ba6
  
Dropped by
MD5 4a2d05f9e4bb2ac0c77cd1d7c276436f
  
URLhaus
https://urlhaus.abuse.ch/url/3699267/
  
URLhaus
https://urlhaus.abuse.ch/url/3699266/
  
URLhaus
https://urlhaus.abuse.ch/url/3699276/
  
Dropped by
SHA256 a8e87888e8e4cea9a8afacad551c18d2b1ccf0fd763a5f2d3000b5fa8869514d
  
Dropped by
MD5 3fef122a4e7c08c8663902126edf7a37
  
URLhaus
https://urlhaus.abuse.ch/url/3699269/
  
URLhaus
https://urlhaus.abuse.ch/url/3700345/
  
URLhaus
https://urlhaus.abuse.ch/url/3700354/
  
Dropped by
SHA256 7b43d80550bca89fecb7ae2fb40c74fa308216400491e0ad84dcacc2b2e166b2
  
Dropped by
MD5 b61782a2897dba6c81602acd3dde8190
  
Dropped by
SHA256 a9e190994f75b7b2aea999b99674b344b064f4c87279729e76d3dbdd4d322e60
  
Dropped by
MD5 504d3683310be2370696c41255134948
  
Dropped by
SHA256 f423bf3c71770f069ab5d6bd0109c000c0f97234ee6a8d543d769d195e18ddaf
  
Dropped by
MD5 634668be5c5bcc2f1488e2c2d08edf31
  
Dropped by
SHA256 925d5525563d3438245bfc9bd409a5b126b96cf449f7d540bffe284f56d5745d
  
Dropped by
MD5 fb151744ccc778f6ca910d0b586bc687
  
URLhaus
https://urlhaus.abuse.ch/url/3700352/
  
URLhaus
https://urlhaus.abuse.ch/url/3699275/
  
URLhaus
https://urlhaus.abuse.ch/url/3700700/
  
Dropped by
SHA256 e1c3f7b42e3266079e0800de42709d05cd0a509fe179ab6b078a6bb4a19a2407
  
Dropped by
MD5 59062b7ab0a869aeae0b6e0f1da96145
  
Dropped by
SHA256 b83ec68f00187d77fa8bf6d792954470116c098847afd77025f4d1b0eb765125
  
Dropped by
MD5 eb686f37e40a329e6dc441a3868f0b9b
  
Dropped by
SHA256 e513b052f35bbac9e2678b3197867ee47ec0354c58af44d6c1574633f96de934
  
Dropped by
MD5 f65141a8bb9c8cd5018d3a116fe83cff
  
URLhaus
https://urlhaus.abuse.ch/url/3700353/
  
URLhaus
https://urlhaus.abuse.ch/url/3700360/

Comments