MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df5b9f21a22876035afe961e25bc42e5c4bd23e06a42b9f7e7a958e40bb8fc83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	df5b9f21a22876035afe961e25bc42e5c4bd23e06a42b9f7e7a958e40bb8fc83
SHA3-384 hash:	dc890651a18beef8365e3d99a7fe770759141c5b752a7012a4a93b1f919dd554f4d09499eccecb3d78bb4786e847e051
SHA1 hash:	98832bdf20f42204a49be25211399902ec0c5364
MD5 hash:	c8f04f85fe87848a1eb30c39c1804fc7
humanhash:	sierra-batman-tennis-emma
File name:	aarch64
Download:	download sample
File size:	509'896 bytes
First seen:	2025-06-30 05:16:49 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	6144:O/izeB+/ow3gK2lc5bvyI0vOHD6BZkDgn358cIF3RI5HkdY1FP98/8ecjfP:3BohHKTyfvOHD6ByD4WcIMkuDmEesP
TLSH	T10CB41228EE4E38D1F3D1E3B8DA0A4BB1B05B79D0C166C1B2BA41E25D95EDDDEC5D0212
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.32057.LX.BOT.UNOFFICIAL

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Siggen.9163.11199.1030.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68621ded37c3436779478fa8linux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creates directories

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

base64 exploit gcc lolbin remote

Link:

https://www.filescan.io/uploads/68621de7d1f1eb5d81cb466a/reports/7d27638b-6310-48ba-a813-5c3146914ed1/overview

Verdict:

Malicious

Uses P2P?:

true

Uses anti-vm?:

false

Architecture:

arm

Packer:

custom

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

58613

Full report:

https://elfdigest.com/brief/df5b9f21a22876035afe961e25bc42e5c4bd23e06a42b9f7e7a958e40bb8fc83

Behaviour

no suspicious findings

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 93.176.180.96:6881
type: 151.248.149.51:6881
type: 178.69.209.93:6881
type: 79.111.0.219:6881
type: 193.77.182.235:6881
type: 82.65.203.207:6881
type: 24.179.221.26:6881
type: 92.242.16.180:6881
type: 174.81.146.25:6881
type: 86.90.43.113:6881
type: 126.217.228.187:6881
type: 178.151.69.33:6881
type: 77.37.244.37:6881
type: 63.142.123.85:6881
type: 54.194.124.68:6881
type: 46.149.227.20:6881
type: 91.21.100.232:6881
type: 107.181.234.235:6881
type: 54.214.62.31:6881
type: 18.190.61.127:6881
type: 35.155.156.153:6881
type: 121.218.128.183:6881
type: 88.165.5.75:6881
type: 167.99.72.189:6881
type: 142.171.125.191:6881
type: 54.194.137.170:6881
type: 95.84.245.12:6881
type: 212.237.200.77:6881
type: 46.165.138.113:6881
type: 58.178.40.1:6881
type: 90.114.235.4:6881
type: 82.65.128.158:6881
type: 54.70.174.84:6881
type: 35.167.186.212:6881
type: 18.188.31.0:6881
type: 195.154.233.74:6880
type: 3.17.7.18:6880
type: 130.239.18.158:8580
type: 130.239.18.158:8516
type: 178.162.173.91:28003
type: 178.162.173.105:28003
type: 130.239.18.158:8513
type: 178.162.174.43:28004
type: 178.162.173.138:28004
type: 217.121.231.94:59625
type: 178.162.174.88:28014
type: 178.162.173.48:28014
type: 95.246.21.24:51413
type: 37.187.78.72:51413
type: 188.90.169.20:51413
type: 163.172.68.38:51413
type: 85.28.110.233:51413
type: 116.255.43.64:51413
type: 73.242.71.164:51413
type: 84.15.198.101:51413
type: 178.162.173.111:28005
type: 178.162.173.221:28005
type: 130.239.18.158:8510
type: 65.21.34.43:50000
type: 135.181.238.57:50000
type: 95.216.13.180:50000
type: 162.55.82.15:50000
type: 178.162.144.51:21183
type: 51.75.163.151:8643
type: 112.161.52.153:40752
type: 178.162.173.231:28012
type: 178.162.174.120:28012
type: 178.162.173.169:28001
type: 178.162.173.101:28001
type: 222.118.65.13:7968
type: 45.87.251.6:28049
type: 221.150.169.153:7875
type: 41.135.89.237:16132
type: 216.121.219.185:38178
type: 51.210.179.31:49048
type: 72.21.17.91:65077
type: 74.15.112.85:30078
type: 185.145.245.116:8668
type: 178.246.31.86:55040
type: 96.18.115.222:50321
type: 218.148.205.36:33083
type: 195.154.185.217:26881
type: 152.53.228.76:26881
type: 178.121.124.133:30730
type: 178.162.174.68:28010
type: 159.223.200.138:31782
type: 45.87.251.132:28074
type: 133.123.29.238:25906
type: 46.232.211.148:17659
type: 211.51.79.248:32883
type: 45.201.148.70:6882
type: 174.27.156.67:6882
type: 94.23.215.83:6882
type: 188.165.201.82:6882
type: 169.212.176.98:40956
type: 178.162.174.110:28009
type: 58.160.93.208:40229
type: 123.243.35.138:49001
type: 5.252.101.228:12527
type: 122.27.112.26:23060
type: 88.88.145.151:17371
type: 198.101.60.95:28793
type: 218.155.108.20:33231
type: 62.194.41.163:50162
type: 37.123.171.156:25420
type: 221.148.28.59:18668
type: 5.79.73.211:6906
type: 120.29.106.195:29556
type: 201.77.175.63:63776
type: 178.162.174.220:28002
type: 38.25.98.158:61519
type: 5.39.85.86:58285
type: 121.165.107.244:40798
type: 195.154.172.179:26882
type: 76.18.8.218:56804
type: 5.135.156.163:56843
type: 195.154.185.217:25403
type: 5.79.77.47:60584
type: 73.65.168.115:34812
type: 185.74.159.146:58689
type: 71.1.224.104:41469
type: 220.119.89.227:55242
type: 213.161.14.134:40247
type: 67.20.1.158:24735
type: 175.192.26.207:33987
type: 189.232.90.85:37321
type: 45.91.209.121:63220
type: 195.154.172.179:25404
type: 83.0.33.8:44526
type: 93.185.156.50:14066
type: 220.254.1.161:13571
type: 95.211.231.236:28007
type: 106.240.102.244:7854
type: 176.10.137.22:11426
type: 185.203.56.72:65300
type: 115.138.192.212:60068
type: 176.63.6.153:62422
type: 181.90.115.8:58626
type: 189.151.59.141:43876
type: 121.168.61.130:7719
type: 5.246.190.43:31007
type: 112.82.166.64:6890
type: 175.156.151.236:6890
type: 13.114.205.93:6892
type: 170.62.30.154:24802
type: 78.165.35.20:20540
type: 54.39.52.64:23883
type: 46.120.121.127:20506
type: 181.28.129.4:19739
type: 181.44.129.4:47980
type: 187.138.7.211:42652
type: 118.41.206.231:57306
type: 111.118.109.39:32628
type: 45.9.221.16:35080
type: 94.65.221.9:51535
type: 115.69.176.236:49174
type: 37.187.151.6:32530
type: 189.181.50.0:39974
type: 208.87.240.21:11158
type: 206.123.150.176:6666
type: 66.70.178.54:43882
type: 169.224.9.195:2182
type: 54.39.52.64:40452
type: 152.53.52.107:10240
type: 146.59.3.81:10240
type: 95.214.53.172:1688
type: 222.157.77.35:21809
type: 185.162.184.38:49745
type: 83.83.64.109:10775
type: 185.203.56.27:4881
type: 178.162.173.111:28011
type: 5.79.73.138:28013
type: 45.137.83.185:50171
type: 76.150.49.91:55589
type: 5.39.85.155:55486
type: 161.35.205.245:30301
type: 121.155.52.224:33143
type: 218.156.28.122:7771
type: 1.47.8.203:27580
type: 181.94.228.190:55937

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/1d5f5eea-b11e-414d-a6d2-bc501ffad5bf

Behavior Graph:

Download SVG

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/21fce021-5f35-401d-b2eb-debf2204d7b3

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/df5b9f21a22876035afe961e25bc42e5c4bd23e06a42b9f7e7a958e40bb8fc83

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/df5b9f21a22876035afe961e25bc42e5c4bd23e06a42b9f7e7a958e40bb8fc83/

Threat name:

Linux.Trojan.SAgnt

Status:

Malicious

First seen:

2025-06-30 05:17:32 UTC

File Type:

ELF64 Little (Exe)

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=35nz6incfb3agwx6sypclpcc4xcl2i7anjblt57hvfmoic5y7sbq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/250630-fyyknshl6v/

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9cb8429c-7c93-49c1-9d1a-3abde0ba9913

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/df5b9f21a22876035afe961e25bc42e5c4bd23e06a42b9f7e7a958e40bb8fc83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf df5b9f21a22876035afe961e25bc42e5c4bd23e06a42b9f7e7a958e40bb8fc83

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3558161/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample