MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0a9a770d548db6b37688c29b6f904f0d0a6fee7cfb5deb7944fac12f8e72a5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	e0a9a770d548db6b37688c29b6f904f0d0a6fee7cfb5deb7944fac12f8e72a5d
SHA3-384 hash:	d7178cbe1e30086ec13032941a29d5a0a8ff8e529464521a560e700f1cce5096c96743fcccd6f5a113261309e4ea7c7c
SHA1 hash:	aeab199f8e3d90534e71f81ff613b4bf063de6d5
MD5 hash:	50624df39208b23149ab8b6752ad5fe2
humanhash:	princess-failed-london-august
File name:	mips
Download:	download sample
File size:	592'688 bytes
First seen:	2025-06-29 10:58:48 UTC
Last seen:	2025-06-30 05:35:13 UTC
File type:	elf
MIME type:	application/x-executable
ssdeep	12288:M57U0INmdtgOcyJXDOMzf03gdvZ/yCnEI7zW:W7v+mrY2xzf03yvZ/YI2
TLSH	T1B7C4F1A377204F91C35195B209F389335AF6199706F39982537DEE107F20A68386BFE9
telfhash	t10ab0011070740bb84308e12d5cdcae5679f20cc3fe470c27db6047a159b54434d00d18
Magika	elf
Reporter	abuse_ch
Tags:	elf

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.32057.LX.BOT.UNOFFICIAL

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Siggen.9084.6940.3992.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68611c9837c34367794726aflinux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Runs as daemon

Creates directories

Creating a process from a recently created file

Creating a file

Connection attempt

Locks files

Opens a port

Changes access rights for a written file

Receives data from a server

Sends data to a server

DNS request

Changes the time when the file was created, accessed, or modified

Creates or modifies files in /cron to set up autorun

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

exploit gcc lolbin remote

Link:

https://www.filescan.io/uploads/68611c85d1f1eb5d81ca758c/reports/a97197e5-89e8-48cf-8922-41abaf0c5db9/overview

Verdict:

Malicious

Uses P2P?:

true

Uses anti-vm?:

true

Architecture:

mips

Packer:

custom

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/e0a9a770d548db6b37688c29b6f904f0d0a6fee7cfb5deb7944fac12f8e72a5d

Behaviour

Anti-VM

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 178.69.209.93:6881
type: 5.79.98.134:6881
type: 202.94.60.80:6881
type: 81.21.147.77:6881
type: 193.107.127.210:6881
type: 94.180.188.189:6881
type: 193.178.60.41:6881
type: 51.15.11.6:6881
type: 63.247.211.162:6881
type: 79.34.233.233:6881
type: 79.148.92.59:6881
type: 185.184.192.202:6881
type: 81.10.202.99:6881
type: 99.7.57.53:6881
type: 95.55.162.99:6881
type: 188.233.6.77:6881
type: 60.250.37.49:6881
type: 92.137.181.134:6881
type: 156.67.180.40:6881
type: 77.95.94.199:6881
type: 176.179.125.233:6881
type: 178.47.103.14:6881
type: 5.77.20.194:6881
type: 217.9.209.28:6881
type: 112.104.29.113:6881
type: 142.171.125.191:6881
type: 18.188.31.0:6881
type: 147.45.45.178:6881
type: 213.140.218.85:6881
type: 38.25.183.44:6881
type: 185.39.50.206:6881
type: 178.162.174.222:28014
type: 178.162.174.77:28014
type: 52.21.231.83:6880
type: 45.203.206.46:6880
type: 195.154.233.74:6880
type: 44.210.22.159:6880
type: 45.203.155.73:6880
type: 192.210.231.24:6880
type: 135.181.227.244:50000
type: 135.181.238.57:50000
type: 135.181.238.123:50000
type: 65.108.194.186:50000
type: 37.27.104.57:50000
type: 65.21.125.160:50000
type: 65.21.125.172:50000
type: 65.21.125.161:50000
type: 65.21.128.209:50000
type: 135.181.223.86:50000
type: 65.21.129.45:50000
type: 65.21.129.62:50000
type: 37.27.117.62:50000
type: 37.27.107.120:50000
type: 65.21.128.220:50000
type: 65.21.125.189:50000
type: 130.239.18.158:8515
type: 130.239.18.158:8524
type: 178.162.174.43:28004
type: 178.162.174.228:28004
type: 31.210.173.50:27520
type: 46.232.210.157:64170
type: 82.172.167.161:6889
type: 221.229.52.112:6889
type: 125.30.87.236:6889
type: 84.168.123.192:6889
type: 188.155.126.146:6889
type: 61.244.234.210:6889
type: 45.66.204.62:6889
type: 180.0.206.148:6889
type: 178.162.174.169:28003
type: 178.162.173.91:28003
type: 185.149.91.45:51612
type: 185.21.217.5:14567
type: 181.197.31.14:11186
type: 5.135.165.33:6331
type: 130.239.18.158:8516
type: 178.162.174.228:28007
type: 178.162.173.12:28007
type: 178.162.173.89:28007
type: 37.48.71.178:28007
type: 130.239.18.158:8513
type: 42.200.253.141:7459
type: 37.48.89.181:48531
type: 185.57.5.216:55086
type: 178.162.174.222:28011
type: 89.149.200.92:28027
type: 46.232.211.220:29709
type: 92.119.178.3:37160
type: 106.165.62.6:8500
type: 51.83.75.174:49662
type: 85.94.160.51:9089
type: 45.91.211.131:54058
type: 112.157.166.208:17777
type: 51.195.150.96:51463
type: 45.87.251.11:28005
type: 178.162.174.153:28005
type: 178.162.174.178:28005
type: 83.149.84.32:28046
type: 185.111.172.20:4655
type: 5.39.85.86:59525
type: 82.42.81.120:51413
type: 193.105.124.4:51413
type: 67.244.11.221:51413
type: 163.172.64.67:51413
type: 77.129.46.162:51413
type: 95.174.108.18:51413
type: 114.241.23.18:51413
type: 137.74.95.13:49999
type: 167.172.248.254:8081
type: 64.147.87.217:56139
type: 98.243.124.22:11533
type: 178.162.173.154:28010
type: 178.162.148.93:55100
type: 185.132.179.66:6883
type: 81.171.22.205:28002
type: 5.79.69.185:28002
type: 146.0.36.45:8999
type: 51.155.214.6:14663
type: 185.183.34.96:6887
type: 70.79.179.81:6887
type: 46.232.211.224:64228
type: 45.91.208.243:51936
type: 178.162.173.141:28000
type: 178.162.174.234:28000
type: 178.162.173.75:28000
type: 185.107.71.103:44737
type: 195.154.171.138:30519
type: 95.211.247.101:28013
type: 213.227.151.25:28013
type: 212.7.200.93:23999
type: 88.198.230.221:49668
type: 185.21.216.185:60731
type: 213.91.250.121:18457
type: 89.149.202.17:28018
type: 185.132.178.224:6886
type: 23.158.56.120:16033
type: 116.203.122.81:57009
type: 204.106.239.226:34305
type: 59.182.90.214:5353
type: 89.149.202.17:28052
type: 58.182.31.30:8239
type: 72.21.17.34:23391
type: 178.162.174.242:28009
type: 192.30.89.67:54961
type: 5.9.41.13:53504
type: 83.254.226.199:8083
type: 47.239.158.59:30301
type: 79.106.231.163:1434
type: 113.155.52.70:15098
type: 61.68.251.63:18408
type: 133.114.9.252:18162
type: 45.128.27.86:52278
type: 175.182.22.69:15674
type: 185.157.244.162:50753
type: 49.215.241.91:25689
type: 185.21.216.133:56748
type: 46.232.210.71:64060
type: 73.19.77.194:20171
type: 66.56.80.174:43772
type: 149.56.201.146:51864
type: 195.154.167.135:8655
type: 60.42.150.236:19811
type: 95.211.210.167:58134
type: 185.159.157.139:36869
type: 93.103.137.82:52937
type: 130.208.131.47:11323
type: 89.149.225.148:64864
type: 88.97.211.4:15879
type: 91.176.23.17:36771
type: 177.236.2.255:45916
type: 118.34.27.4:48616
type: 212.92.104.202:64132
type: 195.154.172.179:22580
type: 176.119.83.97:17855
type: 132.184.55.93:59760
type: 84.54.86.199:59905
type: 154.118.195.238:27855
type: 37.27.113.233:26866
type: 45.88.200.214:34256
type: 37.228.203.214:7533
type: 195.154.185.217:22325
type: 205.250.15.142:14279
type: 144.76.175.153:42547
type: 175.158.142.1:6890
type: 177.44.218.85:41821
type: 5.79.77.183:56908
type: 5.79.85.89:64158
type: 177.39.229.56:38761
type: 178.162.174.156:28008
type: 178.162.174.232:28008
type: 178.162.174.47:28006
type: 81.171.20.66:64010
type: 165.169.15.147:28271
type: 54.39.52.64:25568
type: 85.251.61.85:50117
type: 54.194.135.233:6992
type: 152.53.105.61:10240
type: 2.48.21.142:57281
type: 103.184.124.252:50166
type: 181.203.8.203:41026
type: 199.247.13.122:37924
type: 95.214.53.172:1688
type: 176.31.183.98:53946
type: 54.194.137.170:6882
type: 46.232.210.83:58108
type: 5.79.93.231:51404
type: 178.162.144.51:30185
type: 185.203.56.39:10520
type: 130.239.18.158:8526
type: 185.195.236.20:44763
type: 191.95.16.125:54033
type: 175.196.175.221:36769
type: 129.146.126.87:50024
type: 179.61.197.45:20404
type: 31.10.150.222:27636
type: 91.126.52.104:58526
type: 179.125.63.68:47237
type: 187.65.20.146:51684
type: 185.21.216.145:53647
type: 143.58.200.236:16897
type: 188.165.198.24:53956
type: 212.7.204.118:57645

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/5932eeea-dbb0-4ccb-a848-c8e84eb3e8cd

Behavior Graph:

Download SVG

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/02df9480-2221-4230-bfcb-89e193b553d6

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/e0a9a770d548db6b37688c29b6f904f0d0a6fee7cfb5deb7944fac12f8e72a5d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e0a9a770d548db6b37688c29b6f904f0d0a6fee7cfb5deb7944fac12f8e72a5d/

Threat name:

Linux.Trojan.Multiverze

Status:

Malicious

First seen:

2025-06-29 10:59:28 UTC

File Type:

ELF32 Big (Exe)

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4cu2o4gvjdnwwn3irqu3n6ie6dikn7xhz6255n4uj6wbf6hhfjoq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery execution persistence privilege_escalation

Link:

https://tria.ge/reports/250629-m3kmyatnz3/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Enumerates kernel/hardware configuration

Checks CPU configuration

Reads CPU attributes

Checks hardware identifiers (DMI)

Creates/modifies Cron job

Enumerates running processes

Reads MAC address of network interface

Reads hardware information

Renames itself

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/65fdae90-5c34-4c0c-96d4-21c6991d8910

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e0a9a770d548db6b37688c29b6f904f0d0a6fee7cfb5deb7944fac12f8e72a5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	enterpriseapps2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise apps

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf e0a9a770d548db6b37688c29b6f904f0d0a6fee7cfb5deb7944fac12f8e72a5d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3558223/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample