MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e45ccf8161e9bd6a3cd50caefa1c86a4edeb772264d1977c26d828edba2df022. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e45ccf8161e9bd6a3cd50caefa1c86a4edeb772264d1977c26d828edba2df022
SHA3-384 hash: fe474db4de1db57697de9a0af0c5550159cdbe924971d6fc754e81742a8d21e081567f080cb82dbb8de37df900d31f7e
SHA1 hash: d12bd731398615831308e78d3a155c8b520b2179
MD5 hash: 03736ec98bda591eb69bebe798db1b1b
humanhash: oven-mobile-august-low
File name:n2
Download: download sample
File size:111'851 bytes
First seen:2025-12-16 07:10:43 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:1mkqotbjB6rhvaJXM8EOv7E//x7xA+dkYgboo5jr+6KZ9GsPgAUA1q:1UotnB6daJcqO/XdHuoo9Uq
TLSH T114B3D81E2A619BFDF15D823487B3CB7556D4229127E4C389E29CDA082E343CD6C4F7A9
telfhash t1873133125b684e097fe289ac8b8d72f0655466276b1c0d729f34ce8c74211d1fb3bc07
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Kills processes
Receives data from a server
Sends data to a server
Collects information on the network activity
Connection attempt
Substitutes an application name
Deleting of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/69410612e8abb702f8042ecd/reports/a06e03b4-57d9-4fce-828f-b272e97e1314/overview
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2025-12-16T05:24:00Z UTC
Last seen:
2025-12-16T06:23:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/e45ccf8161e9bd6a3cd50caefa1c86a4edeb772264d1977c26d828edba2df022/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/db1d8332-2366-4bde-858b-7cfb252ff61f
Behavior Graph:
Download SVG
%3 guuid=97289205-1900-0000-ea02-fac4ee130000 pid=5102 /usr/bin/sudo guuid=c5872007-1900-0000-ea02-fac4f5130000 pid=5109 /tmp/sample.bin guuid=97289205-1900-0000-ea02-fac4ee130000 pid=5102->guuid=c5872007-1900-0000-ea02-fac4f5130000 pid=5109 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/74cf285f-5702-4739-9dc7-46941553f4ee
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1833698
Signature
Connects to many ports of the same IP (likely port scanning)
Contains symbols with names commonly found in malware
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1833698 Sample: n2.elf Startdate: 16/12/2025 Architecture: LINUX Score: 52 31 157.182.44.130 WVUUS United States 2->31 33 66.202.82.4 WINDSTREAMUS United States 2->33 35 98 other IPs or domains 2->35 37 Connects to many ports of the same IP (likely port scanning) 2->37 39 Contains symbols with names commonly found in malware 2->39 9 n2.elf 2->9         started        12 xfce4-panel wrapper-2.0 2->12         started        14 xfce4-panel wrapper-2.0 2->14         started        16 5 other processes 2->16 signatures3 process4 signatures5 43 Sample tries to kill multiple processes (SIGKILL) 9->43 18 n2.elf 9->18         started        20 wrapper-2.0 xfpm-power-backlight-helper 12->20         started        process6 process7 22 n2.elf 18->22         started        signatures8 41 Sample tries to kill multiple processes (SIGKILL) 22->41 25 n2.elf 22->25         started        27 n2.elf 22->27         started        29 n2.elf 22->29         started        process9
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/e45ccf8161e9bd6a3cd50caefa1c86a4edeb772264d1977c26d828edba2df022
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e45ccf8161e9bd6a3cd50caefa1c86a4edeb772264d1977c26d828edba2df022/
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-12-16 07:11:14 UTC
File Type:
ELF32 Big (Exe)
AV detection:
6 of 23 (26.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rom7alb5g6wupgvbsxpuhegutw6w5zcmtizo7bg3auo3orn6ara._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery
Link:
https://tria.ge/reports/251216-hz2d3awjas/
Behaviour
Reads runtime system information
Changes its process name
Enumerates running processes
Creates a large amount of network flows
Contacts a large (37441) amount of remote hosts
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/877c6d7f-7c71-46db-91a3-342ed3f1791e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e45ccf8161e9bd6a3cd50caefa1c86a4edeb772264d1977c26d828edba2df022

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf e45ccf8161e9bd6a3cd50caefa1c86a4edeb772264d1977c26d828edba2df022

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3729283/
  
Delivery method
Distributed via web download

Comments