MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8b803dfe5267de8754e789acafb5f61c7bdbac05cf44ea397acbe1ae3325245. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8b803dfe5267de8754e789acafb5f61c7bdbac05cf44ea397acbe1ae3325245
SHA3-384 hash: 0db1be2c26520b7802cc8437ec545cc2aa0351fdc9e8513bfe2f3072334565f3e0ea8baf1f5e4b24cdd2d2cea369ee38
SHA1 hash: 4f8e6d91f0710378c66a798347423f0547e18144
MD5 hash: 2b7361338f380ac5e808cd38b49400ae
humanhash: ten-summer-finch-happy
File name:aarch64
Download: download sample
File size:509'896 bytes
First seen:2025-06-27 05:01:43 UTC
Last seen:2025-06-27 07:21:25 UTC
File type: elf
MIME type:application/x-executable
ssdeep 6144:O/izeB+/ow3gK2lc5bvyI0vOHD6BZkDgn358cIF3RI5HkdY1FP98/8ecjfP:3BohHKTyfvOHD6ByD4WcIMkuDmEesP
TLSH T141B41228EE4E38C1F3D1E3B8DA0A4BB1B05B79D0D166C1B2BA41E25D95EDDDEC5D0212
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.32057.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685e269ae7ab83bcc170d6fa
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
base64 exploit gcc lolbin remote
Link:
https://www.filescan.io/uploads/685e25ddd1f1eb5d81c80492/reports/540328f3-1d2d-458f-a54a-0327f1036645/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
false
Architecture:
arm
Packer:
custom
Botnet:
unknown
Number of open files:
0
Number of processes launched:
0
Processes remaning?
false
Remote TCP ports scanned:
35776
Full report:
https://elfdigest.com/brief/e8b803dfe5267de8754e789acafb5f61c7bdbac05cf44ea397acbe1ae3325245
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 93.176.180.96:6881
type: 51.198.170.225:6881
type: 32.221.89.231:6881
type: 172.96.121.2:6881
type: 65.48.164.39:6881
type: 82.64.240.208:6881
type: 89.204.26.126:6881
type: 69.203.128.93:6881
type: 212.30.76.98:6881
type: 82.12.118.228:6881
type: 81.136.161.174:6881
type: 112.151.24.102:6881
type: 18.223.137.220:6881
type: 110.77.236.136:6881
type: 54.70.174.84:6881
type: 167.99.72.189:6881
type: 18.188.31.0:6881
type: 107.181.234.235:6881
type: 74.48.140.189:6881
type: 52.9.197.152:6881
type: 54.214.62.31:6881
type: 141.98.154.145:6881
type: 35.163.251.58:6881
type: 18.191.2.28:6881
type: 192.227.221.84:6881
type: 75.119.138.164:6881
type: 201.146.221.64:6881
type: 148.135.106.206:6881
type: 54.70.28.180:6881
type: 204.12.208.37:6881
type: 178.162.173.91:28003
type: 178.162.173.32:28003
type: 130.239.18.158:8513
type: 195.154.233.74:6880
type: 3.12.65.135:6880
type: 3.211.86.78:6880
type: 44.195.180.169:6880
type: 148.153.32.82:6880
type: 192.210.231.24:6880
type: 130.239.18.158:8580
type: 130.239.18.158:8516
type: 178.162.144.51:21183
type: 65.21.33.208:50000
type: 78.46.86.235:50000
type: 37.27.117.179:50000
type: 95.216.13.53:50000
type: 178.162.173.147:28007
type: 178.162.173.117:28007
type: 178.162.173.169:28001
type: 178.162.174.168:28012
type: 178.162.174.234:28000
type: 178.162.173.8:28000
type: 178.162.174.17:28008
type: 178.162.174.163:28002
type: 46.232.211.130:16609
type: 95.246.21.24:51413
type: 39.88.230.130:51413
type: 150.249.70.213:51413
type: 27.43.91.116:51413
type: 93.51.18.111:51413
type: 213.202.230.224:51413
type: 170.253.4.205:51413
type: 80.71.131.109:51413
type: 5.75.135.49:51413
type: 183.141.135.89:51413
type: 178.162.173.149:28004
type: 178.162.174.120:28013
type: 37.48.116.206:55201
type: 130.239.18.158:8554
type: 84.247.173.42:8081
type: 89.168.23.136:8081
type: 178.162.173.219:28014
type: 185.149.91.65:51049
type: 59.148.145.149:13405
type: 185.203.56.49:17129
type: 95.214.53.172:1688
type: 95.211.209.139:28015
type: 76.89.197.236:32904
type: 24.36.83.246:19161
type: 220.88.176.97:51453
type: 89.149.226.28:42758
type: 94.63.112.47:52406
type: 148.66.6.98:9825
type: 72.21.17.10:25370
type: 61.206.226.156:52243
type: 51.159.54.20:51414
type: 83.106.45.250:22406
type: 92.203.2.177:13466
type: 130.239.18.158:8510
type: 5.39.85.155:52642
type: 73.10.85.187:43290
type: 198.44.133.99:35735
type: 43.230.214.214:62416
type: 178.162.173.92:28011
type: 185.236.159.177:6882
type: 54.194.137.170:6882
type: 54.194.124.68:6882
type: 185.162.184.14:49158
type: 45.87.251.132:28183
type: 185.203.56.11:13227
type: 93.32.76.45:34431
type: 119.199.95.137:33132
type: 46.232.210.119:64082
type: 177.185.180.32:30572
type: 62.212.89.178:59764
type: 108.175.224.109:32324
type: 195.154.200.95:39069
type: 174.29.115.219:55277
type: 87.64.32.118:57230
type: 81.57.116.32:32889
type: 93.44.212.230:43014
type: 89.138.73.149:49001
type: 87.210.90.162:1602
type: 157.125.97.19:6889
type: 159.146.28.135:6889
type: 79.106.231.163:1434
type: 121.168.131.110:51521
type: 187.106.40.198:12441
type: 73.54.216.91:62657
type: 5.47.171.95:44490
type: 185.253.101.213:12601
type: 91.6.75.87:44956
type: 133.226.179.89:34088
type: 139.47.72.0:38035
type: 172.97.143.94:59862
type: 72.21.17.75:25270
type: 169.150.223.229:5995
type: 5.145.72.38:21009
type: 221.156.118.181:32726
type: 37.48.89.165:53021
type: 46.232.210.110:12259
type: 178.148.192.70:43768
type: 107.179.207.44:20003
type: 89.64.7.224:10205
type: 195.154.185.217:24095
type: 97.156.98.144:34061
type: 188.165.198.14:59488
type: 187.243.203.234:2341
type: 95.91.253.72:8671
type: 185.44.124.218:47352
type: 54.77.218.23:6892
type: 35.171.49.86:6892
type: 13.114.205.93:6892
type: 54.39.52.64:29129
type: 194.29.101.83:10240
type: 152.53.52.107:10240
type: 152.53.104.128:10240
type: 66.70.178.54:25029
type: 5.135.138.216:14377
type: 37.111.231.222:19350
type: 187.131.149.189:55428
type: 177.23.159.30:43330
type: 121.160.147.202:8148
type: 179.7.82.88:41090
type: 54.39.52.64:32205
type: 78.142.231.133:6767
type: 149.56.27.121:58813
type: 163.172.13.241:58761
type: 169.197.143.248:53804
type: 178.162.173.225:28006
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/abe6b2ba-0d82-45c8-8b73-adde11eb54b2
Behavior Graph:
Download SVG
%3 guuid=1196a550-1800-0000-96b5-0024a7060000 pid=1703 /usr/bin/sudo guuid=ef933e52-1800-0000-96b5-0024ab060000 pid=1707 /tmp/sample.bin guuid=1196a550-1800-0000-96b5-0024a7060000 pid=1703->guuid=ef933e52-1800-0000-96b5-0024ab060000 pid=1707 execve guuid=07281a53-1800-0000-96b5-0024b0060000 pid=1712 /usr/bin/dash guuid=ef933e52-1800-0000-96b5-0024ab060000 pid=1707->guuid=07281a53-1800-0000-96b5-0024b0060000 pid=1712 clone guuid=52263053-1800-0000-96b5-0024b2060000 pid=1714 /usr/bin/dash guuid=ef933e52-1800-0000-96b5-0024ab060000 pid=1707->guuid=52263053-1800-0000-96b5-0024b2060000 pid=1714 clone guuid=d40e4653-1800-0000-96b5-0024b3060000 pid=1715 /usr/bin/dash guuid=ef933e52-1800-0000-96b5-0024ab060000 pid=1707->guuid=d40e4653-1800-0000-96b5-0024b3060000 pid=1715 clone guuid=f25e5453-1800-0000-96b5-0024b4060000 pid=1716 /usr/bin/dash guuid=ef933e52-1800-0000-96b5-0024ab060000 pid=1707->guuid=f25e5453-1800-0000-96b5-0024b4060000 pid=1716 clone
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8aaf0347-e1ae-4f91-adc6-4d2a837cd63b
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1723969
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample scans a subnet
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1723969 Sample: aarch64.elf Startdate: 27/06/2025 Architecture: LINUX Score: 72 38 31.200.249.162, 31904, 49248 NETRACK-ASRU Russian Federation 2->38 40 178.162.174.43, 28004, 6881 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 2->40 42 102 other IPs or domains 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Connects to many ports of the same IP (likely port scanning) 2->46 48 Sample scans a subnet 2->48 10 aarch64.elf 2->10         started        signatures3 process4 process5 12 aarch64.elf sh 10->12         started        14 aarch64.elf 10->14         started        17 aarch64.elf sh 10->17         started        signatures6 19 sh crontab 12->19         started        23 sh 12->23         started        56 Opens /sys/class/net/* files useful for querying network interface information 14->56 58 Sample reads /proc/mounts (often used for finding a writable filesystem) 14->58 25 aarch64.elf 14->25         started        27 sh crontab 17->27         started        process7 file8 36 /var/spool/cron/crontabs/tmp.KZnrVl, ASCII 19->36 dropped 50 Sample tries to persist itself using cron 19->50 52 Executes the "crontab" command typically for achieving persistence 19->52 29 sh crontab 23->29         started        32 aarch64.elf 25->32         started        signatures9 process10 signatures11 54 Executes the "crontab" command typically for achieving persistence 29->54 34 aarch64.elf 32->34         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/e8b803dfe5267de8754e789acafb5f61c7bdbac05cf44ea397acbe1ae3325245
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8b803dfe5267de8754e789acafb5f61c7bdbac05cf44ea397acbe1ae3325245/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/e8b803dfe5267de8754e789acafb5f61c7bdbac05cf44ea397acbe1ae3325245
Threat name:
Linux.Trojan.SAgnt
Create hunting rule
Status:
Malicious
First seen:
2025-06-27 05:02:21 UTC
File Type:
ELF64 Little (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5c4ahx7fez66q5kopcnmv627mhd33owalt2e5i4xvs7bvyzskjcq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/250627-fpaggsvwcw/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/13c1cff4-0d6f-4ca8-913b-b7ffd53f2ca0
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8b803dfe5267de8754e789acafb5f61c7bdbac05cf44ea397acbe1ae3325245

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf e8b803dfe5267de8754e789acafb5f61c7bdbac05cf44ea397acbe1ae3325245

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558221/
  
Delivery method
Distributed via web download

Comments