MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec7010669da15f5a89ac2776893ae850d48b03c4eda831fcb10fc890582dd0db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec7010669da15f5a89ac2776893ae850d48b03c4eda831fcb10fc890582dd0db
SHA3-384 hash: 7f601a7df5fe1f4f74d40078dc0468772396cec98935510b916cf148d2393c9e089d9075ca77c21a0b7329989803e1ff
SHA1 hash: 3c39f6bf86f6a6fba1e5baa004664129e23f2c49
MD5 hash: b4b65c5403e6ac62f5837723ce3fad6c
humanhash: stairway-magazine-bacon-neptune
File name:aarch64
Download: download sample
File size:509'896 bytes
First seen:2025-06-18 11:09:24 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 6144:O/izeB+/ow3gK2lc5bvyI0vOHD6BZkDgn358cIF3RI5HkdY1FP98/8ecjfP:3BohHKTyfvOHD6ByD4WcIMkuDmEesP
TLSH T1ECB41228EE4E3881F3D1E378DA0A4BB2B05B79D0C166C1B2BA41E25D95EDDDED5D0212
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68529e9bd506f858d62238b4linux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
exploit gcc lolbin remote
Link:
https://www.filescan.io/uploads/68529ec1fd02ed5e05b1d50c/reports/f921f26b-7642-47f3-b3db-0a6985cdcefb/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
false
Architecture:
arm
Packer:
custom
Botnet:
unknown
Number of open files:
0
Number of processes launched:
0
Processes remaning?
false
Remote TCP ports scanned:
60861
Full report:
https://elfdigest.com/brief/ec7010669da15f5a89ac2776893ae850d48b03c4eda831fcb10fc890582dd0db
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.1:123
type: 130.239.18.158:6881
type: 62.235.5.35:6881
type: 62.198.34.244:6881
type: 195.32.48.98:6881
type: 202.208.121.196:6881
type: 67.215.246.10:6881
type: 90.196.8.15:6881
type: 211.198.134.12:6881
type: 146.115.222.177:6881
type: 80.1.133.18:6881
type: 87.208.29.149:6881
type: 62.192.34.54:6881
type: 222.187.1.190:6881
type: 13.58.27.33:6881
type: 31.39.99.124:6881
type: 60.116.190.141:6881
type: 67.146.129.59:6881
type: 88.95.106.125:6881
type: 217.15.181.46:6881
type: 124.230.0.111:6881
type: 72.211.17.134:6881
type: 54.214.105.212:6881
type: 176.209.131.55:6881
type: 62.238.202.234:6881
type: 54.194.124.68:6881
type: 18.218.241.3:6881
type: 51.15.117.118:6881
type: 90.191.170.14:6881
type: 89.161.26.218:6881
type: 188.68.94.232:6881
type: 46.117.69.4:6881
type: 178.120.95.49:6881
type: 148.135.106.206:6881
type: 110.33.82.110:6881
type: 195.154.233.74:6880
type: 52.21.231.83:6880
type: 130.239.18.158:8580
type: 83.149.84.32:28008
type: 178.162.173.91:28003
type: 178.162.174.7:28003
type: 178.162.173.138:28012
type: 178.162.174.43:28004
type: 178.162.173.149:28004
type: 178.162.174.170:28001
type: 178.162.173.70:28007
type: 178.162.173.120:28007
type: 178.162.173.167:28007
type: 178.162.174.11:28007
type: 178.162.174.101:28007
type: 46.232.211.130:16609
type: 178.162.174.222:28014
type: 130.239.18.158:8508
type: 213.227.152.137:28006
type: 95.211.110.228:28006
type: 51.75.163.151:8643
type: 185.203.56.25:24633
type: 89.149.202.3:28028
type: 217.121.231.94:59625
type: 62.100.243.128:51413
type: 87.169.97.218:51413
type: 77.125.161.26:51413
type: 185.25.217.105:51413
type: 77.37.209.101:51413
type: 5.79.105.11:51413
type: 118.35.109.238:51413
type: 81.196.202.157:51413
type: 220.132.39.41:51413
type: 102.165.23.205:51413
type: 47.132.17.82:51413
type: 118.10.60.120:51413
type: 150.249.154.214:22123
type: 178.162.173.12:28009
type: 89.149.202.17:28009
type: 178.162.174.85:28005
type: 178.162.173.225:28005
type: 46.232.210.90:15809
type: 114.34.126.86:11330
type: 176.241.83.187:8000
type: 172.221.224.58:48519
type: 79.118.197.103:45555
type: 95.84.251.145:6889
type: 77.166.43.91:6889
type: 108.173.198.161:6889
type: 107.10.242.89:6889
type: 94.31.95.208:40151
type: 122.243.115.204:50000
type: 65.21.33.212:50000
type: 178.162.173.38:28010
type: 169.150.223.223:16359
type: 220.253.108.39:8999
type: 84.201.253.252:28288
type: 78.139.100.89:2079
type: 130.255.48.106:2079
type: 108.174.97.46:16895
type: 24.122.124.90:26342
type: 78.99.30.177:63516
type: 102.208.151.126:64634
type: 95.191.89.228:15392
type: 45.249.118.77:47566
type: 178.162.174.176:28002
type: 115.143.143.126:32880
type: 216.172.124.162:11561
type: 76.89.89.41:49697
type: 218.146.119.171:7770
type: 65.108.143.34:37596
type: 80.7.126.150:2603
type: 46.232.211.159:64273
type: 66.23.99.44:23057
type: 142.116.52.3:60905
type: 98.227.48.238:59555
type: 188.165.244.11:53310
type: 72.21.17.33:56728
type: 186.195.14.36:59228
type: 86.86.156.153:23594
type: 95.220.143.6:21217
type: 178.162.148.117:55841
type: 37.27.113.233:36251
type: 174.100.163.120:35948
type: 210.242.154.87:25135
type: 31.163.181.54:49001
type: 24.146.48.38:49001
type: 220.85.253.94:21132
type: 116.255.7.149:14732
type: 176.114.132.125:49880
type: 86.22.129.141:31948
type: 178.66.62.47:32000
type: 178.78.21.249:52752
type: 90.26.14.168:15857
type: 186.193.113.197:50321
type: 142.184.98.244:23248
type: 223.185.85.97:63053
type: 168.205.109.236:43298
type: 138.186.108.126:19556
type: 24.165.184.92:9010
type: 82.215.122.134:5196
type: 94.31.94.6:8371
type: 178.162.173.137:28013
type: 188.128.68.114:14489
type: 136.169.150.136:31030
type: 185.21.216.158:51164
type: 47.86.167.191:40696
type: 194.29.101.83:10240
type: 152.53.105.61:10240
type: 194.36.147.92:55139
type: 176.31.182.150:59256
type: 104.166.246.176:28696
type: 5.135.138.216:24402
type: 47.89.251.173:7774
type: 54.38.222.153:7596
type: 92.34.182.246:56760
type: 185.203.56.59:50945
type: 71.237.5.68:23085
type: 152.53.45.107:7044
type: 212.35.191.26:8577
type: 84.54.47.68:38040
type: 125.168.237.167:23691
type: 13.114.205.93:6892
type: 152.53.45.107:7095
type: 54.39.52.64:32205
type: 146.70.163.91:6331
type: 146.70.163.91:5568
type: 152.53.45.107:7186
type: 202.171.169.216:33213
type: 92.97.130.252:44943
type: 184.4.83.242:36701
type: 195.20.18.136:11070
type: 78.139.126.89:2027
type: 42.98.63.1:7192
type: 130.239.18.158:8521
type: 96.3.105.243:58205
type: 86.151.39.169:4445
type: 94.139.200.229:57442
type: 129.213.88.72:23371
type: 178.74.41.98:11198
type: 72.52.99.201:11216
type: 176.114.132.125:60548
type: 186.122.108.126:23487
type: 66.208.66.192:18659
type: 51.159.220.114:25018
type: 196.130.72.27:49023
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/5e32cd35-ae4f-4516-a805-2556af129c9a
Behavior Graph:
Download SVG
%3 guuid=dce8d183-1700-0000-b68d-2013750b0000 pid=2933 /usr/bin/sudo guuid=4b655b86-1700-0000-b68d-20137b0b0000 pid=2939 /tmp/sample.bin guuid=dce8d183-1700-0000-b68d-2013750b0000 pid=2933->guuid=4b655b86-1700-0000-b68d-20137b0b0000 pid=2939 execve guuid=aacb4d87-1700-0000-b68d-20137d0b0000 pid=2941 /usr/bin/dash guuid=4b655b86-1700-0000-b68d-20137b0b0000 pid=2939->guuid=aacb4d87-1700-0000-b68d-20137d0b0000 pid=2941 clone guuid=b8906287-1700-0000-b68d-20137e0b0000 pid=2942 /usr/bin/dash guuid=4b655b86-1700-0000-b68d-20137b0b0000 pid=2939->guuid=b8906287-1700-0000-b68d-20137e0b0000 pid=2942 clone guuid=cdeb9e87-1700-0000-b68d-2013800b0000 pid=2944 /usr/bin/dash guuid=4b655b86-1700-0000-b68d-20137b0b0000 pid=2939->guuid=cdeb9e87-1700-0000-b68d-2013800b0000 pid=2944 clone guuid=910fdf87-1700-0000-b68d-2013820b0000 pid=2946 /usr/bin/dash guuid=4b655b86-1700-0000-b68d-20137b0b0000 pid=2939->guuid=910fdf87-1700-0000-b68d-2013820b0000 pid=2946 clone
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/24752b59-8ac4-4735-9b83-d96d4a66863c
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1717380
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample scans a subnet
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1717380 Sample: aarch64.elf Startdate: 18/06/2025 Architecture: LINUX Score: 72 38 31.200.249.178, 31905, 44574 NETRACK-ASRU Russian Federation 2->38 40 178.162.173.231, 28005, 6881 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 2->40 42 101 other IPs or domains 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Connects to many ports of the same IP (likely port scanning) 2->46 48 Sample scans a subnet 2->48 10 aarch64.elf 2->10         started        signatures3 process4 process5 12 aarch64.elf sh 10->12         started        14 aarch64.elf 10->14         started        17 aarch64.elf sh 10->17         started        signatures6 19 sh crontab 12->19         started        23 sh 12->23         started        56 Opens /sys/class/net/* files useful for querying network interface information 14->56 58 Sample reads /proc/mounts (often used for finding a writable filesystem) 14->58 25 aarch64.elf 14->25         started        27 sh crontab 17->27         started        process7 file8 36 /var/spool/cron/crontabs/tmp.gl1Wi5, ASCII 19->36 dropped 50 Sample tries to persist itself using cron 19->50 52 Executes the "crontab" command typically for achieving persistence 19->52 29 sh crontab 23->29         started        32 aarch64.elf 25->32         started        signatures9 process10 signatures11 54 Executes the "crontab" command typically for achieving persistence 29->54 34 aarch64.elf 32->34         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/ec7010669da15f5a89ac2776893ae850d48b03c4eda831fcb10fc890582dd0db
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec7010669da15f5a89ac2776893ae850d48b03c4eda831fcb10fc890582dd0db/
Threat name:
Linux.Trojan.SAgnt
Create hunting rule
Status:
Malicious
First seen:
2025-06-18 11:10:38 UTC
File Type:
ELF64 Little (Exe)
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5rybazu5ufpvvcnme53isoxikdkiwa6e5wudd7frb7ejawbn2dnq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/250618-m9qsjaztcv/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9339dfa6-e56c-4192-baa5-e32503ff9e0d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec7010669da15f5a89ac2776893ae850d48b03c4eda831fcb10fc890582dd0db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf ec7010669da15f5a89ac2776893ae850d48b03c4eda831fcb10fc890582dd0db

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558221/
  
Delivery method
Distributed via web download

Comments