MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee4d468dfb2b65b994f6ce6580c87df613416f80f9267d0316c105c115c8e68b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash: ee4d468dfb2b65b994f6ce6580c87df613416f80f9267d0316c105c115c8e68b
SHA3-384 hash: 403b742d900f236d93685d296de23b1b31cbbff9a30a685e6ec80205194c93ec80e64e084871f13f6bf663f0db486738
SHA1 hash: 9696069a45627182985fdc6efff0f2f9982b1953
MD5 hash: 5a3ab3336d43c44b49921d32b83108b2
humanhash: indigo-artist-burger-oklahoma
File name:amd64
Download: download sample
File size:482'032 bytes
First seen:2025-06-29 11:22:49 UTC
Last seen:2025-06-30 00:54:44 UTC
File type: elf
MIME type:application/x-executable
ssdeep 12288:iD6LPBCvMk0O9na1M80cLt9i5aIaTtpc4W:2+QGO9naz0Szi5anTtR
TLSH T10FA41212E290D8FEC4DAC070469FD27BFD767C544234BC6B6298F7322B3AE601B16A55
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence


File Origin
# of uploads :
2
# of downloads :
86
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creates directories
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
exploit gcc lolbin remote
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
70
Number of processes launched:
10
Processes remaning?
true
Remote TCP ports scanned:
40950
Behaviour
Anti-VM
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 31.170.175.36:6881
type: 155.4.225.41:6881
type: 178.69.209.93:6881
type: 37.194.55.75:6881
type: 79.118.170.190:6881
type: 178.215.232.114:6881
type: 176.125.139.123:6881
type: 89.207.71.47:6881
type: 188.42.55.92:6881
type: 212.130.26.184:6881
type: 80.79.5.27:6881
type: 73.130.181.217:6881
type: 77.58.25.41:6881
type: 109.248.152.64:6881
type: 76.171.160.27:6881
type: 18.188.31.0:6881
type: 35.167.186.212:6881
type: 86.38.200.129:6881
type: 18.221.7.72:6881
type: 142.171.58.199:6881
type: 193.151.213.163:6881
type: 139.195.118.194:6881
type: 54.70.28.180:6881
type: 18.191.2.28:6881
type: 35.155.156.153:6881
type: 54.70.174.84:6881
type: 35.163.251.58:6881
type: 18.220.82.190:6881
type: 5.39.91.215:6881
type: 5.143.37.36:6881
type: 24.11.7.231:6881
type: 188.165.232.17:6881
type: 84.85.169.150:6881
type: 80.60.98.152:6881
type: 77.175.241.89:6881
type: 5.43.96.185:6881
type: 176.241.245.12:6881
type: 178.162.173.231:28001
type: 142.132.193.163:50000
type: 95.216.14.177:50000
type: 95.216.3.232:50000
type: 78.46.90.53:50000
type: 95.216.14.154:50000
type: 148.251.19.168:50000
type: 65.21.34.57:50000
type: 162.55.81.153:50000
type: 142.132.195.39:50000
type: 148.251.134.137:50000
type: 142.132.200.45:50000
type: 142.132.193.161:50000
type: 135.181.223.232:50000
type: 95.216.114.31:50000
type: 176.9.3.238:50000
type: 135.181.227.244:50000
type: 135.181.238.57:50000
type: 148.251.87.55:50000
type: 37.27.117.240:50000
type: 46.4.96.86:50000
type: 144.76.108.135:50000
type: 142.132.203.124:50000
type: 116.202.157.48:50000
type: 37.27.120.51:50000
type: 142.132.207.124:50000
type: 148.251.92.45:50000
type: 142.132.202.190:50000
type: 162.55.82.88:50000
type: 178.162.174.178:28003
type: 5.79.122.78:28003
type: 178.162.174.233:28003
type: 178.162.174.41:28003
type: 178.162.174.236:28003
type: 185.149.91.77:51009
type: 185.203.56.7:63571
type: 123.203.20.187:25839
type: 173.230.130.111:6880
type: 3.15.85.168:6880
type: 45.203.151.81:6880
type: 3.149.132.150:6880
type: 45.203.154.94:6880
type: 45.203.212.13:6880
type: 3.133.238.179:6880
type: 45.203.152.79:6880
type: 62.212.81.227:28013
type: 178.162.173.160:28013
type: 178.162.174.147:28013
type: 5.79.93.242:61920
type: 15.235.82.46:47265
type: 178.162.174.43:28004
type: 178.162.174.222:28014
type: 81.171.17.36:44990
type: 212.7.202.40:28030
type: 178.162.174.32:28000
type: 178.162.173.167:28007
type: 178.162.173.164:28007
type: 178.162.173.38:28007
type: 213.248.20.215:51413
type: 95.217.200.231:51413
type: 51.91.97.190:51413
type: 134.122.103.46:51413
type: 37.97.250.33:51413
type: 213.231.5.66:51413
type: 31.45.31.41:51413
type: 112.74.104.111:51413
type: 84.220.211.193:51413
type: 36.14.48.112:51413
type: 188.24.13.46:51413
type: 5.2.74.231:51413
type: 165.120.114.115:51413
type: 118.159.54.113:51413
type: 87.118.110.129:51413
type: 115.196.39.162:51413
type: 86.49.106.207:51413
type: 62.63.202.117:51413
type: 163.172.222.138:51413
type: 163.172.38.214:51413
type: 45.33.88.167:51413
type: 95.143.216.112:51413
type: 195.191.244.43:1063
type: 90.195.163.146:37432
type: 185.145.245.127:8649
type: 178.162.174.105:28002
type: 95.211.216.167:28002
type: 178.162.173.118:28002
type: 91.199.227.107:12247
type: 159.223.162.113:8083
type: 89.67.73.128:8083
type: 178.162.173.109:28011
type: 178.162.174.55:28011
type: 178.162.174.11:28011
type: 88.99.90.38:60500
type: 213.232.235.11:8999
type: 195.154.172.179:23188
type: 195.154.185.217:25051
type: 195.154.185.217:24155
type: 195.154.185.217:24263
type: 195.154.185.217:24115
type: 185.149.91.13:51127
type: 46.232.210.48:21109
type: 46.232.211.148:17409
type: 72.21.17.74:12448
type: 79.106.231.163:1434
type: 130.239.18.158:8524
type: 130.239.18.158:8515
type: 37.27.113.233:35404
type: 185.21.216.193:55966
type: 5.196.7.57:50722
type: 194.42.111.125:51400
type: 178.162.173.154:28015
type: 162.55.95.146:51555
type: 195.20.18.136:11072
type: 178.162.173.159:28005
type: 178.162.173.203:28005
type: 37.48.64.29:28005
type: 95.216.116.106:16113
type: 178.162.173.32:28012
type: 178.162.174.141:28012
type: 178.162.173.201:28012
type: 220.132.179.42:59228
type: 31.209.55.64:6248
type: 198.245.51.194:51414
type: 138.64.67.105:59282
type: 162.251.63.78:12028
type: 5.79.93.231:51404
type: 153.229.92.167:62882
type: 114.80.9.220:6889
type: 1.159.59.81:6889
type: 37.222.178.59:6889
type: 185.203.56.49:23232
type: 185.250.204.85:33291
type: 46.232.210.43:59944
type: 45.87.251.132:28215
type: 130.239.18.158:8539
type: 126.91.215.239:21566
type: 185.203.56.72:20167
type: 113.211.212.57:41083
type: 5.2.79.57:49982
type: 185.203.56.58:13498
type: 126.39.99.40:12680
type: 46.232.211.70:26359
type: 204.228.151.196:59713
type: 191.219.33.51:6898
type: 5.39.85.217:54932
type: 103.243.98.69:53865
type: 46.232.210.180:13759
type: 169.150.223.237:17559
type: 191.185.78.89:21508
type: 72.21.17.83:14388
type: 106.205.169.114:46598
type: 5.79.67.18:53990
type: 37.187.159.38:48181
type: 69.55.31.145:18611
type: 46.232.210.200:22909
type: 180.150.8.28:6882
type: 95.84.150.14:6882
type: 5.81.97.152:6882
type: 85.26.119.92:49001
type: 92.248.145.143:49001
type: 109.169.143.96:49001
type: 37.18.41.145:49001
type: 31.148.20.72:49001
type: 185.107.44.27:49001
type: 45.147.97.7:50185
type: 169.150.219.153:64003
type: 216.228.219.246:49232
type: 72.21.17.20:65295
type: 181.117.9.65:42422
type: 109.13.112.185:11612
type: 37.48.95.58:14897
type: 93.102.206.201:41674
type: 189.143.253.205:47846
type: 176.88.103.125:39824
type: 185.149.91.41:61907
type: 193.168.49.159:53480
type: 195.154.172.179:23466
type: 196.50.92.74:17013
type: 149.154.20.41:38806
type: 93.176.135.61:5866
type: 185.149.91.41:51559
type: 87.197.165.60:61565
type: 104.157.191.175:51793
type: 106.213.220.36:64032
type: 189.216.235.123:46989
type: 135.19.1.209:17435
type: 170.150.23.8:47672
type: 170.199.144.77:51044
type: 181.94.230.167:34863
type: 77.81.160.23:42256
type: 109.146.158.174:16702
type: 95.75.194.131:18202
type: 190.9.113.215:41694
type: 176.31.183.98:37241
type: 208.87.240.21:11158
type: 194.29.101.83:10240
type: 146.59.3.81:10240
type: 152.53.52.107:10240
type: 210.99.30.211:16847
type: 46.232.210.133:64061
type: 178.162.174.19:28009
type: 179.34.49.135:39332
type: 54.77.218.23:6992
type: 54.209.131.199:6892
type: 216.82.207.139:38693
type: 45.174.36.91:20481
type: 170.239.36.12:41976
type: 211.176.148.49:50671
type: 138.19.221.38:24277
type: 181.191.174.138:14918
type: 46.10.149.145:61611
type: 93.35.193.64:58638
type: 185.21.216.133:54378
type: 176.63.8.194:7270
type: 186.80.29.2:12122
type: 116.202.166.186:3334
type: 89.149.221.12:60541
type: 216.160.223.118:51136
type: 93.176.133.6:19501
type: 169.150.223.197:64023
type: 88.212.53.106:21445
type: 163.172.86.70:64341
type: 82.192.80.227:52088
type: 169.150.219.153:64011
type: 85.145.82.16:48783
type: 94.131.199.154:8621
type: 88.229.13.203:43097
type: 188.163.24.16:23250
type: 89.22.226.106:6935
type: 185.203.56.39:18644
type: 79.100.209.245:48438
type: 94.75.234.248:28008
type: 144.76.175.153:56321
type: 121.168.51.231:12877
type: 185.203.56.6:57961
type: 98.161.199.16:59907
type: 191.95.50.238:6763
type: 176.63.11.138:10215
type: 62.73.73.192:58600
type: 46.232.211.129:14759
type: 5.39.85.217:54865
type: 83.253.62.135:38733
Status:
terminated
Behavior Graph:
%3 guuid=d63604c1-1700-0000-f784-956d150c0000 pid=3093 /usr/bin/sudo guuid=bbeaa6c2-1700-0000-f784-956d1d0c0000 pid=3101 /tmp/sample.bin guuid=d63604c1-1700-0000-f784-956d150c0000 pid=3093->guuid=bbeaa6c2-1700-0000-f784-956d1d0c0000 pid=3101 execve guuid=4b48bec2-1700-0000-f784-956d1e0c0000 pid=3102 /usr/bin/dash guuid=bbeaa6c2-1700-0000-f784-956d1d0c0000 pid=3101->guuid=4b48bec2-1700-0000-f784-956d1e0c0000 pid=3102 execve guuid=7ba5ecc2-1700-0000-f784-956d200c0000 pid=3104 /usr/bin/dash guuid=bbeaa6c2-1700-0000-f784-956d1d0c0000 pid=3101->guuid=7ba5ecc2-1700-0000-f784-956d200c0000 pid=3104 execve guuid=d0193fc3-1700-0000-f784-956d240c0000 pid=3108 /tmp/sample.bin mprotect-exec zombie guuid=bbeaa6c2-1700-0000-f784-956d1d0c0000 pid=3101->guuid=d0193fc3-1700-0000-f784-956d240c0000 pid=3108 clone guuid=ee0412c3-1700-0000-f784-956d210c0000 pid=3105 /usr/bin/dash guuid=7ba5ecc2-1700-0000-f784-956d200c0000 pid=3104->guuid=ee0412c3-1700-0000-f784-956d210c0000 pid=3105 clone guuid=152418c3-1700-0000-f784-956d220c0000 pid=3106 /usr/bin/dash guuid=7ba5ecc2-1700-0000-f784-956d200c0000 pid=3104->guuid=152418c3-1700-0000-f784-956d220c0000 pid=3106 clone guuid=dcccb5c6-1700-0000-f784-956d320c0000 pid=3122 /tmp/sample.bin zombie guuid=d0193fc3-1700-0000-f784-956d240c0000 pid=3108->guuid=dcccb5c6-1700-0000-f784-956d320c0000 pid=3122 clone guuid=b068c0c6-1700-0000-f784-956d330c0000 pid=3123 /tmp/sample.bin guuid=dcccb5c6-1700-0000-f784-956d320c0000 pid=3122->guuid=b068c0c6-1700-0000-f784-956d330c0000 pid=3123 clone guuid=29d6d2c6-1700-0000-f784-956d350c0000 pid=3125 /tmp/sample.bin dns net net-scan send-data guuid=b068c0c6-1700-0000-f784-956d330c0000 pid=3123->guuid=29d6d2c6-1700-0000-f784-956d350c0000 pid=3125 clone d316b2ae-0a7e-5b43-8de6-745900c90c54 127.0.0.1:65535 guuid=29d6d2c6-1700-0000-f784-956d350c0000 pid=3125->d316b2ae-0a7e-5b43-8de6-745900c90c54 con 38a4910e-6f05-5afe-a8e3-398c2eb18329 time.cloudflare.com:123 guuid=29d6d2c6-1700-0000-f784-956d350c0000 pid=3125->38a4910e-6f05-5afe-a8e3-398c2eb18329 send: 48B eb734178-7662-5bf6-8e17-e4f8c7c86bbc 159.65.200.220:6817 guuid=29d6d2c6-1700-0000-f784-956d350c0000 pid=3125->eb734178-7662-5bf6-8e17-e4f8c7c86bbc con 1309a196-f09d-5259-8d9b-d238fe885ee0 31.200.249.178:31791 guuid=29d6d2c6-1700-0000-f784-956d350c0000 pid=3125->1309a196-f09d-5259-8d9b-d238fe885ee0 send: 68B 7804ef8e-7729-5412-9198-755dbdb2b396 159.65.200.220:6815 guuid=29d6d2c6-1700-0000-f784-956d350c0000 pid=3125->7804ef8e-7729-5412-9198-755dbdb2b396 con guuid=29d6d2c6-1700-0000-f784-956d350c0000 pid=3125|send-data send-data to 291 IP addresses review logs to see them all guuid=29d6d2c6-1700-0000-f784-956d350c0000 pid=3125->guuid=29d6d2c6-1700-0000-f784-956d350c0000 pid=3125|send-data send
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
68 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1724989 Sample: amd64.elf Startdate: 29/06/2025 Architecture: LINUX Score: 68 42 104.234.173.77, 4009, 6881 VELCOMCA Canada 2->42 44 46.232.211.100, 58660, 6881 V4ESCROW-ASRO Romania 2->44 46 101 other IPs or domains 2->46 54 Multi AV Scanner detection for submitted file 2->54 56 Connects to many ports of the same IP (likely port scanning) 2->56 10 amd64.elf 2->10         started        12 dash rm 2->12         started        14 dash rm 2->14         started        signatures3 process4 process5 16 amd64.elf sh 10->16         started        18 amd64.elf 10->18         started        21 amd64.elf sh 10->21         started        signatures6 23 sh crontab 16->23         started        27 sh 16->27         started        50 Opens /sys/class/net/* files useful for querying network interface information 18->50 52 Sample reads /proc/mounts (often used for finding a writable filesystem) 18->52 29 amd64.elf 18->29         started        31 sh crontab 21->31         started        process7 file8 40 /var/spool/cron/crontabs/tmp.MnasMU, ASCII 23->40 dropped 58 Sample tries to persist itself using cron 23->58 60 Executes the "crontab" command typically for achieving persistence 23->60 33 sh crontab 27->33         started        36 amd64.elf 29->36         started        signatures9 process10 signatures11 48 Executes the "crontab" command typically for achieving persistence 33->48 38 amd64.elf 36->38         started        process12
Threat name:
Linux.Trojan.Multiverze
Status:
Malicious
First seen:
2025-06-29 11:23:41 UTC
File Type:
ELF64 Little (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  6/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf ee4d468dfb2b65b994f6ce6580c87df613416f80f9267d0316c105c115c8e68b

(this sample)

  
Delivery method
Distributed via web download

Comments