MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f16fb1ca59b5aaaee4016268d3d02684da8a972a6ce29b97d5cc975fe06b0af0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	f16fb1ca59b5aaaee4016268d3d02684da8a972a6ce29b97d5cc975fe06b0af0
SHA3-384 hash:	eadeaf0d3c02d4026b7c48d4feccc83dfff0f0a7d5baae689a61997f33848843688ea99967ecdeadc359df31c94fa382
SHA1 hash:	847949d8b8dcebf3d2b837a5d7904b31108aed4a
MD5 hash:	50ef61685c4a914e596bdace9f472d1c
humanhash:	august-foxtrot-kansas-nuts
File name:	amd64
Download:	download sample
File size:	482'032 bytes
First seen:	2025-06-24 16:51:44 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	12288:iD6LPBCvMk0O9na1M80cLt9i5aIaTtpc4W:2+QGO9naz0Szi5anTtR
TLSH	T102A41212E290D8FEC4DAC070469FD27BFD767C544234BC6B6298F7322B3AE601B16A55
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685ad7c332ed47a3a8d6c626linux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creates directories

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

base64 exploit gcc lolbin remote

Link:

https://www.filescan.io/uploads/685ad7d93faf8fcd7d3f8e53/reports/aed88201-6af9-4303-9f26-2174ca6e0f8f/overview

Verdict:

Malicious

Uses P2P?:

true

Uses anti-vm?:

true

Architecture:

x86

Packer:

custom

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

true

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/f16fb1ca59b5aaaee4016268d3d02684da8a972a6ce29b97d5cc975fe06b0af0

Behaviour

Anti-VM

Process Renaming

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 178.69.209.93:6881
type: 95.211.162.131:6881
type: 37.187.121.149:6881
type: 24.132.252.4:6881
type: 73.208.41.226:6881
type: 209.97.129.185:6881
type: 63.247.211.162:6881
type: 81.153.143.163:6881
type: 87.208.59.208:6881
type: 176.195.143.118:6881
type: 54.211.14.111:6881
type: 82.172.47.183:6881
type: 72.18.39.127:6881
type: 188.187.99.27:6881
type: 185.241.151.157:6881
type: 81.106.154.134:6881
type: 37.27.66.2:6881
type: 73.151.236.5:6881
type: 121.160.52.244:6881
type: 116.88.225.181:6881
type: 79.196.250.140:6881
type: 217.103.154.123:6881
type: 35.163.251.58:6881
type: 108.170.158.18:6881
type: 18.191.2.28:6881
type: 18.218.241.3:6881
type: 217.172.82.193:6881
type: 85.184.186.38:6881
type: 176.119.23.52:6881
type: 109.161.53.148:6881
type: 176.144.95.222:6881
type: 93.176.180.96:6881
type: 80.186.163.48:6881
type: 188.232.173.186:6881
type: 46.236.189.112:6881
type: 119.246.234.208:6881
type: 109.227.150.64:6881
type: 93.48.34.174:6881
type: 178.162.174.222:28014
type: 178.162.173.148:28014
type: 178.162.173.86:28014
type: 178.162.173.161:28014
type: 141.95.53.34:8648
type: 45.203.208.35:6880
type: 52.21.231.83:6880
type: 195.154.233.74:6880
type: 44.216.7.139:6880
type: 81.230.0.32:64177
type: 185.149.91.21:51118
type: 135.181.238.57:50000
type: 135.181.227.244:50000
type: 113.227.183.202:50000
type: 65.21.125.170:50000
type: 65.21.34.43:50000
type: 130.239.18.158:8524
type: 5.135.156.163:56843
type: 130.239.18.158:8515
type: 5.79.66.11:54337
type: 213.232.235.11:8999
type: 89.163.153.49:8999
type: 107.148.40.205:8999
type: 178.162.174.43:28004
type: 178.162.174.227:28004
type: 95.211.247.101:28009
type: 178.162.173.172:28009
type: 178.162.173.91:28003
type: 178.162.174.169:28003
type: 95.31.43.219:51413
type: 138.199.27.226:51413
type: 130.89.163.82:51413
type: 37.187.20.193:51413
type: 84.217.73.58:51413
type: 198.27.67.208:51413
type: 23.239.22.57:51413
type: 188.90.169.20:51413
type: 2.236.169.3:51413
type: 124.213.90.196:51413
type: 91.235.247.80:51413
type: 42.87.104.162:51413
type: 91.148.243.173:51413
type: 222.112.203.11:51413
type: 95.211.194.52:51413
type: 92.15.220.95:51413
type: 5.135.183.21:51413
type: 81.254.18.56:51413
type: 176.31.46.220:51413
type: 156.146.51.79:65474
type: 185.203.56.51:15182
type: 178.162.174.143:28000
type: 178.162.174.221:28000
type: 178.162.174.45:28015
type: 178.162.173.38:28015
type: 178.162.173.202:28001
type: 178.162.173.231:28001
type: 178.162.173.228:28001
type: 178.162.174.170:28001
type: 45.87.250.224:50171
type: 45.152.209.130:50171
type: 45.136.229.76:50171
type: 178.162.173.141:28010
type: 89.149.202.17:28056
type: 178.162.174.1:28007
type: 94.75.250.195:28007
type: 213.227.152.142:28002
type: 178.162.173.74:28002
type: 185.203.56.12:64599
type: 45.136.230.98:51589
type: 185.21.216.145:60781
type: 178.162.174.116:28012
type: 78.61.125.234:43357
type: 107.173.47.37:8083
type: 46.232.211.148:11209
type: 176.241.83.187:8000
type: 5.9.41.13:53504
type: 46.232.210.157:64170
type: 82.172.167.161:6889
type: 87.206.61.118:6889
type: 178.26.185.58:6889
type: 76.71.81.17:6889
type: 93.108.235.136:6889
type: 101.176.9.31:6889
type: 31.210.173.50:27520
type: 185.203.56.28:15644
type: 84.247.173.42:8081
type: 5.182.17.111:5091
type: 104.195.12.40:25829
type: 217.121.231.94:59625
type: 130.239.18.158:8508
type: 130.239.18.158:8521
type: 195.191.244.10:1073
type: 64.226.83.235:1434
type: 195.201.179.130:16309
type: 130.239.18.158:8500
type: 130.239.18.158:8580
type: 130.239.18.158:8516
type: 27.17.237.86:6888
type: 112.87.174.85:6888
type: 109.137.155.197:6888
type: 130.239.18.158:8513
type: 212.7.202.213:6848
type: 185.203.56.68:54148
type: 105.233.151.249:45284
type: 140.228.24.85:50856
type: 51.158.148.12:54828
type: 24.113.247.182:62781
type: 195.191.244.47:1028
type: 147.192.98.4:18586
type: 186.39.156.168:13741
type: 95.99.97.132:50321
type: 180.211.46.221:32840
type: 188.227.9.64:4283
type: 81.171.20.66:64010
type: 86.127.243.115:51000
type: 178.168.229.43:18935
type: 87.155.86.227:65432
type: 5.135.178.12:53659
type: 185.149.91.145:51509
type: 46.232.211.193:58017
type: 31.10.158.193:54413
type: 45.158.186.132:54413
type: 217.115.37.220:38921
type: 122.222.194.124:57631
type: 72.21.17.75:31245
type: 155.4.133.147:6652
type: 107.189.13.117:20622
type: 171.6.209.115:15939
type: 185.132.178.151:6890
type: 185.165.240.24:6890
type: 185.132.178.151:6882
type: 185.86.121.220:6882
type: 62.141.98.162:6882
type: 59.26.31.208:41106
type: 1.169.70.226:11924
type: 173.249.217.38:63245
type: 77.33.96.69:62344
type: 37.48.95.41:54289
type: 72.21.17.87:21483
type: 45.91.211.131:54058
type: 183.100.127.219:32682
type: 213.227.152.142:28011
type: 59.138.67.72:10572
type: 107.218.24.206:35069
type: 181.171.205.144:57638
type: 93.38.28.34:54124
type: 146.212.2.150:58627
type: 210.101.76.126:7735
type: 162.250.189.232:3334
type: 176.113.74.138:29197
type: 212.7.200.12:22727
type: 192.162.210.61:48740
type: 195.154.172.179:27166
type: 168.138.44.19:49022
type: 106.137.84.141:7488
type: 186.227.138.62:37896
type: 192.140.255.237:36185
type: 130.239.18.158:8502
type: 178.162.173.226:28005
type: 95.211.198.95:28005
type: 140.83.53.29:7741
type: 185.21.217.58:49754
type: 115.86.52.6:7981
type: 185.21.217.78:63435
type: 82.211.130.91:58737
type: 91.64.65.234:6005
type: 88.251.188.226:43368
type: 186.122.104.171:23032
type: 152.53.45.107:6985
type: 72.21.17.50:54460
type: 46.150.71.187:61540
type: 188.163.8.163:28916
type: 200.180.68.143:37628
type: 212.7.202.40:28027
type: 46.232.211.238:58135
type: 91.214.138.239:55272
type: 162.212.211.69:49900
type: 185.149.91.150:51584
type: 92.249.91.50:26872
type: 130.239.18.158:8510
type: 178.162.144.51:21183
type: 190.2.132.125:56689
type: 23.162.56.55:22001
type: 88.94.98.124:12190
type: 174.56.92.255:53289
type: 132.184.55.206:39105
type: 83.104.196.45:56805
type: 86.29.201.246:11190
type: 217.211.53.244:56881
type: 185.149.91.141:51083
type: 89.149.226.66:16192
type: 45.138.53.206:57363
type: 213.204.93.193:10011
type: 51.15.171.105:53100
type: 119.202.246.72:32659
type: 126.206.217.237:9568
type: 185.36.131.177:59685
type: 59.26.11.105:17087
type: 121.81.237.103:28111
type: 89.133.118.54:16244
type: 46.232.210.70:13259
type: 73.149.219.3:16012
type: 66.111.7.7:47806
type: 137.74.95.127:28386

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/7644bd14-e143-4bb1-a544-02bc10a471ae

Behavior Graph:

Download SVG

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a8a2eca4-efeb-496b-823e-c213ebe12f6b

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/f16fb1ca59b5aaaee4016268d3d02684da8a972a6ce29b97d5cc975fe06b0af0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f16fb1ca59b5aaaee4016268d3d02684da8a972a6ce29b97d5cc975fe06b0af0/

Threat name:

Linux.Trojan.Multiverze

Status:

Malicious

First seen:

2025-06-24 16:52:33 UTC

File Type:

ELF64 Little (Exe)

AV detection:

16 of 38 (42.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6fx3dsszwwvk5zabmjunhubgqtnivfzkntrjxf6vzslv7ydlblya._file

Result

Malware family:

n/a

Score:

6/10

Tags:

antivm defense_evasion discovery execution linux persistence privilege_escalation

Link:

https://tria.ge/reports/250624-vdmd8svnz4/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to tmp directory

Checks CPU configuration

Checks hardware identifiers (DMI)

Creates/modifies Cron job

Enumerates running processes

Reads MAC address of network interface

Reads hardware information

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d56f9e11-1221-4dab-b916-dfbdece663de

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.20

Link:

https://yomi.yoroi.company/submissions/f16fb1ca59b5aaaee4016268d3d02684da8a972a6ce29b97d5cc975fe06b0af0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	enterpriseapps2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise apps

Rule name:	enterpriseunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise UNIX

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf f16fb1ca59b5aaaee4016268d3d02684da8a972a6ce29b97d5cc975fe06b0af0

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3550042/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample