MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f77df4e3e05680a354f001e0286b5301094ea0e885a7289c3f303b562a231b08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: f77df4e3e05680a354f001e0286b5301094ea0e885a7289c3f303b562a231b08
SHA3-384 hash: ae1a3446a3b9223ca30d1117523a2b05f33372c8941b3adc809043fd869f2283af6c4d39178915ddfa0c968045124cd3
SHA1 hash: ba3acc2f8df3dcee3ae8e6e44b9bc91ebe8c88d1
MD5 hash: 95352356201e467b0fc185f581c1e6f3
humanhash: arizona-glucose-network-leopard
File name: mips
File size: 592'688 bytes
First seen: 2025-06-11 15:59:33 UTC
Last seen: 2025-06-12 12:37:59 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 12288:M57U0INmdtgOcyJXDOMzf03gdvZ/yCnEI7zt:W7v+mrY2xzf03yvZ/YIN
TLSH: T196C4F1A377204F91C35195B209F389335AF6199706F29982537DEE107F20A68386BFA9
telfhash: t10ab0011070740bb84308e12d5cdcae5679f20cc3fe470c27db6047a159b54434d00d18
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence


File Origin
# of uploads: 2
# of downloads: 66
Origin country: DE

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a process from a recently created file
Runs as daemon
Connection attempt
Changes access rights for a written file
Receives data from a server
Locks files
DNS request
Opens a port
Sends data to a server
Launching a process
Changes the time when the file was created, accessed, or modified
Creating a file
Creates directories
Creates or modifies files in /cron to set up autorun
Verdict: Malicious
Uses P2P?: true
Uses anti-vm?: true
Architecture: mips
Packer: custom
Botnet: unknown
Number of open files: 60
Number of processes launched: 10
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s):
type: 162.159.200.1:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 92.17.155.46:6881
type: 188.226.11.99:6881
type: 176.193.116.28:6881
type: 47.203.163.244:6881
type: 195.138.67.124:6881
type: 95.29.249.87:6881
type: 178.69.209.93:6881
type: 80.87.204.105:6881
type: 92.38.203.251:6881
type: 112.87.174.110:6881
type: 73.195.160.108:6881
type: 78.73.24.71:6881
type: 88.174.220.195:6881
type: 46.48.49.123:6881
type: 84.6.36.22:6881
type: 82.136.108.47:6881
type: 39.111.216.219:6881
type: 217.103.94.40:6881
type: 77.51.18.60:6881
type: 188.77.199.5:6881
type: 176.213.181.97:6881
type: 37.193.131.103:6881
type: 46.35.247.112:6881
type: 37.27.49.32:6881
type: 35.155.156.153:6881
type: 18.190.61.127:6881
type: 74.48.140.189:6881
type: 82.215.110.194:6881
type: 54.214.105.212:6881
type: 82.61.205.48:6881
type: 13.58.27.33:6881
type: 141.98.154.145:6881
type: 195.35.14.152:6881
type: 54.194.137.170:6881
type: 54.194.124.68:6881
type: 114.38.165.235:6881
type: 75.119.138.164:6881
type: 2.51.168.58:6881
type: 18.223.137.220:6881
type: 181.214.58.169:6881
type: 142.169.135.242:6881
type: 151.40.235.71:6881
type: 188.23.180.85:6881
type: 92.255.207.140:6881
type: 217.121.231.94:59625
type: 97.179.200.52:41156
type: 130.239.18.158:8521
type: 185.132.133.141:6886
type: 65.108.143.34:54273
type: 185.145.245.151:8646
type: 130.239.18.158:8508
type: 72.10.207.37:51413
type: 79.143.17.42:51413
type: 198.100.146.43:51413
type: 149.202.77.174:51413
type: 176.213.127.248:51413
type: 164.132.164.8:51413
type: 51.158.154.77:51413
type: 37.187.20.193:51413
type: 5.39.82.183:51413
type: 193.32.23.235:51413
type: 47.95.12.74:51413
type: 42.48.87.132:51413
type: 93.171.169.7:51413
type: 176.31.250.123:51413
type: 45.8.200.180:51413
type: 62.210.99.234:5706
type: 23.162.56.55:10048
type: 84.25.245.42:43782
type: 65.109.14.244:9005
type: 95.24.176.212:64077
type: 62.210.201.217:8642
type: 76.69.64.76:48002
type: 74.50.88.173:35540
type: 86.229.159.184:25059
type: 94.75.207.13:49971
type: 64.99.199.174:46032
type: 185.149.91.151:51539
type: 114.23.92.201:59990
type: 71.232.105.163:50419
type: 23.158.56.120:12015
type: 185.180.223.89:8999
type: 65.60.132.61:8999
type: 102.129.234.172:8999
type: 172.111.38.128:14043
type: 69.50.95.40:12067
type: 62.210.76.120:54827
type: 185.132.179.9:6884
type: 122.192.133.196:6884
type: 69.50.95.40:12079
type: 37.27.119.244:50000
type: 37.27.103.249:50000
type: 135.181.213.91:50000
type: 135.181.238.57:50000
type: 65.108.10.56:50000
type: 37.27.119.242:50000
type: 37.27.117.50:50000
type: 45.131.79.79:64060
type: 45.87.251.6:28001
type: 185.203.56.55:61704
type: 45.87.251.132:28129
type: 178.162.174.96:28007
type: 46.232.210.175:22709
type: 14.39.175.151:33072
type: 185.203.56.73:60546
type: 185.203.56.28:23376
type: 169.150.251.169:64005
type: 220.80.54.115:40952
type: 178.46.214.159:1359
type: 199.126.128.191:41785
type: 152.44.216.130:39399
type: 37.27.113.233:28640
type: 144.76.175.153:28640
type: 95.158.14.209:61413
type: 77.99.79.110:51488
type: 221.163.80.130:8087
type: 5.39.85.155:52825
type: 160.86.152.206:11254
type: 178.75.58.99:32069
type: 37.46.16.67:51327
type: 89.149.200.92:28020
type: 130.239.18.158:8500
type: 130.239.18.158:8516
type: 130.239.18.158:8507
type: 130.239.18.158:8537
type: 51.158.206.73:6904
type: 5.79.78.96:62930
type: 185.145.245.121:8687
type: 185.145.245.127:8645
type: 178.162.173.108:28002
type: 178.162.174.222:28014
type: 178.162.174.224:28014
type: 178.162.174.43:28004
type: 130.239.18.158:8524
type: 130.239.18.158:8515
type: 65.108.143.34:41985
type: 144.76.175.153:41985
type: 195.154.172.179:28654
type: 37.27.113.233:58369
type: 65.108.143.34:58370
type: 144.76.175.153:58370
type: 37.27.113.233:41986
type: 65.108.143.34:41986
type: 65.108.143.34:45024
type: 195.154.172.179:23316
type: 65.108.143.34:45023
type: 144.76.175.153:45023
type: 37.27.113.233:28639
type: 65.108.143.34:28639
type: 69.10.195.79:51422
type: 178.162.173.56:28003
type: 178.162.173.66:28003
type: 213.227.152.137:28003
type: 130.239.18.158:8510
type: 46.232.210.29:63353
type: 46.232.210.119:64100
type: 81.171.17.43:62664
type: 195.154.237.24:46187
type: 178.162.148.91:50545
type: 45.154.87.194:50171
type: 89.149.226.88:58738
type: 84.70.231.139:18799
type: 178.162.173.224:28013
type: 81.171.22.205:28013
type: 185.203.56.67:22598
type: 62.176.110.224:29075
type: 220.135.28.240:19222
type: 72.21.17.22:59280
type: 14.199.197.81:26092
type: 5.39.85.50:51556
type: 81.243.201.147:49001
type: 46.21.50.68:49001
type: 37.139.219.4:49001
type: 31.162.196.5:49001
type: 164.215.95.133:49001
type: 84.40.111.23:6100
type: 79.127.160.179:39369
type: 72.21.17.8:64215
type: 119.193.176.122:8113
type: 27.82.217.117:21614
type: 5.79.69.185:28011
type: 89.168.23.136:8081
type: 23.95.213.206:36789
type: 85.17.84.59:28008
type: 178.162.174.141:28008
type: 178.162.174.5:28012
type: 46.188.52.10:43278
type: 109.248.253.156:12989
type: 88.97.221.243:50241
type: 176.31.101.157:63694
type: 223.181.240.236:12241
type: 197.206.95.71:44401
type: 46.72.119.170:38408
type: 176.52.58.142:2048
type: 104.36.20.99:26659
type: 178.64.26.179:58364
type: 175.195.63.71:7841
type: 107.189.7.205:59917
type: 188.165.197.21:51000
type: 217.123.9.89:50159
type: 142.198.168.58:20420
type: 83.255.188.209:53996
type: 1.46.140.146:52207
type: 50.71.41.61:6896
type: 158.174.111.89:46649
type: 78.190.100.33:38735
type: 90.157.16.235:20483
type: 210.178.152.103:7885
type: 37.48.111.235:61180
type: 191.58.134.44:12834
type: 49.204.128.251:43427
type: 41.212.116.186:47599
type: 185.42.180.134:25266
type: 27.125.249.94:21627
type: 219.89.226.160:6889
type: 79.3.80.72:6889
type: 148.63.75.74:6889
type: 120.138.140.162:32531
type: 46.232.211.199:64045
type: 68.229.131.191:40908
type: 46.116.171.97:24671
type: 92.125.5.230:26342
type: 83.223.18.93:23412
type: 152.136.153.242:60020
type: 23.90.132.30:60020
type: 46.72.132.113:22210
type: 106.205.152.101:15654
type: 190.236.31.32:39459
type: 176.115.42.243:1044
type: 188.113.228.121:41994
type: 54.194.135.233:6992
type: 13.114.205.93:6992
type: 94.60.33.50:57535
type: 89.134.31.80:44158
type: 187.245.69.147:13225
type: 191.188.118.151:3715
type: 54.39.52.64:39450
type: 192.210.231.24:6880
type: 89.64.10.139:23254
type: 85.15.108.84:22470
type: 95.26.227.76:1826
type: 60.50.184.227:13239
type: 37.27.113.233:41990
type: 54.39.52.64:40452
type: 65.108.143.34:37986
type: 65.108.143.34:54348
type: 152.53.52.107:10240
type: 194.29.101.83:10240
type: 65.108.143.34:37953
type: 65.108.143.34:37965
type: 31.58.51.146:6987
type: 137.74.200.136:32126
type: 130.239.18.158:8539
type: 51.159.106.3:56709
type: 188.165.198.46:52523
type: 95.84.198.15:20490
type: 118.106.218.246:20491
type: 109.209.40.174:48586
type: 221.159.9.52:41046
type: 94.23.215.83:6882
type: 112.87.174.115:6882
type: 190.224.92.105:25242
type: 104.128.94.19:6927
type: 222.113.17.222:9092
type: 178.140.94.171:55040
type: 46.164.220.74:1281
type: 185.104.251.165:41149
type: 92.124.206.207:1685
type: 204.157.203.105:35147
type: 174.91.203.155:63586
type: 98.124.25.5:16851
type: 109.167.232.77:60348
type: 144.76.175.153:28611
type: 176.63.3.198:4692
type: 220.136.211.187:41980
type: 176.214.114.33:33869
type: 78.63.105.0:4552
type: 85.30.146.198:3347
type: 89.179.245.210:30353
type: 46.59.69.50:60058
type: 180.216.209.88:33105
type: 46.232.211.44:58021
type: 60.226.158.62:60312
type: 162.154.253.181:64602
type: 212.116.75.229:55776
type: 14.39.23.200:49171
type: 46.232.211.44:58048
type: 95.211.94.225:62460
type: 181.214.153.117:22673
Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw
Score: 64 / 100
Signature
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph (ID 1712478; graph image not reproduced, recoverable node data only): Sample: mips.elf; start date: 11/06/2025; architecture: LINUX; score: 64. Network nodes: 45.149.235.223:26159 (WS171-ASRU, Italy), 148.63.75.74:6881 and :6889 (VODAFONE-PT, Portugal), plus 102 other IPs or domains. Process tree: mips.elf starts sh, which runs crontab; a process labelled "configuration" opens /sys/class/net/* files (network interface information) and reads /proc/mounts (finding a writable filesystem). Dropped file: /var/spool/cron/crontabs/tmp.j7fG5J (ASCII). Signatures: Multi AV Scanner detection for submitted file; Sample tries to persist itself using cron; Executes the "crontab" command typically for achieving persistence.
Threat name: Linux.Trojan.Multiverze
Status: Malicious
First seen: 2025-06-11 16:00:38 UTC
File Type: ELF32 Big (Exe)
AV detection: 14 of 24 (58.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery execution persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
Reads CPU attributes
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Renames itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: enterpriseapps2
Author: Tim Brown @timb_machine
Description: Enterprise apps
Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: elf f77df4e3e05680a354f001e0286b5301094ea0e885a7289c3f303b562a231b08 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_PIE
Title: Missing Position-Independent Executable (PIE) Protection
Severity: high
