MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa5e3a2f13f093a2bdd5b27507ff7b1a501f466c462d8b41383c7f66ff5678c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa5e3a2f13f093a2bdd5b27507ff7b1a501f466c462d8b41383c7f66ff5678c7
SHA3-384 hash: 2246c006b93106a86a3f2fd3563457953d8f8a2202b8fda629627086d5c2f9b509cf32fe73c008b8c76c3055b1139be8
SHA1 hash: 1480dfb75b98fc5114a5a91c0a53a8c5f849ed97
MD5 hash: 4096708776d2650cc3f60e4ec7bbd7e6
humanhash: india-early-shade-asparagus
File name:i686
Download: download sample
File size:587'764 bytes
First seen:2025-06-21 12:44:03 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 12288:5D+Azf/CVCW3ISw+hRNb3W/aTyA9VV/cZWLnR98V+:5D+AznCVNIZ+vNbG/WYWrR98V
TLSH T13AC42241EAB7C0F2F65349320103E7BF8F33C9099165D2A6D742F661EDB1B424A9E66C
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.32058.LX.BOT.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.31951.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Siggen.9095.28767.31159.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6856a93832ed47a3a8d671d0linux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Sends data to a server
Changes the time when the file was created, accessed, or modified
Opens a port
DNS request
Connection attempt
Locks files
Changes access rights for a written file
Creating a process from a recently created file
Launching a process
Collects information on the CPU
Receives data from a server
Creates directories
Creating a file in the %temp% directory
Runs as daemon
Creates or modifies files in /cron to set up autorun
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
base64 exploit gcc lolbin remote
Link:
https://www.filescan.io/uploads/6856a92e3faf8fcd7d39d039/reports/36cdb338-e76c-4191-83eb-750d991cf5a3/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
72
Number of processes launched:
10
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/fa5e3a2f13f093a2bdd5b27507ff7b1a501f466c462d8b41383c7f66ff5678c7
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 162.159.200.123:123
type: 130.239.18.158:6881
type: 67.215.246.10:6881
type: 178.69.209.93:6881
type: 87.212.44.220:6881
type: 176.125.139.123:6881
type: 89.207.71.47:6881
type: 188.42.55.92:6881
type: 73.208.41.226:6881
type: 212.83.150.167:6881
type: 218.161.37.216:6881
type: 77.237.244.133:6881
type: 84.28.2.133:6881
type: 88.85.202.75:6881
type: 213.88.12.218:6881
type: 109.233.200.128:6881
type: 37.187.121.149:6881
type: 69.113.10.212:6881
type: 122.199.28.151:6881
type: 87.13.101.136:6881
type: 146.200.122.72:6881
type: 2.122.169.166:6881
type: 180.222.17.23:6881
type: 54.194.137.170:6881
type: 72.105.72.236:6881
type: 5.15.72.123:6881
type: 92.125.148.146:6881
type: 54.214.62.55:6881
type: 148.135.106.206:6881
type: 18.190.61.127:6881
type: 5.196.70.116:6881
type: 54.214.105.212:6881
type: 23.95.192.22:6881
type: 178.22.197.34:6881
type: 98.220.19.72:6881
type: 88.5.53.7:6881
type: 106.168.85.35:6881
type: 18.188.31.0:6881
type: 18.191.2.28:6881
type: 178.162.174.222:28014
type: 178.162.174.77:28014
type: 178.162.174.136:28014
type: 141.95.53.34:8648
type: 130.239.18.158:8515
type: 45.203.208.35:6880
type: 173.230.130.111:6880
type: 195.154.233.74:6880
type: 3.21.238.91:6880
type: 45.203.206.54:6880
type: 44.216.7.139:6880
type: 185.149.91.21:51118
type: 135.181.227.244:50000
type: 135.181.238.57:50000
type: 37.27.103.179:50000
type: 162.55.86.180:50000
type: 37.27.119.120:50000
type: 65.21.128.233:50000
type: 65.21.128.218:50000
type: 37.27.107.125:50000
type: 37.27.117.59:50000
type: 65.21.128.248:50000
type: 37.27.107.61:50000
type: 65.21.129.43:50000
type: 65.21.128.247:50000
type: 65.108.199.73:50000
type: 37.27.119.176:50000
type: 37.27.117.177:50000
type: 37.27.103.252:50000
type: 37.27.119.190:50000
type: 37.27.117.56:50000
type: 135.181.223.104:50000
type: 65.21.129.56:50000
type: 37.27.117.248:50000
type: 135.181.238.118:50000
type: 163.172.32.21:20076
type: 130.239.18.158:8524
type: 5.135.156.163:56843
type: 178.162.174.43:28004
type: 178.162.174.228:28004
type: 178.162.173.200:28004
type: 95.211.247.101:28009
type: 178.162.173.231:28009
type: 46.232.211.193:58017
type: 95.31.43.219:51413
type: 84.217.73.58:51413
type: 198.27.67.208:51413
type: 188.90.169.20:51413
type: 37.59.41.212:51413
type: 94.23.254.109:51413
type: 163.172.13.241:51413
type: 188.166.98.93:51413
type: 176.212.21.138:51413
type: 2.236.169.3:51413
type: 81.4.100.140:51413
type: 103.136.42.96:51413
type: 85.164.94.20:51413
type: 1.199.235.164:51413
type: 130.239.18.158:8516
type: 178.162.174.143:28000
type: 178.162.173.141:28000
type: 178.162.174.221:28000
type: 79.160.139.53:28000
type: 45.87.251.132:28008
type: 178.162.173.145:28008
type: 83.149.84.32:28008
type: 178.162.173.10:28008
type: 92.254.99.44:50321
type: 37.48.95.194:41493
type: 178.162.174.222:28011
type: 178.162.174.6:28011
type: 81.171.7.65:28011
type: 178.162.173.98:28011
type: 178.162.174.185:28011
type: 45.91.208.243:51936
type: 178.162.174.1:28006
type: 178.162.174.211:28006
type: 178.162.174.229:28006
type: 37.48.89.181:48531
type: 185.107.71.103:44737
type: 178.162.174.228:28007
type: 178.162.173.102:28007
type: 37.48.71.178:28007
type: 153.179.206.103:26856
type: 130.239.18.158:8513
type: 95.168.162.161:42670
type: 178.162.173.231:28001
type: 178.162.173.89:28001
type: 178.162.173.91:28001
type: 89.149.202.17:28001
type: 178.162.174.178:28003
type: 178.162.173.91:28003
type: 178.162.173.105:28003
type: 130.239.18.158:8539
type: 130.239.18.158:8580
type: 203.56.145.9:64328
type: 139.5.0.183:54938
type: 170.239.52.187:51525
type: 35.144.52.58:51525
type: 115.129.160.13:33185
type: 113.211.213.232:12928
type: 77.105.147.74:8999
type: 213.232.235.11:8999
type: 174.164.17.158:8999
type: 116.23.59.141:8999
type: 62.45.126.43:6885
type: 114.80.9.230:6885
type: 58.241.139.175:6885
type: 194.42.112.78:21161
type: 217.121.231.94:59625
type: 130.239.18.158:8508
type: 130.239.18.158:8521
type: 69.50.95.40:12053
type: 23.162.56.55:10091
type: 195.201.163.227:56881
type: 178.162.173.25:28005
type: 178.162.174.236:28005
type: 178.162.174.46:28013
type: 37.48.70.4:28013
type: 185.203.56.68:62927
type: 172.96.121.2:6884
type: 82.162.63.25:6884
type: 114.80.9.230:6884
type: 178.162.174.45:28015
type: 178.162.173.75:28015
type: 91.199.227.108:10325
type: 178.162.173.138:28012
type: 178.162.174.6:28012
type: 185.149.91.159:20019
type: 185.149.91.145:51509
type: 31.10.158.193:54413
type: 87.155.86.227:65432
type: 152.53.22.181:32482
type: 220.123.178.159:64262
type: 5.79.66.11:54337
type: 103.174.9.66:3691
type: 110.151.79.57:16804
type: 72.21.17.92:56045
type: 5.79.67.44:55706
type: 192.99.17.194:7881
type: 218.153.77.38:33158
type: 37.48.95.51:47509
type: 185.21.216.197:53800
type: 217.149.161.173:35462
type: 175.180.88.152:23489
type: 126.88.10.51:12205
type: 188.2.149.170:37808
type: 176.29.202.146:6648
type: 45.152.209.84:49643
type: 182.226.231.166:40980
type: 155.4.103.27:25603
type: 172.86.106.65:9773
type: 128.1.52.250:60020
type: 81.241.130.60:61017
type: 185.21.216.159:54793
type: 5.39.85.82:54067
type: 46.232.211.208:58002
type: 213.204.244.6:52701
type: 94.130.38.104:47458
type: 95.211.140.195:44969
type: 185.203.56.69:60028
type: 59.16.120.102:41143
type: 185.203.56.72:15352
type: 178.71.209.100:49001
type: 176.215.125.115:49001
type: 218.9.94.67:49001
type: 178.207.24.74:49001
type: 109.238.109.181:49001
type: 92.125.49.138:49001
type: 131.147.160.91:42129
type: 188.78.70.32:47812
type: 65.109.159.171:24384
type: 210.203.205.50:10199
type: 142.179.72.190:51414
type: 88.236.178.21:34183
type: 5.79.67.10:62580
type: 181.91.86.242:16264
type: 208.111.79.204:6889
type: 80.229.171.35:6889
type: 193.221.219.128:6889
type: 217.165.177.77:6889
type: 106.211.243.208:11767
type: 46.39.94.116:21240
type: 84.40.235.167:6165
type: 172.251.103.100:14082
type: 212.252.119.25:28671
type: 118.38.252.53:41152
type: 142.129.108.72:32956
type: 187.183.46.40:8682
type: 43.240.149.123:32681
type: 80.192.92.207:41963
type: 54.77.218.23:6992
type: 144.76.175.153:41058
type: 102.141.161.179:20285
type: 170.78.173.112:44356
type: 112.159.24.251:58216
type: 196.75.131.170:19732
type: 213.55.243.141:22328
type: 37.11.24.91:15618
type: 116.122.198.12:34893
type: 106.211.214.155:59016
type: 62.3.74.142:63029
type: 95.214.53.172:1688
type: 125.238.62.55:44892
type: 5.29.15.99:18477
type: 193.77.143.99:51100
type: 176.29.20.146:11051
type: 120.159.124.53:42379
type: 178.162.174.9:28002
type: 178.162.173.67:28010
type: 185.203.56.67:62422
type: 37.48.111.218:48315
type: 71.10.242.54:39582
type: 157.180.2.225:32994
type: 38.22.137.71:35246
type: 212.32.226.26:47688
type: 177.171.26.231:41369
type: 180.150.7.232:1212
type: 196.251.69.72:33755
type: 61.238.194.138:16344
type: 77.141.158.117:49113
type: 46.232.211.96:25109
type: 72.21.17.91:64322
type: 169.150.223.223:64297
type: 172.218.204.9:56005
type: 57.129.45.77:8652
type: 200.106.133.62:26339
type: 124.208.113.154:31858
type: 182.220.209.201:40954
type: 112.168.125.43:7958
type: 188.165.231.168:59380
type: 62.108.198.254:45261
type: 46.22.56.243:5114
type: 5.135.138.216:37331
type: 5.79.77.183:56908
type: 5.79.85.89:64158
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/ba992232-84f7-421c-94c7-823ac1542520
Behavior Graph:
Download SVG
%3 guuid=4b2d33e4-1800-0000-a614-26b802130000 pid=4866 /usr/bin/sudo guuid=4bb8bce5-1800-0000-a614-26b809130000 pid=4873 /root/.sys/configuration guuid=4b2d33e4-1800-0000-a614-26b802130000 pid=4866->guuid=4bb8bce5-1800-0000-a614-26b809130000 pid=4873 execve guuid=38e5d5e5-1800-0000-a614-26b80b130000 pid=4875 /usr/bin/dash guuid=4bb8bce5-1800-0000-a614-26b809130000 pid=4873->guuid=38e5d5e5-1800-0000-a614-26b80b130000 pid=4875 execve guuid=ac240ce6-1800-0000-a614-26b80d130000 pid=4877 /usr/bin/dash guuid=4bb8bce5-1800-0000-a614-26b809130000 pid=4873->guuid=ac240ce6-1800-0000-a614-26b80d130000 pid=4877 execve guuid=445867e6-1800-0000-a614-26b811130000 pid=4881 /root/.sys/configuration zombie guuid=4bb8bce5-1800-0000-a614-26b809130000 pid=4873->guuid=445867e6-1800-0000-a614-26b811130000 pid=4881 clone guuid=125a32e6-1800-0000-a614-26b80e130000 pid=4878 /usr/bin/dash guuid=ac240ce6-1800-0000-a614-26b80d130000 pid=4877->guuid=125a32e6-1800-0000-a614-26b80e130000 pid=4878 clone guuid=3bb036e6-1800-0000-a614-26b80f130000 pid=4879 /usr/bin/dash guuid=ac240ce6-1800-0000-a614-26b80d130000 pid=4877->guuid=3bb036e6-1800-0000-a614-26b80f130000 pid=4879 clone guuid=298632ec-1800-0000-a614-26b82b130000 pid=4907 /root/.sys/configuration guuid=445867e6-1800-0000-a614-26b811130000 pid=4881->guuid=298632ec-1800-0000-a614-26b82b130000 pid=4907 clone guuid=2dbd48ec-1800-0000-a614-26b82c130000 pid=4908 /root/.sys/configuration guuid=298632ec-1800-0000-a614-26b82b130000 pid=4907->guuid=2dbd48ec-1800-0000-a614-26b82c130000 pid=4908 clone guuid=f1ee70ec-1800-0000-a614-26b82e130000 pid=4910 /root/.sys/configuration dns net net-scan send-data guuid=2dbd48ec-1800-0000-a614-26b82c130000 pid=4908->guuid=f1ee70ec-1800-0000-a614-26b82e130000 pid=4910 clone d316b2ae-0a7e-5b43-8de6-745900c90c54 127.0.0.1:65535 guuid=f1ee70ec-1800-0000-a614-26b82e130000 pid=4910->d316b2ae-0a7e-5b43-8de6-745900c90c54 con 38a4910e-6f05-5afe-a8e3-398c2eb18329 time.cloudflare.com:123 guuid=f1ee70ec-1800-0000-a614-26b82e130000 pid=4910->38a4910e-6f05-5afe-a8e3-398c2eb18329 send: 48B 71de9b5c-9ab8-58c6-b1cc-f943862166c6 31.200.249.227:31979 guuid=f1ee70ec-1800-0000-a614-26b82e130000 pid=4910->71de9b5c-9ab8-58c6-b1cc-f943862166c6 send: 68B guuid=f1ee70ec-1800-0000-a614-26b82e130000 pid=4910|send-data send-data to 268 IP addresses review logs to see them all guuid=f1ee70ec-1800-0000-a614-26b82e130000 pid=4910->guuid=f1ee70ec-1800-0000-a614-26b82e130000 pid=4910|send-data send
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/db178fe4-f7f4-41d4-a4ce-ad4a94081fad
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1719875
Signature
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1719875 Sample: i686.elf Startdate: 21/06/2025 Architecture: LINUX Score: 68 38 5.17.0.195, 49001, 6881 ZTELECOM-ASRU Russian Federation 2->38 40 45.187.174.229, 11997, 6881 YOUPLOADTELECOMLTDAMEBR unknown 2->40 42 102 other IPs or domains 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Connects to many ports of the same IP (likely port scanning) 2->46 10 i686.elf configuration 2->10         started        signatures3 process4 process5 12 i686.elf sh 10->12         started        14 configuration 10->14         started        17 i686.elf sh 10->17         started        signatures6 19 sh crontab 12->19         started        23 sh 12->23         started        54 Opens /sys/class/net/* files useful for querying network interface information 14->54 56 Sample reads /proc/mounts (often used for finding a writable filesystem) 14->56 25 configuration 14->25         started        27 sh crontab 17->27         started        process7 file8 36 /var/spool/cron/crontabs/tmp.6PpdD0, ASCII 19->36 dropped 48 Sample tries to persist itself using cron 19->48 50 Executes the "crontab" command typically for achieving persistence 19->50 29 sh crontab 23->29         started        32 configuration 25->32         started        signatures9 process10 signatures11 52 Executes the "crontab" command typically for achieving persistence 29->52 34 configuration 32->34         started        process12
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/fa5e3a2f13f093a2bdd5b27507ff7b1a501f466c462d8b41383c7f66ff5678c7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa5e3a2f13f093a2bdd5b27507ff7b1a501f466c462d8b41383c7f66ff5678c7/
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-06-21 12:44:32 UTC
File Type:
ELF32 Little (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7jpdulyt6cj2fpovwj2qp733djib6rtmiywywqjyhr7wn72wpddq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/250621-pyp3zassas/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Renames itself
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ac27f4e2-0164-4680-9ee6-a98c8047fe9d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/fa5e3a2f13f093a2bdd5b27507ff7b1a501f466c462d8b41383c7f66ff5678c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf fa5e3a2f13f093a2bdd5b27507ff7b1a501f466c462d8b41383c7f66ff5678c7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558224/
  
Delivery method
Distributed via web download

Comments