MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff22d067dd6576071e209e33f15baf078f04f737b8c321f3c8121a65ddc59a62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: ff22d067dd6576071e209e33f15baf078f04f737b8c321f3c8121a65ddc59a62
SHA3-384 hash: 573edd800fe60f83d709005e5b24ee942cbcb65dae37da1cbb50d51a113a249d63d746d8d1912bdfc1655effcd7eff16
SHA1 hash: 3f8ebc9340caee3a9554b24d901635b0037e9cdb
MD5 hash: 134cfb97947091f7d77cf2a4d833654a
humanhash: oklahoma-monkey-twelve-finch
File name: i686
Download: download sample
File size: 587'764 bytes
First seen: 2025-06-27 10:06:34 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 12288:5D+Azf/CVCW3ISw+hRNb3W/aTyA9VV/cZWLnR98V+:5D+AznCVNIZ+vNbG/WYWrR98V
TLSH: T106C42241EAB7C0F2F65349320103E7BF8F33C9099165D2A6DB42F661EDB1B42469E66C
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf

Intelligence


File Origin
# of uploads :
1
# of downloads :
78
Origin country :
DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Sends data to a server
Changes the time when the file was created, accessed, or modified
Opens a port
DNS request
Connection attempt
Locks files
Changes access rights for a written file
Creating a process from a recently created file
Launching a process
Collects information on the CPU
Receives data from a server
Creates directories
Creating a file in the %temp% directory
Runs as daemon
Creates or modifies files in /cron to set up autorun
Verdict:
Unknown
Threat level:
2.5/10
Confidence:
100%
Tags:
base64 exploit gcc lolbin remote
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
72
Number of processes launched:
10
Processes remaining?:
false
Remote TCP ports scanned:
not identified
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
Status:
terminated
Behavior Graph: sandbox process graph (not reproduced). Recoverable information: /usr/bin/sudo (pid 2404) executes /root/.sys/configuration (pid 2412), which executes /usr/bin/dash and clones itself repeatedly; the final clone (pid 2441) performs DNS lookups and network scanning, connects to time.cloudflare.com:123 (48 bytes sent) and sends data (68-byte datagrams) to 297 IP addresses in total; full addresses are in the sandbox logs.
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw
Score:
56 / 100
Signature
Executes the "crontab" command typically for achieving persistence
Opens /sys/class/net/* files useful for querying network interface information
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Behaviour
Behavior Graph: sandbox process graph (not reproduced). Recoverable information: Behavior Graph ID 1724092, sample i686.elf, start date 27/06/2025, architecture LINUX, score 56. i686.elf starts a "configuration" process and sh children, which in turn run crontab; the crontab child drops /var/spool/cron/crontabs/tmp.udqnD5 (ASCII). Network contacts include 82.200.40.75:60352 (ZSTTK, Novosibirsk, RU), 46.189.177.139:39744/6881 (Vodafone, PT) and 102 other IPs or domains.
Threat name:
Linux.Trojan.Multiverze
Status:
Malicious
First seen:
2025-06-27 10:07:15 UTC
File Type:
ELF32 Little (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
7/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Reads MAC address of network interface
Reads hardware information
Renames itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf ff22d067dd6576071e209e33f15baf078f04f737b8c321f3c8121a65ddc59a62

(this sample)

Delivery method
Distributed via web download

Comments