MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ThemeForestRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9
SHA3-384 hash: c023fafb9ea2b34cf24337433f729044dbf06696e3d685de0a2cfbddac27db3b0a3c59db87a92f5c49bb3ea0b3ba46cd
SHA1 hash: abeb2abdf0eb7bcab61605bae95618f394ba8835
MD5 hash: 2cf6a67e6043747d90e1bc0ce69a974a
humanhash: cup-table-east-delta
File name:ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9_linux_themeforestrat.bin
Download: download sample
Signature ThemeForestRAT
Create hunting rule
File size:2'836'616 bytes
First seen:2025-09-12 11:20:45 UTC
Last seen:2025-09-12 11:34:51 UTC
File type: elf
MIME type:application/x-executable
ssdeep 49152:dKPcExw05ddaJOLYKahMwU6aJfzEpRU5GmBQMEP/AyMa6cThM55eFY1rRd0hdzk5:UPc04OsKQU6aJfzYZmBPobMa6/55eFYz
TLSH T1F1D57C16BAA718AEC5D6C834876F9172AD71B45C1321AD7B3180EE343E97F241F1DB22
telfhash t1f211eb06a83d8aa946e24d648c150bd3109bdb76a572ea18ff94ded054af446f118c8f
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter SRT
Tags:elf Lazarus RAT ThemeForestRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
45
Origin country :
NL NL
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Collects information on the RAM
Connection attempt
Launching a process
Collects information on the OS
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
gcc lolbin masquerade remote threat
Link:
https://www.filescan.io/uploads/68c42c700d1238ff0aaae143/reports/55e8d749-98b3-4068-adc2-d9f2e6696011/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
true
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
36
Number of processes launched:
7
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9
Behaviour
Anti-VM
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2025-09-13T12:58:00Z UTC
Last seen:
2025-09-13T12:58:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/50170fde-6224-4e7c-bbe0-2dfab10803e3
Behavior Graph:
Download SVG
%3 guuid=13f8b6b8-1600-0000-49d8-b1292c0d0000 pid=3372 /usr/bin/sudo guuid=3eb511bb-1600-0000-49d8-b129320d0000 pid=3378 /tmp/sample.bin guuid=13f8b6b8-1600-0000-49d8-b1292c0d0000 pid=3372->guuid=3eb511bb-1600-0000-49d8-b129320d0000 pid=3378 execve guuid=306cd2bc-1600-0000-49d8-b129380d0000 pid=3384 /usr/bin/dash guuid=3eb511bb-1600-0000-49d8-b129320d0000 pid=3378->guuid=306cd2bc-1600-0000-49d8-b129380d0000 pid=3384 execve guuid=3eb511bb-1600-0000-49d8-b129320d0000 pid=3408 /tmp/sample.bin dns net send-data guuid=3eb511bb-1600-0000-49d8-b129320d0000 pid=3378->guuid=3eb511bb-1600-0000-49d8-b129320d0000 pid=3408 clone guuid=3eb511bb-1600-0000-49d8-b129320d0000 pid=5278 /tmp/sample.bin dns net send-data guuid=3eb511bb-1600-0000-49d8-b129320d0000 pid=3378->guuid=3eb511bb-1600-0000-49d8-b129320d0000 pid=5278 clone guuid=acc4fcbc-1600-0000-49d8-b1293a0d0000 pid=3386 /usr/bin/lsb_release guuid=306cd2bc-1600-0000-49d8-b129380d0000 pid=3384->guuid=acc4fcbc-1600-0000-49d8-b1293a0d0000 pid=3386 execve guuid=44a82ebd-1600-0000-49d8-b1293b0d0000 pid=3387 /usr/bin/getopt guuid=acc4fcbc-1600-0000-49d8-b1293a0d0000 pid=3386->guuid=44a82ebd-1600-0000-49d8-b1293b0d0000 pid=3387 execve guuid=c33c7ebd-1600-0000-49d8-b1293d0d0000 pid=3389 /usr/bin/dash guuid=acc4fcbc-1600-0000-49d8-b1293a0d0000 pid=3386->guuid=c33c7ebd-1600-0000-49d8-b1293d0d0000 pid=3389 clone guuid=79f40abe-1600-0000-49d8-b129420d0000 pid=3394 /usr/bin/dash guuid=acc4fcbc-1600-0000-49d8-b1293a0d0000 pid=3386->guuid=79f40abe-1600-0000-49d8-b129420d0000 pid=3394 clone guuid=a9ce68be-1600-0000-49d8-b129460d0000 pid=3398 /usr/bin/dash guuid=acc4fcbc-1600-0000-49d8-b1293a0d0000 pid=3386->guuid=a9ce68be-1600-0000-49d8-b129460d0000 pid=3398 clone guuid=7562ecbe-1600-0000-49d8-b1294b0d0000 pid=3403 /usr/bin/dash guuid=acc4fcbc-1600-0000-49d8-b1293a0d0000 pid=3386->guuid=7562ecbe-1600-0000-49d8-b1294b0d0000 pid=3403 clone guuid=e30a99bd-1600-0000-49d8-b1293e0d0000 pid=3390 /usr/bin/dash guuid=c33c7ebd-1600-0000-49d8-b1293d0d0000 pid=3389->guuid=e30a99bd-1600-0000-49d8-b1293e0d0000 pid=3390 clone guuid=95f1a1bd-1600-0000-49d8-b1293f0d0000 pid=3391 /usr/bin/cut guuid=c33c7ebd-1600-0000-49d8-b1293d0d0000 pid=3389->guuid=95f1a1bd-1600-0000-49d8-b1293f0d0000 pid=3391 execve guuid=e08aaabd-1600-0000-49d8-b129400d0000 pid=3392 /usr/bin/tr guuid=c33c7ebd-1600-0000-49d8-b1293d0d0000 pid=3389->guuid=e08aaabd-1600-0000-49d8-b129400d0000 pid=3392 execve guuid=a1de15be-1600-0000-49d8-b129430d0000 pid=3395 /usr/bin/dash guuid=79f40abe-1600-0000-49d8-b129420d0000 pid=3394->guuid=a1de15be-1600-0000-49d8-b129430d0000 pid=3395 clone guuid=ae351bbe-1600-0000-49d8-b129440d0000 pid=3396 /usr/bin/cut guuid=79f40abe-1600-0000-49d8-b129420d0000 pid=3394->guuid=ae351bbe-1600-0000-49d8-b129440d0000 pid=3396 execve guuid=746f75be-1600-0000-49d8-b129470d0000 pid=3399 /usr/bin/dash guuid=a9ce68be-1600-0000-49d8-b129460d0000 pid=3398->guuid=746f75be-1600-0000-49d8-b129470d0000 pid=3399 clone guuid=de687abe-1600-0000-49d8-b129490d0000 pid=3401 /usr/bin/tr guuid=a9ce68be-1600-0000-49d8-b129460d0000 pid=3398->guuid=de687abe-1600-0000-49d8-b129490d0000 pid=3401 execve guuid=4d4ef5be-1600-0000-49d8-b1294c0d0000 pid=3404 /usr/bin/dash guuid=7562ecbe-1600-0000-49d8-b1294b0d0000 pid=3403->guuid=4d4ef5be-1600-0000-49d8-b1294c0d0000 pid=3404 clone guuid=c7d0f9be-1600-0000-49d8-b1294e0d0000 pid=3406 /usr/bin/tr guuid=7562ecbe-1600-0000-49d8-b1294b0d0000 pid=3403->guuid=c7d0f9be-1600-0000-49d8-b1294e0d0000 pid=3406 execve 4f6baed0-9587-596c-82b3-fd721afe4cc1 10.0.2.3:53 guuid=3eb511bb-1600-0000-49d8-b129320d0000 pid=3408->4f6baed0-9587-596c-82b3-fd721afe4cc1 send: 132B guuid=3eb511bb-1600-0000-49d8-b129320d0000 pid=5278->4f6baed0-9587-596c-82b3-fd721afe4cc1 send: 132B
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6b5ce33d-fb1e-46c7-991c-1239a235c6d8
Score:
62%
Verdict:
Susipicious
File Type:
ELF
Link:
https://malprob.io/report/ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=74zlyhdvnvla3cuycxnuld2drvr3dxfx5gjq55nymonfl6txmleq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery linux
Link:
https://tria.ge/reports/250912-rn8hnsyvb1/
Behaviour
Reads runtime system information
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c23bb7f9-7aec-4747-9d6a-ba43ee6ee89d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lazarus
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments