MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19eeec3564cf12de584d47f3e3850506b71b3a33dd83f8681c14bd2ec1b0d1bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	19eeec3564cf12de584d47f3e3850506b71b3a33dd83f8681c14bd2ec1b0d1bd
SHA3-384 hash:	c02a77cd2841cb0fcbc236ddc65c862b1db416f4fbaa762eda30a724a9365fb245d2cb4556a3ea23464c69798b48bb37
SHA1 hash:	cf6b2878e3046e67cb8d185b85a0c00172c37cc1
MD5 hash:	5289a65c7938fe15f3d442dbec5aecb2
humanhash:	floor-shade-johnny-massachusetts
File name:	to
Download:	download sample
Signature	Mirai Create hunting rule
File size:	888 bytes
First seen:	2025-05-02 09:51:38 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:3rWKIw+4sNPs+DNkcRZgKZDPgjDNkcRZgNPg+DNkcRZs95IjDPs95IMDNkcRZsN3:yRlkWWKZsFkWWGkkWGLnkWEI3CIykWd
TLSH	T1D411E3CF11198072A4408CEDF5E3A9B46809CCD619CA4E8AA9CE06B1E6CCD4CB4A0F96
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://103.188.82.240/lol.arm	a5f373d08117f2649b6e5eb1cdd2594fdddc2a2000c19a98718de3b924f0fce1	Mirai	elf mirai
http://103.188.82.240/lol.mips	f1b28e62c492e270fd7fc9869efc4dc682e5b8f141a8b65c01a374451713498a	Gafgyt	elf gafgyt ua-wget
http://103.188.82.240/lol.mpsl	n/a	n/a	elf ua-wget
http://103.188.82.240/lol.arm5	n/a	n/a	elf
http://103.188.82.240/lol.arm7	f166e9e934173288ebc53565bccda8e8677c5ec32db06e4f8dd8dc1c691826fc	Mirai	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6814bdb5d5cdbfe0eb6833d7linux22vpnfull_triage

Tags:

downloader virus shell

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/681495cebab2591d06533f6d/reports/3498c99b-a398-41c3-a24c-18db0ddab859/overview

Verdict:

Malicious

Labled as:

Downloader/Shell.Generic

Link:

https://www.hybrid-analysis.com/sample/19eeec3564cf12de584d47f3e3850506b71b3a33dd83f8681c14bd2ec1b0d1bd

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/19eeec3564cf12de584d47f3e3850506b71b3a33dd83f8681c14bd2ec1b0d1bd

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/19eeec3564cf12de584d47f3e3850506b71b3a33dd83f8681c14bd2ec1b0d1bd/

Threat name:

Linux.Downloader.ShellAgnt

Status:

Malicious

First seen:

2025-05-02 09:34:05 UTC

File Type:

Text (Shell)

AV detection:

13 of 35 (37.14%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dhxoynlez4jn4wcni7z6hbifa23rwort3wb7q2a4cs6s5qnq2g6q._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250502-pmrsesz1g1/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/19eeec3564cf12de584d47f3e3850506b71b3a33dd83f8681c14bd2ec1b0d1bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.