MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2afea218713c7540b59e2f38e6de421b4b7f7979f2b019db625bd23c44eac37d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	2afea218713c7540b59e2f38e6de421b4b7f7979f2b019db625bd23c44eac37d
SHA3-384 hash:	5993337daf1559fc60000d5a3723c3a7fcade45fcde343a783b05d39e0c6cdaca23bad46663ee70f6d3ed921c99e70ee
SHA1 hash:	fcd79c02bcf584f6358bb7c812f31c2076c1557f
MD5 hash:	7c611921e183e471d8f98bebc2ad4455
humanhash:	black-high-purple-sink
File name:	n
Download:	download sample
File size:	1'290 bytes
First seen:	2025-05-30 23:46:23 UTC
Last seen:	2025-05-31 20:12:15 UTC
File type:	sh
MIME type:	text/plain
ssdeep	24:yRk5zOt+MB08xJxDkgSxnkxnmkgSx3xJkgSxSx0kgCxjZ4xokgSxDxNkgi6jn:4k5CEA0gzDkgOomkgOhJkgOO0kgejZ0T
TLSH	T17C213ECF40A8CD31A8409EDD35D31A1564C68AD956CF8FCBE48E01B9E1CCA0DB691F7A
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.26.90.217/vv/armv4l	a82594f321a14d22c63b44b8b3f4e5dcb725aeda14db201cfe59d6b37cb8093f	Mirai	elf gafgyt mirai ua-wget
http://94.26.90.217/vv/armv5l	d64ce359bc97c9643e66057dbd0ea9ed69d5272487e873119dc7a01134f852bc	Mirai	elf gafgyt mirai ua-wget
http://94.26.90.217/vv/armv6l	176858d674f19ed1c385ebfd952caea9f6a76f4b44828d6b8f21985476a35df0	Mirai	elf gafgyt mirai ua-wget
http://94.26.90.217/vv/armv7l	ae5dbccdfcd0e48e2065b462be5879d1c103e3dc9c553ce8eb319c6385580d78	Mirai	elf gafgyt mirai ua-wget
http://94.26.90.217/vv/mips	c9e4443effd31a916b1a5f2b44c2ed541edccd396e74e91df965d11bdd1e4c90	Mirai	elf gafgyt mirai ua-wget
http://94.26.90.217/vv/mipsel	520a8d6ba4d9f083361e3c4758e0edb59a865e772571b91500a511a13fb9295b	Mirai	elf gafgyt mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=683a4571acf88f5815e95008linux22vpnfull_triage

Tags:

agent hype sage

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/2afea218713c7540b59e2f38e6de421b4b7f7979f2b019db625bd23c44eac37d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2afea218713c7540b59e2f38e6de421b4b7f7979f2b019db625bd23c44eac37d/

Threat name:

Linux.Downloader.Generic

Status:

Suspicious

First seen:

2025-05-30 23:48:25 UTC

File Type:

Text (Shell)

AV detection:

5 of 24 (20.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fl7kegdrhr2ubnm6f44onxscdnfx66lz6kybtw3clpjdyrhkyn6q._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250530-3tl3eazjs5/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2afea218713c7540b59e2f38e6de421b4b7f7979f2b019db625bd23c44eac37d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.