MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e8ddd675c8da6e3811609cb436b8b2d978afe0aa5c6ac3eec12d49de331d6b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	2e8ddd675c8da6e3811609cb436b8b2d978afe0aa5c6ac3eec12d49de331d6b5
SHA3-384 hash:	8119cc699e25f9018d1cd45334ecea49703812906cedbf496e65ec1e5b831610b68e5e785e94183b6f304f502ca6bb5a
SHA1 hash:	4d933f52661f9d32a8a7453eba75988a070e5719
MD5 hash:	9d824e7523534cb96957add5f21cfe59
humanhash:	mississippi-tennessee-blue-apart
File name:	t
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'109 bytes
First seen:	2025-04-04 15:47:15 UTC
Last seen:	2025-04-05 13:30:25 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:g9SgfIjoBsoIoAhXCWoCJoPtyVHwmfH8xVHWGCdVHZl+ZfP:w5I9VCgyEVH/ExVHHCdVHZl+ZfP
TLSH	T14F51D2CC729AD29F4F8D5843AD4D8DAD2166C36B56C0BB43879CFDAD144AB85D50C488
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://154.205.128.91/zd2/arm	1a6802bea6ffdc55432fc3d7908e79ac74163868d3e6d027e33b27d723b4febc	Mirai	elf mirai ua-wget
http://154.205.128.91/zd2/arm5	2fe73469585483a503006d519deaa40b780cc4874a583d7e568173bc4bece315	Mirai	elf mirai ua-wget
http://154.205.128.91/zd2/arm6	n/a	n/a	elf ua-wget
http://154.205.128.91/zd2/arm7	e84c7c625a0bad135fbb696ae39cd0df03e34bb20508b9b7ef3dcb03cb9d595b	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-36.UNOFFICIAL

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67f02378cfd0a37f830e3146linux22vpnfull_triage

Tags:

malware

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive expand lolbin remote

Link:

https://www.filescan.io/uploads/67efff392d430c849e072252/reports/85c58688-02be-43b0-9b01-7abcada44588/overview

Verdict:

Malicious

Labled as:

Downloader/Shell.Generic

Link:

https://www.hybrid-analysis.com/sample/2e8ddd675c8da6e3811609cb436b8b2d978afe0aa5c6ac3eec12d49de331d6b5

Score:

28%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/2e8ddd675c8da6e3811609cb436b8b2d978afe0aa5c6ac3eec12d49de331d6b5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e8ddd675c8da6e3811609cb436b8b2d978afe0aa5c6ac3eec12d49de331d6b5/

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2025-04-04 15:23:18 UTC

File Type:

Text (Shell)

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f2g52z24rwtohaiwbhfug24lfwlyv7qkuxdkypxmclkj3yzr222q._file

Result

Malware family:

n/a

Score:

9/10

Tags:

credential_access defense_evasion discovery linux

Link:

https://tria.ge/reports/250404-wxqrfa11ex/

Behaviour

Reads runtime system information

Writes file to tmp directory

Changes its process name

Reads system network configuration

Reads process memory

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Renames itself

Unexpected DNS network traffic destination

Creates a large amount of network flows

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2e8ddd675c8da6e3811609cb436b8b2d978afe0aa5c6ac3eec12d49de331d6b5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 2e8ddd675c8da6e3811609cb436b8b2d978afe0aa5c6ac3eec12d49de331d6b5

(this sample)

Mirai

elf 1a6802bea6ffdc55432fc3d7908e79ac74163868d3e6d027e33b27d723b4febc

URLhaus

https://urlhaus.abuse.ch/url/3501122/

Delivery method

Distributed via web download

Dropping

MD5 fb66aa5b88ab1098a22937a90a016bd7

Dropping

SHA256 1a6802bea6ffdc55432fc3d7908e79ac74163868d3e6d027e33b27d723b4febc

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample