MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b60235adbed0380f8d11f1b5c13eec42a2e8fcf42f75d0d802eefe273e2f717. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	4b60235adbed0380f8d11f1b5c13eec42a2e8fcf42f75d0d802eefe273e2f717
SHA3-384 hash:	2e93242e2a20eba29a39401384f527416069fc3ad3b0edbee14f96a702dfab478c73f8785acadcee3bb0fec84cdf56b2
SHA1 hash:	07737dce04d7f61ca0169961cd6bcde5e69a155c
MD5 hash:	e421cd973072440a230d9a259b184e75
humanhash:	uniform-fix-october-spring
File name:	curl.sh
Download:	download sample
File size:	790 bytes
First seen:	2025-11-22 12:14:56 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:KhI5W3CtI1/TbN/pBwBt/G1npLOhc/U26/AliAE//hqlHW/zoJi5/I3bQW/5ecr:KOQyS1bbjB/1npLOZEliAuqlOoJFbCcr
TLSH	T1CA01DBC842615673D34CDE1FB693807E422AF2CC50261BD4F9A746798680BC5F518A77
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.100.22/arm	e6c563c09c5b0d3ece466e66741c73e24763c901a9511f2664128ba80ee653af	Mirai	32-bit elf mirai Mozi
http://196.251.100.22/arm5	07ad16f0878b5af7f123753058da3660d83cac7a6244038fa82a5279ecbcdec7	Mirai	elf mirai ua-wget
http://196.251.100.22/arm7	0feffdb13c3bce429c074cf1b5d10a33001b34a4e21d014d5f5151a9d01283f6	Mirai	elf mirai ua-wget
http://196.251.100.22/mips	7496c6976b0e8438ea6f69e103f1af1e6d501a7fe26380914cbfc4010d6cf5b5	Mirai	32-bit elf mirai Mozi
http://196.251.100.22/mpsl	1e8f3cf5b4d3f882baf522d62bf9fc105fc34ad3562f0d2dca48dad26f5e2b26	Mirai	elf mirai ua-wget
http://196.251.100.22/arc	d633d1ca4811f232d0594a19e7fb1caff2af4de4c229d06a60e0ae31068a5bd6	Mirai	elf mirai ua-wget
http://196.251.100.22/aarch64	f5433635d351bd7e97ec67483b7bbd10618996afac326c6c65cb12bbb7b1a28e	Mirai	elf mirai ua-wget
http://196.251.100.22/powerpc	n/a	n/a	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive mirai

Link:

https://www.filescan.io/uploads/6921a9615d3feebe12d78c76/reports/efed820a-4b1b-4b10-9d9d-42a763e3583f/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-22T09:30:00Z UTC

Last seen:

2025-11-23T10:38:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/4b60235adbed0380f8d11f1b5c13eec42a2e8fcf42f75d0d802eefe273e2f717/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/a8ff4dba-ae64-409e-bc17-6d05f6ada1bc

Behavior Graph:

Download SVG

Score:

86%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/4b60235adbed0380f8d11f1b5c13eec42a2e8fcf42f75d0d802eefe273e2f717

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b60235adbed0380f8d11f1b5c13eec42a2e8fcf42f75d0d802eefe273e2f717/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/4b60235adbed0380f8d11f1b5c13eec42a2e8fcf42f75d0d802eefe273e2f717

Threat name:

Document-HTML.Trojan.Vigorf

Status:

Malicious

First seen:

2025-11-22 12:07:52 UTC

File Type:

Text (Shell)

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jnqcgww35ubyb6grd4nvye7oyqvc5d6pil3v2dmaf3x6e47c64lq._file

Result

Malware family:

n/a

Score:

9/10

Tags:

antivm credential_access defense_evasion discovery linux

Link:

https://tria.ge/reports/251122-pe5djswrhy/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads process memory

Enumerates running processes

File and Directory Permissions Modification

Deletes system logs

Executes dropped EXE

Renames itself

Unexpected DNS network traffic destination

Contacts a large (32519) amount of remote hosts

Creates a large amount of network flows

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/4b60235adbed0380f8d11f1b5c13eec42a2e8fcf42f75d0d802eefe273e2f717

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 4b60235adbed0380f8d11f1b5c13eec42a2e8fcf42f75d0d802eefe273e2f717

(this sample)

Mirai

elf 39ccf5403edb501d79b7d765ec915f3bf78840ecc9ae4ded56e205a539b33ff1

URLhaus

https://urlhaus.abuse.ch/url/3713974/

Delivery method

Distributed via web download

Dropping

MD5 ee47c39eaec4a0d16d33095620acba41

Dropping

SHA256 39ccf5403edb501d79b7d765ec915f3bf78840ecc9ae4ded56e205a539b33ff1

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample