MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e887e661cf9998713dc3f9fd5f3040352ee75b23f4f8bb4289b8c3ee5d5ce37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	4e887e661cf9998713dc3f9fd5f3040352ee75b23f4f8bb4289b8c3ee5d5ce37
SHA3-384 hash:	d3b9104bcde8c944dec219d21551b1946745412b74dea0dbd96245b79085a3e001503489562e6744005f15bbd1f1cf55
SHA1 hash:	cb9b260a352b37f5d8327b49a416c78d0ca65e9e
MD5 hash:	92311feabfb6dfc9bf754d91719f7fbb
humanhash:	charlie-foxtrot-don-six
File name:	z.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	560 bytes
First seen:	2025-02-19 16:26:50 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	6:hD6FXX+YJrOg6FaE59Cu6FeSso+d26FNx0FiTPPJV6Fm8xHL6FuNFITTTABCM:2X+iOMoCaSso+dT8iT3JP8x3cPM9
TLSH	T1A3F012CB15A4AF404012D96E326B5AE82195C7CF2D4FDFD4EDBE093EE588D5CB818A48
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://83.150.218.193/12	n/a	n/a	n/a
http://83.150.218.193/b2	2c577a591c4656fa4426e8ee040cce64052b53c01f7da044bc580630be883bc8	Mirai	elf mirai ua-wget
http://83.150.218.193/b3	57c6b7c1422806dc37c1aa9cf20a151d1ec2f514cdbee65939ab292934397f59	Mirai	elf mirai ua-wget
http://83.150.218.193/b4	abd6abe413e7d646311df6fb5b9f0a1760b5753a976355ac81072200b05dc14c	Mirai	elf mirai ua-wget
http://83.150.218.193/b5	34c56a87e3f9fb244587cdeb232a0b0c5d5c17c6a62ce8214c5c795b05727f2a	Mirai	elf mirai ua-wget
http://83.150.218.193/b6	66bdd791941a9696efd797bae16fc8e2342e973e70eee2eb5fe9970cd6754288	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-35.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67b6073328ab76d43a5bef09linux22vpnfull_triage

Tags:

agent hype sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/67b60896c39c4a5beb86d4d4/reports/fc8eb824-3868-4d90-a42e-3994081d382d/overview

Result

Verdict:

MALICIOUS

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/4e887e661cf9998713dc3f9fd5f3040352ee75b23f4f8bb4289b8c3ee5d5ce37

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4e887e661cf9998713dc3f9fd5f3040352ee75b23f4f8bb4289b8c3ee5d5ce37/

Threat name:

Linux.Trojan.Multiverze

Status:

Malicious

First seen:

2025-02-19 16:27:16 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j2eh4zq47gmyoe64h6p5l4yeanjo45nsh5hyxnbitogd5zovzy3q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux

Link:

https://tria.ge/reports/250219-tycvvsvkfm/

Behaviour

Reads runtime system information

Writes file to tmp directory

Changes its process name

Reads system network configuration

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4e887e661cf9998713dc3f9fd5f3040352ee75b23f4f8bb4289b8c3ee5d5ce37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.