MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 512c85432f47149b04a2620dea12b2520857884e398b886d768468a16ced73d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Xorbot

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	512c85432f47149b04a2620dea12b2520857884e398b886d768468a16ced73d5
SHA3-384 hash:	785d00faa2fd2e69c4d7f11b5a5976387059c802c53ecb34f4bbcb36be9554251f5ff293de926df7aab2ddb794dca413
SHA1 hash:	bde31e4db33a17ed1e37364a26242e12f6b0bbbb
MD5 hash:	1f4d23e931eb2509fb595dbf127fdfe2
humanhash:	helium-speaker-solar-burger
File name:	bins.sh
Download:	download sample
Signature	Xorbot Create hunting rule
File size:	10'494 bytes
First seen:	2025-02-28 19:17:06 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	192:1N5dmvfK3Q3k3x3+3e3rzHkJpgD5B5Z5uFpYFwIva22k0iOaQCTjPLaL2Lzm+zw+:1N5dmvfK3Q3k3x3+3e3rzHkJpgDf7JFJ
TLSH	T1D522FDD8368390625701CF2E7DB6E8286053E2852DE1AB50D8EC5CED4CCDE9DB16CE5E
Magika	shell
Reporter	abuse_ch
Tags:	sh Xorbot

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://37.44.238.88/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G	dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47	Mirai	elf mirai ua-wget
http://37.44.238.88/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv	8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579	Mirai	elf mirai ua-wget
http://37.44.238.88/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E	n/a	n/a	n/a
http://37.44.238.88/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki	ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588	Mirai	elf mirai ua-wget
http://37.44.238.88/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr	n/a	n/a	n/a
http://37.44.238.88/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX	94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9	Mirai	elf mirai ua-wget
http://37.44.238.88/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	n/a	n/a	n/a
http://37.44.238.88/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q	2d63c81a782853efe672a1d9cb00a339ec57207b4075754a1baf1df9af466948	Mirai	elf mirai ua-wget
http://37.44.238.88/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR	54302d130cd356fb19ea5a763c5ab6b0892fc234118f10ba3196ec4245c83b4d	Mirai	elf mirai ua-wget
http://37.44.238.88/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75	n/a	n/a	n/a
http://37.44.238.88/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f	043df61baf17d6a2353b418c5f87eebea4ca1c3fd6b63eaccc34d9bcd0556832	Mirai	elf mirai ua-wget
http://37.44.238.88/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa	0cbb1e62423a82d17a7b1c9def6a5570a8414f36e2623f1d82cd4e6281930944	Mirai	elf mirai ua-wget
http://37.44.238.88/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb	2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70	Mirai	elf mirai ua-wget
http://37.44.238.88/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q	5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Sanesecurity.Malware.30787.LX.BOT.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67c20cee4e50050b2e6f1a88linux22vpnfull_triage

Tags:

agent hype sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/67c20bbd3c5f644bd93cff9e/reports/a52431e5-fb39-4b11-9d03-d1948959f3fc/overview

Result

Verdict:

UNKNOWN

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/512c85432f47149b04a2620dea12b2520857884e398b886d768468a16ced73d5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/512c85432f47149b04a2620dea12b2520857884e398b886d768468a16ced73d5/

Threat name:

Win32.Trojan.Mirai

Status:

Malicious

First seen:

2025-02-28 19:17:17 UTC

File Type:

Text (Shell)

AV detection:

16 of 38 (42.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kewikqzpi4kjwbfcmig6uevskiefpccohgfyq3lwqrukc3hnopkq._file

Result

Malware family:

xorbot

Score:

10/10

Tags:

family:xorbot antivm botnet defense_evasion discovery execution linux persistence privilege_escalation trojan

Link:

https://tria.ge/reports/250228-xzgf8awjw6/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

Creates a large amount of network flows

Creates/modifies Cron job

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Renames itself

Contacts a large (570) amount of remote hosts

Detects Xorbot

Xorbot

Xorbot family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/512c85432f47/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/512c85432f47149b04a2620dea12b2520857884e398b886d768468a16ced73d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.