MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58030f683db6ba49e440965f120aa29a7fffaff0113b9ec3e22c9cf539bc3a55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	58030f683db6ba49e440965f120aa29a7fffaff0113b9ec3e22c9cf539bc3a55
SHA3-384 hash:	8ba1a7cd3c9b41175936d3c660f919e814ca67607bd5c7f7e8b0e5f1be3a3667c1043758ed162d401128111a3fc35a6c
SHA1 hash:	4dd15505ea11a6361e4c9e35276e25d86b60b214
MD5 hash:	b6daa50a4a86c3cabb5213fd5f2a2d7f
humanhash:	fillet-fourteen-oscar-fourteen
File name:	wget.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	4'572 bytes
First seen:	2025-03-06 03:36:59 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	48:1tLNBLJ8LlLJGL9YqLkDLnly325BN1idt0xYgwHrMw61YYiCwlPlLEDahpSTFv:1xHMpmqcenP5z0d+WgGrBlPyjTFv
TLSH	T18E91D4AC3A514FB64E16DF2AE331C65A604294AB06B14F1464ED70F8FFBED84F210967
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://42.112.26.36/mips	d0a8950232e943e951c209a7ac06f99d76b59839b11ac5b0678ab5667a4c245b	Mirai	ddos elf gafgyt mirai
http://42.112.26.36/mpsl	994cd87c6f0f7edd7efcc88aa5d5ee7b21f2c273cbe8c887363e28f7727a1166	Gafgyt	ddos elf gafgyt mirai
http://42.112.26.36/i686	5f44e47e6ed228ac92fcedc659d8ec02c542a363651d55942a2b355f06fbcb7d	Mirai	ddos elf gafgyt mirai
http://42.112.26.36/arm	153a8a2ddd3d18b9a864a7360b8514ceac65ae64ee4e0f058e9ec361ae91d732	Mirai	elf mirai
http://42.112.26.36/arm5	72eb6026c66c96d050f30a3da54cb3c85fad70f9f5b805ea8cf543835ab38dcd	Gafgyt	elf gafgyt mirai
http://42.112.26.36/arm6	ebfbcbe0c33d53b3f5b5f5e4ac1ec5a8f858ed2aef69c141437e202e3cac75ae	Gafgyt	elf gafgyt mirai
http://42.112.26.36/arm7	5c0cefe3a02543464efb9a60941a8c28b9359b8d715dcf0c3a9c9094b27d3764	Mirai	elf mirai
ftp://2.112.26.36:8021/mips	n/a	n/a	n/a
ftp://2.112.26.36:8021/mpsl	n/a	n/a	n/a
ftp://2.112.26.36:8021/i686	n/a	n/a	n/a
ftp://2.112.26.36:8021/arm	n/a	n/a	n/a
ftp://2.112.26.36:8021/arm5	n/a	n/a	n/a
ftp://2.112.26.36:8021/arm7	n/a	n/a	n/a
ftp://2.112.26.36:8021/arm6	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

1

# of downloads :

84

Origin country :

DE

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67c9196cc8d04e92a4bf41e5linux22vpnfull_triage

Tags:

phishing agent overt remo

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive expand lolbin remote

Link:

https://www.filescan.io/uploads/67c918713c5f644bd9455d5e/reports/222294c7-7804-4a32-860d-39d881725f31/overview

Result

Verdict:

MALICIOUS

Score:

42%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/58030f683db6ba49e440965f120aa29a7fffaff0113b9ec3e22c9cf539bc3a55

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/58030f683db6ba49e440965f120aa29a7fffaff0113b9ec3e22c9cf539bc3a55/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2025-03-06 03:37:22 UTC

File Type:

Text (Shell)

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=labq62b5w25etzcaszprecvctj777l7qce5z5q7cfsopkon4hjkq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250306-d6kbxaw1hv/

Behaviour

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/58030f683db6ba49e440965f120aa29a7fffaff0113b9ec3e22c9cf539bc3a55

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 58030f683db6ba49e440965f120aa29a7fffaff0113b9ec3e22c9cf539bc3a55

(this sample)

elf e4a2df64fcf2b40aac24cca355a7252cd6efbbc3cc834d1c3e9f5744fee1ed0b

URLhaus

https://urlhaus.abuse.ch/url/3469045/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3469046/

URLhaus

https://urlhaus.abuse.ch/url/3469047/

Dropping

MD5 71a6fd6601834d6903cc1a3ac28d99f2

Dropping

SHA256 e4a2df64fcf2b40aac24cca355a7252cd6efbbc3cc834d1c3e9f5744fee1ed0b

URLhaus

https://urlhaus.abuse.ch/url/3469376/

URLhaus

https://urlhaus.abuse.ch/url/3469388/

URLhaus

https://urlhaus.abuse.ch/url/3469419/

URLhaus

https://urlhaus.abuse.ch/url/3469370/

URLhaus

https://urlhaus.abuse.ch/url/3469449/

URLhaus

https://urlhaus.abuse.ch/url/3469405/

URLhaus

https://urlhaus.abuse.ch/url/3469384/

URLhaus

https://urlhaus.abuse.ch/url/3469425/

URLhaus

https://urlhaus.abuse.ch/url/3469440/

URLhaus

https://urlhaus.abuse.ch/url/3469391/

URLhaus

https://urlhaus.abuse.ch/url/3469434/

URLhaus

https://urlhaus.abuse.ch/url/3469395/

URLhaus

https://urlhaus.abuse.ch/url/3469417/

URLhaus

https://urlhaus.abuse.ch/url/3469420/

URLhaus

https://urlhaus.abuse.ch/url/3469418/

URLhaus

https://urlhaus.abuse.ch/url/3469411/

URLhaus

https://urlhaus.abuse.ch/url/3469393/

URLhaus

https://urlhaus.abuse.ch/url/3469369/

URLhaus

https://urlhaus.abuse.ch/url/3469430/

URLhaus

https://urlhaus.abuse.ch/url/3469386/

URLhaus

https://urlhaus.abuse.ch/url/3469451/

URLhaus

https://urlhaus.abuse.ch/url/3469439/

URLhaus

https://urlhaus.abuse.ch/url/3469383/

URLhaus

https://urlhaus.abuse.ch/url/3469438/

URLhaus

https://urlhaus.abuse.ch/url/3469409/

URLhaus

https://urlhaus.abuse.ch/url/3469421/

URLhaus

https://urlhaus.abuse.ch/url/3469385/

URLhaus

https://urlhaus.abuse.ch/url/3469402/

URLhaus

https://urlhaus.abuse.ch/url/3469441/

URLhaus

https://urlhaus.abuse.ch/url/3469390/

URLhaus

https://urlhaus.abuse.ch/url/3469410/

URLhaus

https://urlhaus.abuse.ch/url/3469375/

URLhaus

https://urlhaus.abuse.ch/url/3469380/

URLhaus

https://urlhaus.abuse.ch/url/3469398/

URLhaus

https://urlhaus.abuse.ch/url/3469414/

URLhaus

https://urlhaus.abuse.ch/url/3469399/

URLhaus

https://urlhaus.abuse.ch/url/3469382/

URLhaus

https://urlhaus.abuse.ch/url/3469415/

URLhaus

https://urlhaus.abuse.ch/url/3469427/

URLhaus

https://urlhaus.abuse.ch/url/3469373/

URLhaus

https://urlhaus.abuse.ch/url/3469432/

URLhaus

https://urlhaus.abuse.ch/url/3469374/

URLhaus

https://urlhaus.abuse.ch/url/3469450/

URLhaus

https://urlhaus.abuse.ch/url/3469445/

URLhaus

https://urlhaus.abuse.ch/url/3469400/

URLhaus

https://urlhaus.abuse.ch/url/3469396/

URLhaus

https://urlhaus.abuse.ch/url/3469379/

URLhaus

https://urlhaus.abuse.ch/url/3469437/

URLhaus

https://urlhaus.abuse.ch/url/3469408/

URLhaus

https://urlhaus.abuse.ch/url/3469407/

URLhaus

https://urlhaus.abuse.ch/url/3469422/

URLhaus

https://urlhaus.abuse.ch/url/3469378/

URLhaus

https://urlhaus.abuse.ch/url/3469387/

URLhaus

https://urlhaus.abuse.ch/url/3469443/

URLhaus

https://urlhaus.abuse.ch/url/3469371/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample