MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 665618db858c303cc4d0085e31db15fcc2bdf10a66e12b14c3ee1fbee962ba5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 665618db858c303cc4d0085e31db15fcc2bdf10a66e12b14c3ee1fbee962ba5f
SHA3-384 hash: 2e364c32102834938d1d28e9b264dd413526fdd645a7dda0ef2e9e0ff469388f1c3b54f9944c099ba7523e63d37cb5b9
SHA1 hash: 74b2a1cd2cefda0e78087c033fdde64886907430
MD5 hash: 511e4a9300ac1c3a863dd483434e87ae
humanhash: winner-failed-eighteen-twelve
File name: ISIS.sh
File size: 2'007 bytes
First seen: 2025-03-29 15:53:49 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep 48:vpdnth4t/pdPaLaMalspzHdHp4H/3pqc9opOQfEp1ja17pNfQ9prlkXpIA/Fipdo:v/th4t/3aLaMalspdpe/4c9oMQfE3jaV
TLSH T109418686249106B07CA6D4777369AD1430D4A24EA8CA7F8FBBDC38E54C8CEB5B5347C6
Magika shell
Reporter abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags

Intelligence


File Origin
# of uploads: 1
# of downloads: 46
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
Score: 94.9%
Tags: trojandownloader trojware agent
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-03-29 15:54:28 UTC
File Type: Text (Shell)
AV detection: 17 of 24 (70.83%)
Threat level: 3/5
Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion linux
Behaviour: File and Directory Permissions Modification
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

Comments