MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 684f2521235470d19da62f352264ea20c89f2261fc9ffc2f9c41291079ec2e9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	684f2521235470d19da62f352264ea20c89f2261fc9ffc2f9c41291079ec2e9e
SHA3-384 hash:	2e1a9b0e822d29d6afe4164642e53fd2d8e8e5d88d63d146d8769118250bef02ff6693a7df430357695c2d532a2f99da
SHA1 hash:	228626405ecb4ab4fd8ea67aa8ad9b3387de88fd
MD5 hash:	07b25e0a2df1bec5ea2d908efa684a3d
humanhash:	william-pasta-one-september
File name:	f
Download:	download sample
File size:	1'298 bytes
First seen:	2025-05-09 23:27:41 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:yRk5zOt+MB0A1DkgSxnkxnmkgSx3xJkgmm0kg2jZEokgm/Nkgi6jn:4k5CEA0OkgOomkgOhJkgekgIZVkg4kg/
TLSH	T18521E7CF0158CC71A4409DDD35D35915758E86F96ACBCF8B648E01F9A4CDF0CB291EAA
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.218.87.28/vv/armv4l	35c14500814ac5bc2c71312bb1323f3be34afa878c7f06cefb0bf26f983564db	Mirai	elf gafgyt mirai ua-wget
http://94.26.90.217/vv/armv5l	d64ce359bc97c9643e66057dbd0ea9ed69d5272487e873119dc7a01134f852bc	Mirai	elf gafgyt mirai ua-wget
http://94.26.90.217/vv/armv6l	176858d674f19ed1c385ebfd952caea9f6a76f4b44828d6b8f21985476a35df0	Mirai	elf gafgyt mirai ua-wget
http://185.218.87.28/vv/armv7l	200e571bc0a6d2562563022dfcc60ac5ac8c2e40eb73a053be8555349a674a69	Mirai	elf gafgyt mirai ua-wget
http://185.218.87.28/vv/mips	n/a	n/a	elf gafgyt ua-wget
http://185.218.87.28/vv/mipsel	a49f50fdba0de9c330d0980f6cce815c1525d0800adeab6c3d82a7954923ef02	Mirai	elf gafgyt mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681e90b44a59e5a2ce037b2elinux22vpnfull_triage

Tags:

agent hype sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive obfuscated

Link:

https://www.filescan.io/uploads/681e8f870b64e174c42060d4/reports/d14b3cfb-f1d1-45bf-b0a3-987ccfb96ded/overview

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/684f2521235470d19da62f352264ea20c89f2261fc9ffc2f9c41291079ec2e9e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/684f2521235470d19da62f352264ea20c89f2261fc9ffc2f9c41291079ec2e9e/

Threat name:

Script-Shell.Trojan.Heuristic

Status:

Malicious

First seen:

2025-05-09 23:30:10 UTC

File Type:

Text (Shell)

AV detection:

7 of 35 (20.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nbhskijdkryndhngf42sezhkedej6itb7sp7yl44ieura6pmf2pa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250509-3g7tcaslx2/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/684f2521235470d19da62f352264ea20c89f2261fc9ffc2f9c41291079ec2e9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.