MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 925d5525563d3438245bfc9bd409a5b126b96cf449f7d540bffe284f56d5745d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Ngioweb
Vendor detections: 6

SHA256 hash: 925d5525563d3438245bfc9bd409a5b126b96cf449f7d540bffe284f56d5745d
SHA3-384 hash: bb8c985633c2378fd3db03157821337e97acf99146cb47661c2c19c981e9f8b06962e69dc0b58c17e51b45e6091d580e
SHA1 hash: 70056edf336bfffe9e202f2c3ef7c6a3f340da35
MD5 hash: fb151744ccc778f6ca910d0b586bc687
humanhash: table-speaker-connecticut-mirror
File name: router-atemi-rep.sh
Signature: Ngioweb
File size: 824 bytes
First seen: 2025-11-08 13:38:08 UTC
Last seen: 2025-11-08 23:17:35 UTC
File type: sh
MIME type: text/plain
ssdeep: 24:pFAHDxXHDx4HDxWHDxlHDxOHDxv7HDx47He:p8Dx3DxaDxoDxtDxADxDDxOe
TLSH: T10F01407E3D5F69D4C55CE700F870B5215188CB8730A13B14719C5D3584EAA847B2AF26
Magika: batch
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://87.121.84.80/frost.armv7 | d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b | Ngioweb | elf geofenced Ngioweb ua-wget USA
http://87.121.84.80/frost.armv6 | f08d8c43beedbc8d45ea133b44dd09e13d80d725846eac7615141dee9064907e | Ngioweb | elf geofenced Ngioweb ua-wget USA
http://87.121.84.80/frost.armv5 | 966770e3938bb350119a960948a15421d9c6e0944c4d49f5aa631d3bd9fee703 | Ngioweb | elf geofenced Ngioweb ua-wget USA
http://87.121.84.80/frost.mips | n/a | n/a | elf geofenced ua-wget USA
http://87.121.84.80/frost.mipsel | 8758eddd99d34eae170f69fe5c58231a546fef0f56a7e30eefac59ef10ca906b | Mirai | elf geofenced mirai ua-wget USA
http://87.121.84.80/frost.aarch64 | 7997eca9041eb31e0264e9273d28e3b672f6f6cb206919ea1167610cfa601f93 | Mirai | elf geofenced mirai ua-wget USA
http://87.121.84.80/frost.x86 | 296d6af5b711aada05ec72d517af8b677c32d4f894fda2934ad5289b7f671619 | Mirai | elf geofenced mirai ua-wget USA
http://87.121.84.80/frost.x86_64 | a85c562d0b13602adfad63635f895ba1fcd8f4780121f7f98febc10fbfba1819 | Mirai | elf geofenced mirai ua-wget USA

Intelligence

File Origin
# of uploads: 3
# of downloads: 36
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive mirai

Verdict: Malicious
File Type: unix shell
First seen: 2025-11-08T11:06:00Z UTC
Last seen: 2025-11-08T12:09:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph: [rendered as an image; not recoverable as text. The process tree it depicts: /tmp/sample.bin launched via /usr/bin/sudo, repeatedly spawning /usr/bin/wget (network send, file write), /usr/bin/chmod, /usr/bin/dash and /usr/bin/rm (file delete), then executing the downloaded /tmp/siyb. The wget processes send requests to 87.121.84.80:80 (the host serving the payloads listed above); the /tmp/siyb children issue DNS queries to several public resolvers on port 53 and are left as zombies.]
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2025-11-08 13:38:16 UTC
File Type: Text (Shell)
AV detection: 12 of 37 (32.43%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | Malware sample (SHA256 hash)
Web download | Ngioweb | sh 925d5525563d3438245bfc9bd409a5b126b96cf449f7d540bffe284f56d5745d (this sample)

Delivery method: Distributed via web download