MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a321f42ba172b145065299e35f35007815b57f652bd5ab3486ce2a4bb73475cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a321f42ba172b145065299e35f35007815b57f652bd5ab3486ce2a4bb73475cf
SHA3-384 hash: 6f4a7aa93c5056d124c258b7bc836c2d22b199671c41002bedd9a3bc3bfde01957605e28578e25eba9e87e8fcfe824eb
SHA1 hash: 967199e46677692708b6913342bb6d816dc8b73b
MD5 hash: 92df1b150a8b5e2861c1bf81452e3e59
humanhash: lion-eighteen-tennessee-bacon
File name:t
Download: download sample
File size:2'253 bytes
First seen:2025-04-22 15:17:51 UTC
Last seen:Never
File type: sh
MIME type:text/plain
ssdeep 48:4k5CEA02f7k1Uk14k1Qk1gZtk14k1ak1uk1Qk17fgk1ak1oqak10k18j:tCEA0lNRJ1JPLZ1Pz1q
TLSH T1FA41BFEF01EC4411E841CDAD76D388E4A68D89CE2CC9CA4B646F4523B8CC95F3C94F8A
Magika shell
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://82.24.200.71/tt/armv4l34bf22669c899430ece4cf3272594d75c29d8bdb1ebb26b2bf0f997f9980fdbf Miraielf gafgyt mirai ua-wget
http://82.24.200.71/tt/armv5l7c2198f1d618c12cd7c30328f2c0821d1b0c948adba0b437c529a8272c8d612c Gafgytelf gafgyt ua-wget
http://82.24.200.71/tt/armv6l55173c8faa1f6bc92874c55fd280be21f7e581c1076ac50f238ff1c97b9f3a9f Gafgytelf gafgyt ua-wget
http://82.24.200.71/tt/armv7lae3d740fc5a9fac12d1ef7c9204a0e25574d095a803baa988e093b8f577fb3bc Miraielf gafgyt mirai ua-wget
http://82.24.200.71/tt/mipsn/an/aelf gafgyt ua-wget
http://82.24.200.71/tt/mipsela49f50fdba0de9c330d0980f6cce815c1525d0800adeab6c3d82a7954923ef02 Miraielf gafgyt mirai ua-wget
http://82.24.200.71/tt/sh4b71d233c1ccc47ea7d2b3300680e113278a7dc23345a2c40f7ab31e95a1f835f Gafgytelf gafgyt ua-wget
http://82.24.200.71/tt/sparcac2d50248dc2a39a5c1ffaceaa71fc3914526beb7ff7c8e334855258b4fab2bd Miraielf gafgyt mirai ua-wget
http://82.24.200.71/tt/riscv3277b63db3ecf5222275cc98a68606b7d5313528e695b193257a601b7d30d837ba Miraielf gafgyt mirai ua-wget
http://82.24.200.71/tt/powerpcaaa59a329b7d9ace426ce5afbfeb6b15f5a8010865de4bad68e3ec03aa1f5a59 Miraielf gafgyt mirai ua-wget
http://82.24.200.71/tt/armv4eb14f18f18dcf6196d11f6d2be53bf18291d8c60ab174f58068444766dbac34d75 Gafgytelf gafgyt ua-wget
http://82.24.200.71/tt/arcdab7fc4d48eb479c2c58e1fbd10dcec31b8ace12091be9b81eac08dc085e12fe Miraielf gafgyt mirai ua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6807b444a37ff28e12980caelinux22vpnfull_triage
Tags:
agent hype sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
busybox evasive
Link:
https://www.filescan.io/uploads/6807b34f90767142c3e00e25/reports/d1f4fcea-f1ec-4876-a82a-193a59a7fade/overview
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/a321f42ba172b145065299e35f35007815b57f652bd5ab3486ce2a4bb73475cf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a321f42ba172b145065299e35f35007815b57f652bd5ab3486ce2a4bb73475cf/
Threat name:
Script-Shell.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-04-22 15:20:35 UTC
File Type:
Text (Shell)
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=umq7ik5bokyukbssthrv6niapak3k73ffpk2wnegzyvexnzuoxhq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250422-sq1fhstjw2/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a321f42ba172b145065299e35f35007815b57f652bd5ab3486ce2a4bb73475cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202412_suspect_bash_script
Create hunting rule
Author:abuse.ch
Description:Detects suspicious Linux bash scripts

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh a321f42ba172b145065299e35f35007815b57f652bd5ab3486ce2a4bb73475cf

(this sample)

Mirai

elf 34bf22669c899430ece4cf3272594d75c29d8bdb1ebb26b2bf0f997f9980fdbf

  
URLhaus
https://urlhaus.abuse.ch/url/3521956/
  
Delivery method
Distributed via web download
  
Dropping
MD5 7857c0f728fa3a1db2d6fcd9783d2e39
  
Dropping
SHA256 34bf22669c899430ece4cf3272594d75c29d8bdb1ebb26b2bf0f997f9980fdbf

Comments