MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8e5199d370257776a8ed95f956756ed8d867c2d1c704664989d38339c4141fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	c8e5199d370257776a8ed95f956756ed8d867c2d1c704664989d38339c4141fc
SHA3-384 hash:	5ddba488a96071163cf8cd91726173eded4b1355e7098e525ccecc2f356290dc01bba8e97c5854f0b0e46cd4332acc26
SHA1 hash:	4881e93f456ab1e7ab714d3e40b7c5c9b8c5372f
MD5 hash:	b5fa0fab775995f860fcecb930969f44
humanhash:	romeo-comet-berlin-jupiter
File name:	t
Download:	download sample
File size:	675 bytes
First seen:	2025-12-07 07:16:46 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:q+ZDa3HW0paaHW0JzvaJzMHW0vIjDavIMHW0aDarHWp:/ZkWkW0zSzGWonhWPwWp
TLSH	T17A0171FF445605B91980A91AF9560834F0275BEB94E9CF8E9D4F3E322B8D6683021F68
Magika	batch
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://213.209.143.115/mips	e25da70731e7b364c13a7b8d445b94e5c6d4cf19e7582c4026ed131bfb3c18f2	Mirai	32-bit elf mirai Mozi
http://213.209.143.115/mpsl	449e30caaa96c2833e4f381071095addc874ad4bab41e21225acf6356145c0ed	Mirai	elf mirai ua-wget
http://213.209.143.115/arm4	a3d5e3c3e422d72ef0e095e164f2706e250839eaf52e24dd7624f6e3e250f8da	Mirai	elf mirai ua-wget
http://213.209.143.115/arm5	6e8fe7eb62a0b5bfaf5c1781118f169c63491fd9505fb8ab29ab76f21be2bf11	Mirai	elf mirai ua-wget
http://213.209.143.115/arm7	993920f995d1d60d9bf063876b2ffb03ba3106110070a64f8d66575c39154fed	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

File Type:

text

First seen:

2025-12-07T05:26:00Z UTC

Last seen:

2025-12-07T06:45:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/c8e5199d370257776a8ed95f956756ed8d867c2d1c704664989d38339c4141fc/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c8e5199d370257776a8ed95f956756ed8d867c2d1c704664989d38339c4141fc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c8e5199d370257776a8ed95f956756ed8d867c2d1c704664989d38339c4141fc/

Threat name:

Linux.Downloader.Generic

Status:

Suspicious

First seen:

2025-12-07 03:56:52 UTC

File Type:

Text (Shell)

AV detection:

12 of 36 (33.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zdsrthjxajlxo2uo3fpzkz2w5wgym7bndryemzeytu4dhhcbih6a._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251207-h5lkssvrek/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c8e5199d370257776a8ed95f956756ed8d867c2d1c704664989d38339c4141fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.