MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1e561586f25b4e5a49cff92ce47ea07fbdd7bb5e5a4978da35eb5ee91ce96bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1e561586f25b4e5a49cff92ce47ea07fbdd7bb5e5a4978da35eb5ee91ce96bf
SHA3-384 hash: 406eb14965590b7d01a60eb3ad6fd7b64b5514177e17a12b4e3adaf5111f929793269c1f7c02ffa521d7a797f7d714ce
SHA1 hash: 2fe6d21e0023a527d60c095add08aac5e5f9e151
MD5 hash: 1ecb66b812afc91faac199dc0d66d04f
humanhash: black-delaware-princess-spaghetti
File name:c.sh
Download: download sample
File size:1'116 bytes
First seen:2025-12-21 09:31:36 UTC
Last seen:Never
File type: sh
MIME type:text/plain
ssdeep 24:3J3UE5QEcfNIZEtzAEVKT8EHyEOrMETt+3E3e/EKuEzBE1gEkzA:tWHDQJ+rpt+EedX02E
TLSH T11621D68F015CB99B160DCF15716750DC77F0D2E8A0B2A943B414B9F3AA882432575EFB
Magika batch
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://91.92.243.68/Fantazy.armn/an/acensys elf ua-wget
http://91.92.243.68/Fantazy.arm5ecc57dad5f28e2f8b0cb3182917d3e985894130c8ad4f640f28dad25a3dd8ccb Miraicensys elf mirai ua-wget
http://91.92.243.68/Fantazy.arm69b51caf8e94f32dab03ffef1c66022182ce2876bd1ce474721f52c3f336e03fc Miraicensys elf mirai ua-wget
http://91.92.243.68/Fantazy.arm7d0e69826172390416075ecef3feb17d339b41888896f3868f3d206da1a26bf85 Miraielf mirai ua-wget
http://91.92.243.68/Fantazy.m68kde368b33b9e3f721e2f25faa827ab02ad9e834d8e79a5c032bc8230b9e1175a1 Miraicensys elf mirai ua-wget
http://91.92.243.68/Fantazy.mips0f6b0327fb3d814eab9fb2a7674195a381936da4e4c4dcad7f42553d37dc0b28 Miraicensys elf mirai ua-wget
http://91.92.243.68/Fantazy.mpslf43e3602afc7424afe5aa04e34f5a6603a220696cf9954afc849bd16d17fe54a Miraicensys elf mirai ua-wget
http://91.92.243.68/Fantazy.ppcdc9650fb46972e8461b462ed2e2c9ce6e90157c15743f63f1e977459a7b5bad9 Miraicensys elf mirai ua-wget
http://91.92.243.68/Fantazy.sh49e794fdbae88d594f54e5b2c4d568e2d552e14063cb66963b21f78504a248434 Miraicensys elf mirai ua-wget
http://91.92.243.68/Fantazy.spcaab2354eb4373b0b6ac3b4ffbd9fcace62ec787b473f231f55976594757cbdf5 Miraicensys elf mirai ua-wget
http://91.92.243.68/Fantazy.x86165e9ae4a6cb930e7560a3e88063642a1e5c356cbd6be7d6545ab1d50f7c1a0b Miraielf mirai ua-wget
http://91.92.243.68/Fantazy.x86_648e40e40a596baaa7a901898832a4508f9b0f7ca527ce42fabd80ce01cf8452de Miraicensys elf mirai ua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
31
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Linux.Downloader-33.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
mirai
Link:
https://www.filescan.io/uploads/6947beb4e126b9ff438a970d/reports/89fe9201-142c-4cb4-9183-1a5574534fda/overview
Verdict:
Malicious
File Type:
ps1
First seen:
2025-12-21T07:17:00Z UTC
Last seen:
2025-12-21T12:48:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/d1e561586f25b4e5a49cff92ce47ea07fbdd7bb5e5a4978da35eb5ee91ce96bf/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/4799a7aa-0230-4280-b320-419d524f91a3
Behavior Graph:
Download SVG
%3 guuid=2b0775c0-1700-0000-4462-7000d90c0000 pid=3289 /usr/bin/sudo guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295 /tmp/sample.bin guuid=2b0775c0-1700-0000-4462-7000d90c0000 pid=3289->guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295 execve guuid=dad6abc2-1700-0000-4462-7000e10c0000 pid=3297 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=dad6abc2-1700-0000-4462-7000e10c0000 pid=3297 execve guuid=c57a0ecf-1700-0000-4462-7000ff0c0000 pid=3327 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=c57a0ecf-1700-0000-4462-7000ff0c0000 pid=3327 execve guuid=de898ccf-1700-0000-4462-7000010d0000 pid=3329 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=de898ccf-1700-0000-4462-7000010d0000 pid=3329 clone guuid=67259fcf-1700-0000-4462-7000020d0000 pid=3330 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=67259fcf-1700-0000-4462-7000020d0000 pid=3330 execve guuid=ab2b70dd-1700-0000-4462-70000b0d0000 pid=3339 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=ab2b70dd-1700-0000-4462-70000b0d0000 pid=3339 execve guuid=159db5dd-1700-0000-4462-70000c0d0000 pid=3340 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=159db5dd-1700-0000-4462-70000c0d0000 pid=3340 clone guuid=e309c8dd-1700-0000-4462-70000e0d0000 pid=3342 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=e309c8dd-1700-0000-4462-70000e0d0000 pid=3342 execve guuid=3f3d07ed-1700-0000-4462-7000350d0000 pid=3381 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=3f3d07ed-1700-0000-4462-7000350d0000 pid=3381 execve guuid=2cc443ed-1700-0000-4462-7000370d0000 pid=3383 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=2cc443ed-1700-0000-4462-7000370d0000 pid=3383 clone guuid=157b49ed-1700-0000-4462-7000380d0000 pid=3384 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=157b49ed-1700-0000-4462-7000380d0000 pid=3384 execve guuid=8d2247fe-1700-0000-4462-7000710d0000 pid=3441 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=8d2247fe-1700-0000-4462-7000710d0000 pid=3441 execve guuid=151687fe-1700-0000-4462-7000730d0000 pid=3443 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=151687fe-1700-0000-4462-7000730d0000 pid=3443 clone guuid=050593fe-1700-0000-4462-7000740d0000 pid=3444 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=050593fe-1700-0000-4462-7000740d0000 pid=3444 execve guuid=1765130c-1800-0000-4462-7000a20d0000 pid=3490 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=1765130c-1800-0000-4462-7000a20d0000 pid=3490 execve guuid=8272500c-1800-0000-4462-7000a40d0000 pid=3492 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=8272500c-1800-0000-4462-7000a40d0000 pid=3492 clone guuid=142c570c-1800-0000-4462-7000a50d0000 pid=3493 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=142c570c-1800-0000-4462-7000a50d0000 pid=3493 execve guuid=8f01ff1b-1800-0000-4462-7000c90d0000 pid=3529 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=8f01ff1b-1800-0000-4462-7000c90d0000 pid=3529 execve guuid=9da53b1c-1800-0000-4462-7000cb0d0000 pid=3531 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=9da53b1c-1800-0000-4462-7000cb0d0000 pid=3531 clone guuid=0a49451c-1800-0000-4462-7000cc0d0000 pid=3532 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=0a49451c-1800-0000-4462-7000cc0d0000 pid=3532 execve guuid=cc369f2c-1800-0000-4462-7000f10d0000 pid=3569 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=cc369f2c-1800-0000-4462-7000f10d0000 pid=3569 execve guuid=cc39da2c-1800-0000-4462-7000f30d0000 pid=3571 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=cc39da2c-1800-0000-4462-7000f30d0000 pid=3571 clone guuid=f725e32c-1800-0000-4462-7000f40d0000 pid=3572 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=f725e32c-1800-0000-4462-7000f40d0000 pid=3572 execve guuid=e4b2db39-1800-0000-4462-70001b0e0000 pid=3611 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=e4b2db39-1800-0000-4462-70001b0e0000 pid=3611 execve guuid=daeb173a-1800-0000-4462-70001d0e0000 pid=3613 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=daeb173a-1800-0000-4462-70001d0e0000 pid=3613 clone guuid=45cd223a-1800-0000-4462-70001f0e0000 pid=3615 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=45cd223a-1800-0000-4462-70001f0e0000 pid=3615 execve guuid=389f4256-1800-0000-4462-7000620e0000 pid=3682 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=389f4256-1800-0000-4462-7000620e0000 pid=3682 execve guuid=482d9656-1800-0000-4462-7000650e0000 pid=3685 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=482d9656-1800-0000-4462-7000650e0000 pid=3685 clone guuid=2131a356-1800-0000-4462-7000660e0000 pid=3686 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=2131a356-1800-0000-4462-7000660e0000 pid=3686 execve guuid=b0b84465-1800-0000-4462-70007c0e0000 pid=3708 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=b0b84465-1800-0000-4462-70007c0e0000 pid=3708 execve guuid=49828665-1800-0000-4462-70007d0e0000 pid=3709 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=49828665-1800-0000-4462-70007d0e0000 pid=3709 clone guuid=84359565-1800-0000-4462-70007e0e0000 pid=3710 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=84359565-1800-0000-4462-70007e0e0000 pid=3710 execve guuid=3adb0d75-1800-0000-4462-70007f0e0000 pid=3711 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=3adb0d75-1800-0000-4462-70007f0e0000 pid=3711 execve guuid=8f778275-1800-0000-4462-7000800e0000 pid=3712 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=8f778275-1800-0000-4462-7000800e0000 pid=3712 clone guuid=bdfc9075-1800-0000-4462-7000810e0000 pid=3713 /usr/bin/curl net send-data guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=bdfc9075-1800-0000-4462-7000810e0000 pid=3713 execve guuid=87cc318e-1800-0000-4462-7000820e0000 pid=3714 /usr/bin/chmod guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=87cc318e-1800-0000-4462-7000820e0000 pid=3714 execve guuid=4a617e8e-1800-0000-4462-7000830e0000 pid=3715 /usr/bin/dash guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=4a617e8e-1800-0000-4462-7000830e0000 pid=3715 clone guuid=c9c0918e-1800-0000-4462-7000840e0000 pid=3716 /usr/bin/rm guuid=87c84ec2-1700-0000-4462-7000df0c0000 pid=3295->guuid=c9c0918e-1800-0000-4462-7000840e0000 pid=3716 execve 0019fe1c-758c-5273-830a-1cc9dac5b043 91.92.243.68:80 guuid=dad6abc2-1700-0000-4462-7000e10c0000 pid=3297->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 87B guuid=67259fcf-1700-0000-4462-7000020d0000 pid=3330->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 88B guuid=e309c8dd-1700-0000-4462-70000e0d0000 pid=3342->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 88B guuid=157b49ed-1700-0000-4462-7000380d0000 pid=3384->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 88B guuid=050593fe-1700-0000-4462-7000740d0000 pid=3444->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 88B guuid=142c570c-1800-0000-4462-7000a50d0000 pid=3493->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 88B guuid=0a49451c-1800-0000-4462-7000cc0d0000 pid=3532->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 88B guuid=f725e32c-1800-0000-4462-7000f40d0000 pid=3572->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 87B guuid=45cd223a-1800-0000-4462-70001f0e0000 pid=3615->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 87B guuid=2131a356-1800-0000-4462-7000660e0000 pid=3686->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 87B guuid=84359565-1800-0000-4462-70007e0e0000 pid=3710->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 87B guuid=bdfc9075-1800-0000-4462-7000810e0000 pid=3713->0019fe1c-758c-5273-830a-1cc9dac5b043 send: 90B
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d1e561586f25b4e5a49cff92ce47ea07fbdd7bb5e5a4978da35eb5ee91ce96bf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1e561586f25b4e5a49cff92ce47ea07fbdd7bb5e5a4978da35eb5ee91ce96bf/
Threat name:
Win32.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2025-12-21 09:32:24 UTC
File Type:
Text
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2hswcwdpew2olje476jm4r7ka755265v4wsjpdndl2265eoos27q._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/251223-lbyvta1pgs/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d1e561586f25b4e5a49cff92ce47ea07fbdd7bb5e5a4978da35eb5ee91ce96bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh d1e561586f25b4e5a49cff92ce47ea07fbdd7bb5e5a4978da35eb5ee91ce96bf

(this sample)

Mirai

elf ecc57dad5f28e2f8b0cb3182917d3e985894130c8ad4f640f28dad25a3dd8ccb

  
URLhaus
https://urlhaus.abuse.ch/url/3738745/
  
Delivery method
Distributed via web download
  
Dropping
MD5 0d4f854cbdaa7495c863028baf2a9223
  
Dropping
SHA256 ecc57dad5f28e2f8b0cb3182917d3e985894130c8ad4f640f28dad25a3dd8ccb

Comments