MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d38c1a2f7cff1e5188eb3cf98f0e515a82fd368d77229bec1c1d41c899ed2b62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Ngioweb


Vendor detections: 6



SHA256 hash: d38c1a2f7cff1e5188eb3cf98f0e515a82fd368d77229bec1c1d41c899ed2b62
SHA3-384 hash: 3e1db83d40f56f4904d87f1c05294a66b934448086cd1656223b743d78988c7ed7331bffe6d266ef47c67d8a71554cd0
SHA1 hash: 61c182782ccf095ca1c164749c917ae2f94ee3ce
MD5 hash: ef0db40d9e29034759d5000bcc418c08
humanhash: oranges-connecticut-undress-quebec
File name: dvr.lilin-rep.sh
Signature: Ngioweb
File size: 800 bytes
First seen: 2025-11-08 07:05:42 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:78CtbSECwbSECHbSECpbSECX6bSEChbSEC7bUbSEC7kUb/:p2pYSz6vt4W
TLSH: T1BE01218E351316B4E118EE4079A4FB0B511D834955807BE7A0981D37C3AD7497B45E79
Magika: txt
Reporter: abuse_ch
Tags: sh
URLs referenced by this sample (URL | Malware sample (SHA256 hash) | Signature | Tags):

http://87.121.84.80/frost.armv7 | d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b | Ngioweb | elf geofenced Ngioweb ua-wget USA
http://87.121.84.80/frost.armv6 | f08d8c43beedbc8d45ea133b44dd09e13d80d725846eac7615141dee9064907e | Ngioweb | elf geofenced Ngioweb ua-wget USA
http://87.121.84.80/frost.armv5 | 966770e3938bb350119a960948a15421d9c6e0944c4d49f5aa631d3bd9fee703 | Ngioweb | elf geofenced Ngioweb ua-wget USA
http://87.121.84.80/frost.mips | n/a | n/a | elf geofenced ua-wget USA
http://87.121.84.80/frost.mipsel | 8758eddd99d34eae170f69fe5c58231a546fef0f56a7e30eefac59ef10ca906b | Mirai | elf geofenced mirai ua-wget USA
http://87.121.84.80/frost.aarch64 | 7997eca9041eb31e0264e9273d28e3b672f6f6cb206919ea1167610cfa601f93 | Mirai | elf geofenced mirai ua-wget USA
http://87.121.84.80/frost.x86 | 296d6af5b711aada05ec72d517af8b677c32d4f894fda2934ad5289b7f671619 | Mirai | elf geofenced mirai ua-wget USA
http://87.121.84.80/frost.x86_64 | a85c562d0b13602adfad63635f895ba1fcd8f4780121f7f98febc10fbfba1819 | Mirai | elf geofenced mirai ua-wget USA

Intelligence


File Origin
# of uploads: 1
# of downloads: 38
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive mirai

Verdict: Malicious
File Type: unix shell
First seen: 2025-11-08T04:41:00Z UTC
Last seen: 2025-11-08T06:37:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph (process tree and network activity, flattened from the sandbox graph):

pid 3241 /usr/bin/sudo
  execve -> pid 3242 /tmp/sample.bin
    execve -> pid 3243 /usr/bin/wget (net, send-data, write-file) -> 87.121.84.80:80 send: 138B
    execve -> pid 3274 /usr/bin/chmod
    clone  -> pid 3276 /usr/bin/dash
    execve -> pid 3280 /usr/bin/rm (delete-file)
    execve -> pid 3282 /usr/bin/wget (net, send-data, write-file) -> 87.121.84.80:80 send: 138B
    execve -> pid 3310 /usr/bin/chmod
    clone  -> pid 3312 /usr/bin/dash
    execve -> pid 3316 /usr/bin/rm (delete-file)
    execve -> pid 3318 /usr/bin/wget (net, send-data, write-file) -> 87.121.84.80:80 send: 138B
    execve -> pid 3325 /usr/bin/chmod
    clone  -> pid 3326 /usr/bin/dash
    execve -> pid 3329 /usr/bin/rm (delete-file)
    execve -> pid 3330 /usr/bin/wget (net, send-data, write-file) -> 87.121.84.80:80 send: 137B
    execve -> pid 3359 /usr/bin/chmod
    clone  -> pid 3360 /usr/bin/dash
    execve -> pid 3365 /usr/bin/rm (delete-file)
    execve -> pid 3367 /usr/bin/wget (net, send-data, write-file) -> 87.121.84.80:80 send: 139B
    execve -> pid 3390 /usr/bin/chmod
    clone  -> pid 3392 /usr/bin/dash
    execve -> pid 3395 /usr/bin/rm (delete-file)
    execve -> pid 3397 /usr/bin/wget (net, send-data, write-file) -> 87.121.84.80:80 send: 140B
    execve -> pid 3452 /usr/bin/chmod
    clone  -> pid 3454 /usr/bin/dash
    execve -> pid 3458 /usr/bin/rm (delete-file)
    execve -> pid 3460 /usr/bin/wget (net, send-data, write-file) -> 87.121.84.80:80 send: 136B
    execve -> pid 3488 /usr/bin/chmod
    execve -> pid 3490 /tmp/lohb (delete-file)
      clone -> pid 3491 /tmp/lohb (net, send-data, zombie)
        con  -> 69.5.189.168:5555
        send -> 208.67.222.222:53 (29B)
    execve -> pid 3493 /usr/bin/rm
    execve -> pid 3494 /usr/bin/wget (net, send-data, write-file) -> 87.121.84.80:80 send: 139B
    execve -> pid 3513 /usr/bin/chmod
    execve -> pid 3514 /tmp/lohb (delete-file)
      clone -> pid 3515 /tmp/lohb (net, send-data, zombie)
        send -> 69.5.189.168:5555 (64B)
        send -> 1.1.1.1:53 (29B)
        clone -> pid 3621 /tmp/lohb (net, net-scan, send-data, zombie)
          con  -> 8.8.8.8:53
          send -> 52.222.209.29:80 (124B)
          send -> 210.117.144.123:80 (128B)
          send -> 184.176.209.107:80 (128B)
          send -> 18.132.48.129:80 (124B)
          send -> 34.196.227.123:80 (126B)
          send -> 18.165.192.126:80 (126B)
          send -> 142.168.203.151:80 (304B)
          send -> 34.120.198.169:80 (126B)
          send -> 34.127.114.50:80 (124B)
          send -> 34.210.111.237:80 (126B)
          send -> 34.217.211.18:80 (124B)
          send -> 18.160.197.208:80 (126B)
          send -> 34.141.6.237:80 (122B)
          send -> 154.95.239.175:80 (126B)
          send -> 122.188.44.187:80 (126B)
          con  -> 18.163.15.153:80
          send-data to 4063 IP addresses in total (review logs to see them all)
    execve -> pid 3516 /usr/bin/rm
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2025-11-08 07:06:16 UTC
File Type: Text (Shell)
AV detection: 11 of 24 (45.83%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Ngioweb
File type: sh
Sample: d38c1a2f7cff1e5188eb3cf98f0e515a82fd368d77229bec1c1d41c899ed2b62 (this sample)

Delivery method: Distributed via web download

Comments