MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d60f07966072cc1bcf8bb07023301233a9e8024cb30d40d167d78ecb6e731e0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Prometei


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d60f07966072cc1bcf8bb07023301233a9e8024cb30d40d167d78ecb6e731e0e
SHA3-384 hash: e81d5a8070a4ee42213c462e5e80712c558183cf1cd444f788d98eced9b722a6b4271fc73ab445cf4ef5095fe008e393
SHA1 hash: 8abed0d5818c690241f8145f625ef7271ac1e067
MD5 hash: d38ca536050b41c7942b078e5990e112
humanhash: mississippi-queen-cardinal-wisconsin
File name:d60f07966072cc1bcf8bb07023301233a9e8024cb30d40d167d78ecb6e731e0e
Download: download sample
Signature Prometei
Create hunting rule
File size:1'846 bytes
First seen:2026-05-31 07:57:12 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 48:vMVdxtzGG1eCFeZdzVKN5Q1f/neHuDmmlBFInKIYgQAul4N7vGxk:vGdXIu2mQlGaL2nKI3QaTGW
TLSH T1EC31A0CA79A3D871978BC4381FD6E101E35664430995DDD8B05EBC303F5D560FCA1E56
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter c2hunter
Tags:Prometei sh wraith

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
US US
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Linux.DownLoader.2650.14460.6466.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
File Type:
unix shell
First seen:
2026-05-31T05:18:00Z UTC
Last seen:
2026-06-01T17:28:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/d60f07966072cc1bcf8bb07023301233a9e8024cb30d40d167d78ecb6e731e0e/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/c5997905-c636-453a-ab30-21e378c4c1a7
Behavior Graph:
Download SVG
%3 guuid=945d1bf9-1a00-0000-5631-1aff6c0b0000 pid=2924 /usr/bin/sudo guuid=15890cfc-1a00-0000-5631-1aff6f0b0000 pid=2927 /tmp/sample.bin guuid=945d1bf9-1a00-0000-5631-1aff6c0b0000 pid=2924->guuid=15890cfc-1a00-0000-5631-1aff6f0b0000 pid=2927 execve guuid=5fab40fc-1a00-0000-5631-1aff710b0000 pid=2929 /usr/bin/dash guuid=15890cfc-1a00-0000-5631-1aff6f0b0000 pid=2927->guuid=5fab40fc-1a00-0000-5631-1aff710b0000 pid=2929 clone guuid=9ecd07fd-1a00-0000-5631-1aff760b0000 pid=2934 /usr/bin/dash guuid=15890cfc-1a00-0000-5631-1aff6f0b0000 pid=2927->guuid=9ecd07fd-1a00-0000-5631-1aff760b0000 pid=2934 clone guuid=b98d1dfd-1a00-0000-5631-1aff780b0000 pid=2936 /usr/bin/rm guuid=15890cfc-1a00-0000-5631-1aff6f0b0000 pid=2927->guuid=b98d1dfd-1a00-0000-5631-1aff780b0000 pid=2936 execve guuid=62965dfd-1a00-0000-5631-1aff790b0000 pid=2937 /usr/bin/wget net send-data write-file guuid=15890cfc-1a00-0000-5631-1aff6f0b0000 pid=2927->guuid=62965dfd-1a00-0000-5631-1aff790b0000 pid=2937 execve guuid=f24e9819-1b00-0000-5631-1affa50b0000 pid=2981 /usr/bin/chmod guuid=15890cfc-1a00-0000-5631-1aff6f0b0000 pid=2927->guuid=f24e9819-1b00-0000-5631-1affa50b0000 pid=2981 execve guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=2982 /dev/shm/.kworker_u8 net send-data write-file zombie guuid=15890cfc-1a00-0000-5631-1aff6f0b0000 pid=2927->guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=2982 execve guuid=b5744afc-1a00-0000-5631-1aff720b0000 pid=2930 /usr/bin/dash guuid=5fab40fc-1a00-0000-5631-1aff710b0000 pid=2929->guuid=b5744afc-1a00-0000-5631-1aff720b0000 pid=2930 clone guuid=ec735afc-1a00-0000-5631-1aff730b0000 pid=2931 /usr/bin/uname guuid=b5744afc-1a00-0000-5631-1aff720b0000 pid=2930->guuid=ec735afc-1a00-0000-5631-1aff730b0000 pid=2931 execve guuid=547665fc-1a00-0000-5631-1aff740b0000 pid=2932 /usr/bin/tr guuid=b5744afc-1a00-0000-5631-1aff720b0000 pid=2930->guuid=547665fc-1a00-0000-5631-1aff740b0000 pid=2932 execve 5461f1f2-e196-5b3b-917a-536f13b47f96 185.220.177.59:80 guuid=62965dfd-1a00-0000-5631-1aff790b0000 pid=2937->5461f1f2-e196-5b3b-917a-536f13b47f96 send: 144B 4f6baed0-9587-596c-82b3-fd721afe4cc1 10.0.2.3:53 guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=2982->4f6baed0-9587-596c-82b3-fd721afe4cc1 send: 49B 65c5c8b7-db80-5a48-bab7-86030423a164 127.0.0.1:443 guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=2982->65c5c8b7-db80-5a48-bab7-86030423a164 con 68be2212-4fc4-5131-93cb-d738da932b65 speed.cloudflare.com:80 guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=2982->68be2212-4fc4-5131-93cb-d738da932b65 send: 84B guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3042 /dev/shm/.kworker_u8 zombie guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=2982->guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3042 clone guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3043 /dev/shm/.kworker_u8 guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=2982->guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3043 clone guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3044 /dev/shm/.kworker_u8 net send-data zombie guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=2982->guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3044 clone guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3045 /dev/shm/.kworker_u8 dns net write-file zombie guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=2982->guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3045 clone guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3044->4f6baed0-9587-596c-82b3-fd721afe4cc1 send: 49B guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3044->65c5c8b7-db80-5a48-bab7-86030423a164 con guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3045->65c5c8b7-db80-5a48-bab7-86030423a164 con guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3045->68be2212-4fc4-5131-93cb-d738da932b65 con b619669b-6add-5aba-88d3-b4e40271df50 speed.cloudflare.com:53 guuid=f78d161a-1b00-0000-5631-1affa60b0000 pid=3045->b619669b-6add-5aba-88d3-b4e40271df50 con
Score:
9%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/d60f07966072cc1bcf8bb07023301233a9e8024cb30d40d167d78ecb6e731e0e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d60f07966072cc1bcf8bb07023301233a9e8024cb30d40d167d78ecb6e731e0e/
Threat name:
Win32.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2026-05-31 07:57:47 UTC
File Type:
Text (Shell)
AV detection:
10 of 23 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2yhqpftaolgbxt4lwbycgmasgou6qasmwmgubulh26hmw3ttdyha._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery linux upx
Link:
https://tria.ge/reports/260531-jtf2lsex2n/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to shm directory
Writes file to tmp directory
UPX packed file
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.39
Link:
https://yomi.yoroi.company/submissions/d60f07966072cc1bcf8bb07023301233a9e8024cb30d40d167d78ecb6e731e0e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
http://185.220.177.59/loader.sh

Comments