MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddf7d9d35587298f3ed39fd66b421df9835418e3033d5d1550ba67a615c0eed5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	ddf7d9d35587298f3ed39fd66b421df9835418e3033d5d1550ba67a615c0eed5
SHA3-384 hash:	862699525dc1c06907c4facaf6a5f08efa0ee43a2379445155700f50fe69f4bda78e1413b1b719a1061953f82dea70cb
SHA1 hash:	725e951fcb56796303f316b7735abb8843fc0d6b
MD5 hash:	52b545b457243f7d28356f4a9ede584e
humanhash:	glucose-jersey-harry-sierra
File name:	l
Download:	download sample
File size:	862 bytes
First seen:	2025-05-14 09:47:48 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:eTLk6Ne5mBFLy+684bLlxM+6vLrLt26dcLO6UmLC+6Lv:evpeYsHApztfe2M6v
TLSH	T1971108D5A1D14A7A2C90AE0BB16B8C5D30AB7A8F09C28F8898CC30B9255CD41B061F03
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://213.209.143.24/mpsl	c081dbcab79688429efe181b099a18cd061bf0fd33da3d9f8b6bddf82bb99032	Mirai	elf mirai
http://213.209.143.24/mips	01453889de074520278d104c051ba80147706206ac12ccb4da2f07dc660872bb	Mirai	elf mirai
http://213.209.143.24/arm4	3b6bce64630d32a5372d776f043de20307aa7999c24cff8edfec52bc76078c5f	Mirai	elf mirai
http://213.209.143.24/arm5	6d04d6cc458082f1dd5233ac5b8b048c7d67c6a2a431e4750cf2b4366a0bdb74	Mirai	elf mirai
http://213.209.143.24/arm6	3b50d951810dc7e8bb7b9cf9d95d33ffaf55e50ca4ff15dded98a4198ecdef4e	Mirai	elf mirai
http://213.209.143.24/arm7	5d11b9be5daa65fe010cc7900d5d5eead7f62a7885e862a5971a005856ae9878	Mirai	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68246890e16384d6a704512dlinux22vpnfull_triage

Tags:

trojan hype sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive mirai

Link:

https://www.filescan.io/uploads/682466db8bd61140fb6fd1d7/reports/74c78fcc-aee9-4337-97b4-2f875f47540a/overview

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/ddf7d9d35587298f3ed39fd66b421df9835418e3033d5d1550ba67a615c0eed5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ddf7d9d35587298f3ed39fd66b421df9835418e3033d5d1550ba67a615c0eed5/

Threat name:

Linux.Downloader.SAgnt

Status:

Malicious

First seen:

2025-05-11 18:00:59 UTC

File Type:

Text (Shell)

AV detection:

17 of 36 (47.22%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3x35tu2vq4uy6pwtt7lgwqq57gbvighdam6v2fkqxjt2mfoa53kq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250514-lt13wswkx8/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ddf7d9d35587298f3ed39fd66b421df9835418e3033d5d1550ba67a615c0eed5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.