MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1c3f7b42e3266079e0800de42709d05cd0a509fe179ab6b078a6bb4a19a2407. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Ngioweb

Vendor detections: 6

SHA256 hash: e1c3f7b42e3266079e0800de42709d05cd0a509fe179ab6b078a6bb4a19a2407
SHA3-384 hash: e0179e2f3cdb7649d70a849a98afe99e707ba5555bb6d70ef75cde3f199408e155cacaff331b806bcc5f949c3d495ed2
SHA1 hash: cb5bb45cb20d91a6af86608d94ab93f527d89611
MD5 hash: 59062b7ab0a869aeae0b6e0f1da96145
humanhash: burger-twelve-friend-florida
File name: router-atemi-rep.sh
Signature: Ngioweb
File size: 824 bytes
First seen: 2025-11-08 07:54:33 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:1Ul44Fl44ql44Yl44zl44uZl44vRl444PZlG:1UlBFlBqlBYlBzlBuZlBZlBoZlG
TLSH: T1E10148E934967594D038C740B951D8CE5181DBAE11E21B10B36CDF71805EA9EB06DB06
Magika: batch
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
Uploads: 1
Downloads: 37
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive mirai

Verdict: Malicious
File Type: text
First seen: 2025-11-08T05:23:00Z UTC
Last seen: 2025-11-08T06:37:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2025-11-08 07:55:21 UTC
File Type: Text (Shell)
AV detection: 10 of 24 (41.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Ngioweb, sh, e1c3f7b42e3266079e0800de42709d05cd0a509fe179ab6b078a6bb4a19a2407 (this sample)
Delivery method: Distributed via web download

Comments