MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e513b052f35bbac9e2678b3197867ee47ec0354c58af44d6c1574633f96de934. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Ngioweb

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	e513b052f35bbac9e2678b3197867ee47ec0354c58af44d6c1574633f96de934
SHA3-384 hash:	e39423187940939c7bb6c91f81838a645d392273f4a51be9614bc1f2eff5f9e9214fcd0735c34e0119be7ee8bf0e652a
SHA1 hash:	d409869449cfe7c2e9534c548e60507fc30b73ef
MD5 hash:	f65141a8bb9c8cd5018d3a116fe83cff
humanhash:	south-purple-ohio-oxygen
File name:	router-atemi-rep.sh
Download:	download sample
Signature	Ngioweb Create hunting rule
File size:	824 bytes
First seen:	2025-11-08 11:43:38 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:7RDV5MjwlCDk5MjwlCDX5MjwlCDR5MjwlCDXO5MjwlCDp5MjwlCD7bo5MjwlCD7l:1nlKulK5lKjlKIlKblKvClK4ClV
TLSH	T1D90140BA0CBD65D4A41DD740BCA61887D201E3CFB0ED1B10B37C7D72C0A9A14F0666A6
Magika	batch
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://69.5.189.168/frost.armv7	ddebe545870ecfe87f0d403a1a1bbf0343c4b9ea4e727e2bdb1915f966658435	Ngioweb	elf Ngioweb ua-wget
http://69.5.189.168/frost.armv6	3f2c0e2becb201a5b2cd23b66deaa39b78fbea6cdc64e539edb442b99f5373d4	Ngioweb	elf Ngioweb ua-wget
http://69.5.189.168/frost.armv5	76e670a4333b77d5f69f0a51440618974bfb545309d57d00e6ca847e85631c86	Ngioweb	elf Ngioweb ua-wget
http://69.5.189.168/frost.mips	8a9b339fd801c708cb76a8204ccce25fa81d06703371c28f832220426886aaf9	Ngioweb	elf ua-wget
http://69.5.189.168/frost.mipsel	cc5dfc104697e85043a20833fc7928418e8a7321b7b6368b37632fd13b1ec4fa	Ngioweb	elf mirai Ngioweb ua-wget
http://69.5.189.168/frost.aarch64	1bb57d84b79bdca142f788f2317f6afa1f8071386ac4febc7529214ed995e964	Ngioweb	elf mirai Ngioweb ua-wget
http://69.5.189.168/frost.x86	eeac99d3cb2e9e9c6c030c9964afccc0886688a0390a7849994146ac0c9604da	Ngioweb	elf mirai Ngioweb ua-wget
http://69.5.189.168/frost.x86_64	07ddef2fde289218f356264bdf1d4409ffa44168c8e98c03ae3c5015ed62fbb4	Ngioweb	elf mirai Ngioweb ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive mirai

Link:

https://www.filescan.io/uploads/690f2d128938e2fe221621bb/reports/bb408503-0464-4dfb-9c18-aa95421cc0ee/overview

Verdict:

Malicious

File Type:

text

First seen:

2025-11-08T10:16:00Z UTC

Last seen:

2025-11-09T01:27:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/e513b052f35bbac9e2678b3197867ee47ec0354c58af44d6c1574633f96de934/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/7723870b-27af-4216-ba64-7179fcaf10c5

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e513b052f35bbac9e2678b3197867ee47ec0354c58af44d6c1574633f96de934

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e513b052f35bbac9e2678b3197867ee47ec0354c58af44d6c1574633f96de934/

Threat name:

Linux.Trojan.Generic

Status:

Suspicious

First seen:

2025-11-08 11:44:22 UTC

File Type:

Text (Shell)

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4uj3auxtlo5mtythrmyzpbt64r7mankmlcxujvwbk5ddh6ln5e2a._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251108-nwa1laxrhk/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e513b052f35bbac9e2678b3197867ee47ec0354c58af44d6c1574633f96de934

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Ngioweb

sh e513b052f35bbac9e2678b3197867ee47ec0354c58af44d6c1574633f96de934

(this sample)

Ngioweb

elf d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b

URLhaus

https://urlhaus.abuse.ch/url/3700353/

Delivery method

Distributed via web download

Dropping

MD5 e11a30fbc51aa29573f1bf62762beb1f

Dropping

SHA256 d0ca62e68e235aca958e3877ae7ed505c5667207c95d34907bc806e5ffa0b21b

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample