MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6117d38803d87bb1b5a1e1df4e5c6f981a8dcfcc37f49bf70c098b230a42e62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	e6117d38803d87bb1b5a1e1df4e5c6f981a8dcfcc37f49bf70c098b230a42e62
SHA3-384 hash:	f319bbf1f383c938ae3a2e5c9f065e72502322ef18e3953f02c8cc7ff22cf18b1d6870a96bacb786a807b4f09238e1a1
SHA1 hash:	dcf1b5d41b0c67dec9fc002fdce5bbb3cdfb0dc8
MD5 hash:	5d1110a8e2e4730dbc0fa6f95aa10113
humanhash:	diet-juliet-fifteen-fanta
File name:	d
Download:	download sample
File size:	682 bytes
First seen:	2026-04-29 11:17:51 UTC
Last seen:	2026-04-29 11:35:53 UTC
File type:	sh
MIME type:	text/plain
ssdeep	12:3WKDyPIacxQZrKwMIAZrKCCAZrKGrEQAZrKGcCWTAZrKVqZZrKr:GIYcxQZe4AZeCCAZecZAZeIWTAZeVqZy
TLSH	T18201A2C5F4E1AAA2D404AF92B061840780EBFFDD17790FD85A9D38F68C9D904B453F09
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://195.178.110.204/armv4l	0d0c3335d2e29a6b7d121727fe015d53ab8179c4fc0930e7ee5d7f899199a8c1	Mirai	elf mirai ua-wget
http://195.178.110.204/armv5l	5186c9f224236fcd06a7e44e54836cdc3766e0c943b6c280fb5f57fdca1a5ac7	Mirai	elf mirai ua-wget
http://195.178.110.204/armv6l	5186c9f224236fcd06a7e44e54836cdc3766e0c943b6c280fb5f57fdca1a5ac7	Mirai	elf mirai ua-wget
http://195.178.110.204/armv7l	77b0b59d2733125c03a25e10bdd7b1b5629cbf80b8627c9aec61b07164d984d0	Mirai	elf mirai ua-wget
http://195.178.110.204/mips	ae164e666d4752c40f28d0a75adf03cc16e9123ce965fd60d7267745405f76a6	Mirai	elf mirai ua-wget
http://195.178.110.204/mipsel	e3637f0db2bd19be2eecbe94ff4ff34e35bce8a4d2f3325c0eabac2811fd47bc	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/69f1ed88594172aacc5023e9/reports/651f73d3-7a34-49a3-9efc-398b1dcfd7af/overview

Verdict:

Malicious

File Type:

text

First seen:

2026-04-29T08:47:00Z UTC

Last seen:

2026-04-29T23:51:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/e6117d38803d87bb1b5a1e1df4e5c6f981a8dcfcc37f49bf70c098b230a42e62/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/11f10f08-ea41-4908-97fa-22a77fb902f1

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e6117d38803d87bb1b5a1e1df4e5c6f981a8dcfcc37f49bf70c098b230a42e62

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e6117d38803d87bb1b5a1e1df4e5c6f981a8dcfcc37f49bf70c098b230a42e62/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/e6117d38803d87bb1b5a1e1df4e5c6f981a8dcfcc37f49bf70c098b230a42e62

Threat name:

Linux.Trojan.Vigorf

Status:

Malicious

First seen:

2026-04-29 11:38:44 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4yix2oeahwd3wg22dyo7jzog7ga2rxh4yn7utp3qycmlemfefzra._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260429-nrgmksfs4r/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e6117d38803d87bb1b5a1e1df4e5c6f981a8dcfcc37f49bf70c098b230a42e62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh