MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e64124e337da6f27f46d7bb35cfd538029a52a4c9207c9a9d4f5342092edc1be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	e64124e337da6f27f46d7bb35cfd538029a52a4c9207c9a9d4f5342092edc1be
SHA3-384 hash:	cce3d1fe4355db99df48f72df2b8ac73be2921353cee240fe0087641c63dc82c7290ae9c4892bdd937ad91f5b6b4bb6e
SHA1 hash:	dfdf877f9e91cfdbadb8d22d6d93340e1a2fc4fe
MD5 hash:	b815127aa7b71abe5e24b8ccc35a36fe
humanhash:	sierra-cat-carbon-double
File name:	dvr.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	346 bytes
First seen:	2025-07-04 10:59:33 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	6:htI1RDjbWUtISpp8GvVbWUtIS3F/F2X/I/PN7IbWUtIS1FSeQ:bIbXP9pJvVPDX+/I/PN7IPzSeQ
TLSH	T149E01AE6E455DFC6986A541C21D7C22CF0AAC3F41AC58A4C6C6E2976C98868CE45398C
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://154.205.133.58/lol.arm	020b87fdaa06a1609bdc0c9bb9c5441241a1ac29ea656f087c19a385e5177766	Mirai	elf mirai ua-wget
http://154.205.133.58/lol.arm5	36796d056ca6b55227eccf5ef5d1bf83ba4b1b516013f98408210c9229169cc5	Mirai	elf mirai ua-wget
http://154.205.133.58/lol.arm7	9c765ec2b4b7ac6f218873fd11916bc996b7f6f443731885bba1108374214eb9	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

1

# of downloads :

17

Origin country :

DE

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-36.UNOFFICIAL

Verdict:

Clean

Score:

82.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6867b44d900df8e7f8669a6flinux22vpnfull_triage

Tags:

n/a

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/8c326140-5604-41cc-a307-64a0fc3b770e

Behavior Graph:

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e64124e337da6f27f46d7bb35cfd538029a52a4c9207c9a9d4f5342092edc1be

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e64124e337da6f27f46d7bb35cfd538029a52a4c9207c9a9d4f5342092edc1be/

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2025-07-04 11:00:28 UTC

File Type:

Text (Shell)

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4zasjyzx3jxsp5dnpozvz7ktqau2kksmsid4tkou6u2cbexnyg7a._file

Result

Malware family:

n/a

Score:

7/10

Tags:

credential_access defense_evasion discovery linux

Link:

https://tria.ge/reports/250704-m35m4s1rs2/

Behaviour

Reads runtime system information

Writes file to tmp directory

Changes its process name

Reads process memory

File and Directory Permissions Modification

Executes dropped EXE

Renames itself

Unexpected DNS network traffic destination

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.31

Link:

https://yomi.yoroi.company/submissions/e64124e337da6f27f46d7bb35cfd538029a52a4c9207c9a9d4f5342092edc1be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh e64124e337da6f27f46d7bb35cfd538029a52a4c9207c9a9d4f5342092edc1be

(this sample)

elf a6a6542c34dfa9bdf92f69a35aaae63d5789bc49d99e8c93345838d934b9db33

URLhaus

https://urlhaus.abuse.ch/url/3574806/

Delivery method

Distributed via web download

Dropping

MD5 80cb5600fdb780a5f0dbec30263c2022

Dropping

SHA256 a6a6542c34dfa9bdf92f69a35aaae63d5789bc49d99e8c93345838d934b9db33

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample