MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecf2fac41855650d30e5b563865904d44b1efb17ae6386bddf61a7780495574c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecf2fac41855650d30e5b563865904d44b1efb17ae6386bddf61a7780495574c
SHA3-384 hash: 42fa8c4952113343b610639ea5e3b5114a425ae9b1878fdc23b7039306e9ce5cd6f36eb9f8c0d5ab19e0fa42610b845f
SHA1 hash: aaa704dc4bfacc457d80a251639e2114d91d6396
MD5 hash: e508c9dcd34e9444200f6f3073d8f6e4
humanhash: angel-aspen-freddie-venus
File name:v
Download: download sample
File size:2'305 bytes
First seen:2025-05-08 05:06:50 UTC
Last seen:2025-05-09 11:36:45 UTC
File type: sh
MIME type:text/plain
ssdeep 48:4k5CEA0OkAWkAIkAekAIZVkA4kAkkAokA4kA0kAkkAIkA0kA8j:tCEA0lWsCwssgIcs40j
TLSH T17F417DDF025C98211594CEDD36E30814744D96F9A9DBCF4F684E05F9A8CDE0CB298EEA
Magika shell
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://185.218.87.28/vv/armv4l35c14500814ac5bc2c71312bb1323f3be34afa878c7f06cefb0bf26f983564db Miraielf gafgyt mirai ua-wget
http://185.218.87.28/vv/armv5l329b5885b7e275adac37eb18a80ecdb3caf7be655086997faa2dfbc167d32b2f Miraielf gafgyt mirai ua-wget
http://185.218.87.28/vv/armv6lc76d487bbf7cb1a6743d397381529f945b229c7df6b2ec27111d095a448f5402 Miraielf gafgyt mirai ua-wget
http://185.218.87.28/vv/armv7l200e571bc0a6d2562563022dfcc60ac5ac8c2e40eb73a053be8555349a674a69 Miraielf gafgyt mirai ua-wget
http://185.218.87.28/vv/mipsn/an/aelf gafgyt ua-wget
http://185.218.87.28/vv/mipsela49f50fdba0de9c330d0980f6cce815c1525d0800adeab6c3d82a7954923ef02 Miraielf gafgyt mirai ua-wget
http://185.218.87.28/vv/sh4b71d233c1ccc47ea7d2b3300680e113278a7dc23345a2c40f7ab31e95a1f835f Gafgytelf gafgyt ua-wget
http://185.218.87.28/vv/sparcbaec6b1394100795d6c67f6813c16023222a532dd7f94816a5c39d5a6f3b13e0 Miraielf gafgyt mirai ua-wget
http://185.218.87.28/vv/riscv32n/an/aelf gafgyt ua-wget
http://185.218.87.28/vv/powerpcaaa59a329b7d9ace426ce5afbfeb6b15f5a8010865de4bad68e3ec03aa1f5a59 Miraielf gafgyt mirai ua-wget
http://185.218.87.28/vv/armv4ebn/an/aelf gafgyt ua-wget
http://185.218.87.28/vv/arcn/an/aelf gafgyt ua-wget

Intelligence

File Origin
# of uploads :
3
# of downloads :
68
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681c3d2491991ead82b60f57linux22vpnfull_triage
Tags:
hype sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
busybox evasive obfuscated
Link:
https://www.filescan.io/uploads/681c3bfd0b64e174c41d2035/reports/a4921d71-90f0-43e1-aae1-1d87237e1031/overview
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ecf2fac41855650d30e5b563865904d44b1efb17ae6386bddf61a7780495574c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ecf2fac41855650d30e5b563865904d44b1efb17ae6386bddf61a7780495574c/
Threat name:
Script-Shell.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-05-08 05:09:11 UTC
File Type:
Text (Shell)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5tzpvraykvsq2mhfwvrymwie2rfr56yxvzrynpo7mgtxqbevk5ga._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250508-fs6n4ayths/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ecf2fac41855650d30e5b563865904d44b1efb17ae6386bddf61a7780495574c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202412_suspect_bash_script
Create hunting rule
Author:abuse.ch
Description:Detects suspicious Linux bash scripts

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh ecf2fac41855650d30e5b563865904d44b1efb17ae6386bddf61a7780495574c

(this sample)

Mirai

elf 35c14500814ac5bc2c71312bb1323f3be34afa878c7f06cefb0bf26f983564db

  
URLhaus
https://urlhaus.abuse.ch/url/3531249/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3538938/
  
Dropping
MD5 9aff45bce598a65ad3f904f1bda32707
  
Dropping
SHA256 35c14500814ac5bc2c71312bb1323f3be34afa878c7f06cefb0bf26f983564db

Comments