MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f778e9f251fa6fa4fabdef19a275b16fa4576706f429f6308abce8a8a2fed126. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Ladvix

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	f778e9f251fa6fa4fabdef19a275b16fa4576706f429f6308abce8a8a2fed126
SHA3-384 hash:	4d7ececed3c386366b72621dc15b93d6941f1e46f720010f4ed35e2ac979ed0d0a6b7758a2ab63da12942ef80bfe6b8e
SHA1 hash:	3547efffd6ddc06ea59a4580083a8fa08743f393
MD5 hash:	9d183242ee6050eb7f2d12699a736495
humanhash:	white-red-michigan-texas
File name:	run.sh
Download:	download sample
Signature	Ladvix Create hunting rule
File size:	2'881 bytes
First seen:	2026-05-05 14:11:08 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:T82JMvZbiBvquZuEXEnE2EhEalPbwm3JUfinhM3G:T82JMvZbiBvquZuucvy/Pbw2nhM3G
TLSH	T131510EAB02158B35D60D864FF7F47174711BA9D6FADBCA04ED48082D4FD9D8C7295E80
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnaarch64xnxn	933168973ff9e26e354cc9bdb4cb37b7ec4ef81947290b89bfc30a8929d2f56a	Ladvix	ladvix
http://193.32.208.35/bins/xnxnxnxnxnxnxnxni386xnxn	423a13213e9e37300727c154bdec1a5d3f240c83ca3695b962365108a1d0097f	Mirai	mirai
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnloongarch64xnxn	1e3e9b2ad36356ce5b7f1fcf4abb66d0cff37fda021a90ad2af41a2bb5275741	Mirai	mirai
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnm68kxnxn	40c93abec87e436c68d609f7a558d2a898a7ba49e9282de1cbdb331a5e81a4fa	Mirai	mirai
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnmicroblazexnxn	e661e40c6814edda59dfca1061d1440d22ab685430ae8e75bb58978b313542fd	Mirai	mirai
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnmipsxnxn	47b351de3cfef8df5820a2c9d968a2864679195f1fdffa34c7ee54da7735ba8f	Mirai	mirai
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnor1kxnxn	be849468b15f8987d74819a3caa088404f22f05a0b9b2f8f9845168b6b45e87c	Mirai	mirai
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnpowerpcxnxn	5976da135be2ac5be7afce28f0f1ae50ce488dfc532a8c5db462a777c5ba8e81	Mirai	mirai
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnriscv32xnxn	1424188500d83476b60306fb61fb54b3eb6b090cace33baced826073c5f2d402	Mirai	mirai
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnriscv64xnxn	913b687d0f4253c9200c2aca376de224c84d630d290e8c722f371d3b5ebb7fe7	Mirai	mirai
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnsh2xnxn	710bc2f818d126bd6a6e809d1bc493b634134fcbd4fe35ea2f8d3e5674766377	Mirai	mirai
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnsh4xnxn	7d1378ea5bf78e4a471779664df21232142400d1567aae516010d2a6f19113a0	Mirai	mirai
http://193.32.208.35/bins/xnxnxnxnxnxnxnxnx86_64xnxn	f61639155c40e20acc672bd3b982757af46e833a62e670852b93ac93698a3699	Ladvix	ladvix

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm evasive mirai

Link:

https://www.filescan.io/uploads/69f9fa8f2fcb905ec2805e4a/reports/3410f545-f5df-446b-91e9-0de24596e93b/overview

Verdict:

Malicious

File Type:

text

First seen:

2026-05-04T22:27:00Z UTC

Last seen:

2026-05-05T13:43:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/f778e9f251fa6fa4fabdef19a275b16fa4576706f429f6308abce8a8a2fed126/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/df6e2516-6ea9-411f-8308-2d92c1807429

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f778e9f251fa6fa4fabdef19a275b16fa4576706f429f6308abce8a8a2fed126

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f778e9f251fa6fa4fabdef19a275b16fa4576706f429f6308abce8a8a2fed126/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/f778e9f251fa6fa4fabdef19a275b16fa4576706f429f6308abce8a8a2fed126

Threat name:

Script.Trojan.Multiverze

Status:

Malicious

First seen:

2026-05-05 03:08:34 UTC

File Type:

Text (Shell)

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=654ot4sr7jx2j6v554m2e5nrn6sfozyg6qu7mmekxtukrix62eta._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260505-rhg4jadw7m/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f778e9f251fa6fa4fabdef19a275b16fa4576706f429f6308abce8a8a2fed126

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.