MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cf25f68a0a089ad835e89fa0023f2f4c4d9cbf46bb70653c98f494ec1ca790a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cf25f68a0a089ad835e89fa0023f2f4c4d9cbf46bb70653c98f494ec1ca790a
SHA3-384 hash: cd4e2ac8c5197d2b8cd34241ae8da142a753973e473c98cd525eebe751e48a5bed644b1c8fde78de428a422cdd56ad6e
SHA1 hash: 5d84fc6149e392529931e30d93e7944195aed3ce
MD5 hash: b0207b4e2bb43e5383a34b2f6250f44e
humanhash: victor-minnesota-papa-echo
File name:0cf25f68a0a089ad835e89fa0023f2f4c4d9cbf46bb70653c98f494ec1ca790a.sh
Download: download sample
File size:171 bytes
First seen:2026-06-04 10:52:45 UTC
Last seen:2026-06-05 03:29:59 UTC
File type: sh
MIME type:text/plain
ssdeep 3:KYyMZ9XsgXUjXKIU7GBzSEyLTUWSSfTAumgXUjXKIUh3zSE8IUWAWyfTAv:JyMZRvDIUCIamTnFDIUhWzTK
TLSH T15CC0125794972E40C4087E202D675F06840477C27414D3A85593AC70CCC45043576D01
Magika shell
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://78.153.155.152/mips899c4224d505bcae0735a499cd4b8489ee833608a441ee660a8108aa6ba89b24 Miraicensys elf mirai ua-wget
http://78.153.155.152/mipsel697a35f958553313fad25cba0d3b831cbc5af0376a7a612fb07093c0acce5a47 Miraicensys elf mirai ua-wget

Intelligence

File Origin
# of uploads :
3
# of downloads :
43
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Linux.DownLoader.2650.23810.21171.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6a215927099ef368af1d813c/reports/ba564db9-a8a7-4f4f-b839-2cdb357e0149/overview
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/480eaf24-5828-46e6-bccc-16bcb201b693
Behavior Graph:
Download SVG
%3 guuid=1e66bac3-1a00-0000-8ffe-10927c0b0000 pid=2940 /usr/bin/sudo guuid=4a79a8c6-1a00-0000-8ffe-10927e0b0000 pid=2942 /tmp/sample.bin guuid=1e66bac3-1a00-0000-8ffe-10927c0b0000 pid=2940->guuid=4a79a8c6-1a00-0000-8ffe-10927e0b0000 pid=2942 execve guuid=81ceedc6-1a00-0000-8ffe-10927f0b0000 pid=2943 /usr/bin/rm guuid=4a79a8c6-1a00-0000-8ffe-10927e0b0000 pid=2942->guuid=81ceedc6-1a00-0000-8ffe-10927f0b0000 pid=2943 execve guuid=1beabec7-1a00-0000-8ffe-1092820b0000 pid=2946 /usr/bin/wget net send-data write-file guuid=4a79a8c6-1a00-0000-8ffe-10927e0b0000 pid=2942->guuid=1beabec7-1a00-0000-8ffe-1092820b0000 pid=2946 execve guuid=f67dfce2-1a00-0000-8ffe-1092a00b0000 pid=2976 /usr/bin/chmod guuid=4a79a8c6-1a00-0000-8ffe-10927e0b0000 pid=2942->guuid=f67dfce2-1a00-0000-8ffe-1092a00b0000 pid=2976 execve guuid=957a80e3-1a00-0000-8ffe-1092a20b0000 pid=2978 /usr/bin/dash guuid=4a79a8c6-1a00-0000-8ffe-10927e0b0000 pid=2942->guuid=957a80e3-1a00-0000-8ffe-1092a20b0000 pid=2978 clone guuid=2ead81e5-1a00-0000-8ffe-1092a60b0000 pid=2982 /usr/bin/wget net send-data write-file guuid=4a79a8c6-1a00-0000-8ffe-10927e0b0000 pid=2942->guuid=2ead81e5-1a00-0000-8ffe-1092a60b0000 pid=2982 execve guuid=a99c5105-1b00-0000-8ffe-1092e50b0000 pid=3045 /usr/bin/chmod guuid=4a79a8c6-1a00-0000-8ffe-10927e0b0000 pid=2942->guuid=a99c5105-1b00-0000-8ffe-1092e50b0000 pid=3045 execve guuid=6c292306-1b00-0000-8ffe-1092e90b0000 pid=3049 /usr/bin/dash guuid=4a79a8c6-1a00-0000-8ffe-10927e0b0000 pid=2942->guuid=6c292306-1b00-0000-8ffe-1092e90b0000 pid=3049 clone eb367bc8-8e2f-5598-96be-9fdbfb33c2e9 78.153.155.152:80 guuid=1beabec7-1a00-0000-8ffe-1092820b0000 pid=2946->eb367bc8-8e2f-5598-96be-9fdbfb33c2e9 send: 133B guuid=2ead81e5-1a00-0000-8ffe-1092a60b0000 pid=2982->eb367bc8-8e2f-5598-96be-9fdbfb33c2e9 send: 135B
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0cf25f68a0a089ad835e89fa0023f2f4c4d9cbf46bb70653c98f494ec1ca790a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0cf25f68a0a089ad835e89fa0023f2f4c4d9cbf46bb70653c98f494ec1ca790a/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/0cf25f68a0a089ad835e89fa0023f2f4c4d9cbf46bb70653c98f494ec1ca790a
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=btzf62fauce23a26rh5aai7s6tcnts7uno3qmu6jr5eu5qokpefa._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260604-my9q9sdy2r/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0cf25f68a0a089ad835e89fa0023f2f4c4d9cbf46bb70653c98f494ec1ca790a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 0cf25f68a0a089ad835e89fa0023f2f4c4d9cbf46bb70653c98f494ec1ca790a

(this sample)

Mirai

elf 899c4224d505bcae0735a499cd4b8489ee833608a441ee660a8108aa6ba89b24

  
URLhaus
https://urlhaus.abuse.ch/url/3858620/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3858627/
  
Dropping
MD5 bfb4e438d8f5f540d5672e9defecd4da
  
Dropping
SHA256 899c4224d505bcae0735a499cd4b8489ee833608a441ee660a8108aa6ba89b24

Comments