MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e7af68125450f1a0071d23518fa90f4c9f7d6342d7edd077cc4888e8da1ca2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	0e7af68125450f1a0071d23518fa90f4c9f7d6342d7edd077cc4888e8da1ca2c
SHA3-384 hash:	14fc931370c3a0e5ed735224d1502f0597f38945f2b9758079f43aec87c77461a3751c62b560a64a2aedaf288a65877b
SHA1 hash:	4bad0a76d2cccc8014461f969e2c108ff1541bf2
MD5 hash:	ab778dde6547652461c88b872b521014
humanhash:	lamp-bacon-golf-lactose
File name:	dddd.sh
Download:	download sample
File size:	2'396 bytes
First seen:	2026-03-19 21:18:26 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:kn5S62iw079ymGW+DKpbuA/MzLoFa9vXyBQlcqD:QXdt6
TLSH	T1B34192CA0B79D832B5D57D18BABAC048DD9DAAC7ACD1041AC5E41F345974AA432C3FE2
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://libs.9tb.org/linux_386	n/a	n/a	elf mirai ua-wget x86
http://libs.9tb.org/linux_aarch64	n/a	n/a	arm elf mirai ua-wget
http://libs.9tb.org/linux_amd64	n/a	n/a	elf mirai ua-wget x86
http://libs.9tb.org/linux_arm5	7b45e5dc85e06ce7d05fef0596066df3a584200b25d9808051253152e886a963	Gafgyt	arm elf mirai ua-wget
http://libs.9tb.org/linux_arm6	8c2ebd1990cb95e7ded08c14cf1a273921fb14a941f280f60e8fbcea4a9961e4	Gafgyt	arm elf mirai ua-wget
http://libs.9tb.org/linux_arm7	0090764bcf2db6ec2c2dfac1726190d219b05174727f330c998452cef71edab2	Gafgyt	arm elf mirai ua-wget
http://libs.9tb.org/linux_mips64	n/a	n/a	elf mips mirai ua-wget
http://libs.9tb.org/linux_mips64el	n/a	n/a	elf mips mirai ua-wget
http://libs.9tb.org/linux_mips_hardfloat	n/a	n/a	elf mips mirai ua-wget
http://libs.9tb.org/linux_mips_softfloat	n/a	n/a	elf mips mirai ua-wget
http://libs.9tb.org/linux_mipsel_hardfloat	n/a	n/a	elf mips mirai ua-wget
http://libs.9tb.org/linux_mipsel_softfloat	n/a	n/a	elf mips mirai ua-wget
http://libs.9tb.org/linux_ppc64	n/a	n/a	elf mirai PowerPC ua-wget
http://libs.9tb.org/linux_ppc64el	n/a	n/a	elf mirai PowerPC ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.DownLoader.680.14967.1194.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/69bc685b677ac46843a7294c/reports/88082272-2942-4906-a55f-0133169e5183/overview

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen

Link:

https://opentip.kaspersky.com/0e7af68125450f1a0071d23518fa90f4c9f7d6342d7edd077cc4888e8da1ca2c/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/3644dac5-ee40-4087-89c3-3f20bf8da83d

Behavior Graph:

Download SVG

Score:

94%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/0e7af68125450f1a0071d23518fa90f4c9f7d6342d7edd077cc4888e8da1ca2c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0e7af68125450f1a0071d23518fa90f4c9f7d6342d7edd077cc4888e8da1ca2c/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/0e7af68125450f1a0071d23518fa90f4c9f7d6342d7edd077cc4888e8da1ca2c

Threat name:

Linux.Downloader.SAgnt

Status:

Malicious

First seen:

2026-03-19 21:19:26 UTC

File Type:

Text (Shell)

AV detection:

14 of 37 (37.84%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bz5pnajfiuhruadr2i2rr6uq6te7pvrufv7n2b34ysei5dnbziwa._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux persistence privilege_escalation

Link:

https://tria.ge/reports/260319-z6cgysex4j/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

Modifies Bash startup script

Creates/modifies environment variables

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/0e7af68125450f1a0071d23518fa90f4c9f7d6342d7edd077cc4888e8da1ca2c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 0e7af68125450f1a0071d23518fa90f4c9f7d6342d7edd077cc4888e8da1ca2c

(this sample)

elf c8f3b84814fe469e2d551c141b37bf74e350bfeafb31a530d2582788cc445789

URLhaus

https://urlhaus.abuse.ch/url/3800082/

Delivery method

Distributed via web download

Dropping

MD5 ee30809a5cc4babb5ba13424005149b8

Dropping

SHA256 c8f3b84814fe469e2d551c141b37bf74e350bfeafb31a530d2582788cc445789

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample