MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11261321ec75bcde1aa101a0670998ee095a1c3927351ec047a2ae2c024c64a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	11261321ec75bcde1aa101a0670998ee095a1c3927351ec047a2ae2c024c64a9
SHA3-384 hash:	1254ee43325b1c7936625ffd1cca81148f1256cd71a028a5dae5592a374240326618a993f91c5eeba394dd760e00300b
SHA1 hash:	84df2becbe18ec2fdaa0db28fe780e2c87b34c09
MD5 hash:	916a95bafbf319ef89c5d95128b77456
humanhash:	zebra-alanine-robert-two
File name:	dick.sh
Download:	download sample
File size:	1'968 bytes
First seen:	2026-03-03 02:18:27 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:vyGnDL/dLJLYWRL9LgoLRLlbLC0+MfnLAR9RG3RFBHLlbL1Lrchig:vyanpNJhgKVtTlAR9R4RFBrtZC
TLSH	T12C415ED7189909742CDDD9AB33BB681034D4D09B2BC5AF0F68EE38E4098DD85B8C4BD2
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://77.90.61.79/m-i.p-s.dick	876577bcd50061d0ae066c6b6c328af673595233441df9c9197e440add1a09dd	Mirai	elf mirai ua-wget
http://77.90.61.79/m-p.s-l.dick	3c924ae8905ee297be06c3eb02fd6340d22b902e1f8e34a831996c71d3b6231a	Mirai	elf mirai ua-wget
http://77.90.61.79/s-h.4-.dick	58968266f92ea06e3f064e23e58d689cc9d6841082581e06876d36d4a14228ca	Mirai	elf mirai ua-wget
http://77.90.61.79/x-8.6-.dick	bc0b175fc6ca68475397d362b5c556c60ac2d1bac7b207fb016ba2fb9ace771e	Mirai	elf mirai ua-wget
http://77.90.61.79/a-r.m-6.dick	4bf771b4d750b3d3beb1aaa1311d7890f1b83a9242f5183fe72e7dfe2a02ea70	Mirai	elf mirai ua-wget
http://77.90.61.79/x-3.2-.dick	ef15218a93fd7274e3904f9e58831fea865d69020a91635b0bed69379b22ab41	Mirai	elf mirai ua-wget
http://77.90.61.79/a-r.m-7.dick	3d5add2acceb6d8ffec49932f7bfa31e2c945dcf366e1317fe9c998dfb37fce3	Mirai	elf mirai ua-wget
http://77.90.61.79/p-p.c-.dick	448452d8804f49777e0d8d1f31b1bfe9bf6e73965574dc30dce6e8a58f1ca5bc	Gafgyt	elf gafgyt ua-wget
http://77.90.61.79/i-5.8-6.dick	1ec4349dc3a07ecfc1d86980b30bd00f5fa978748d6fa8e2c5e1deb2c86adfc1	Mirai	elf mirai ua-wget
http://77.90.61.79/m-6.8-k.dick	60d896fd063131c40e1036d648989147f787f46d17e33decff8a24c08651d35d	Mirai	elf mirai ua-wget
http://77.90.61.79/a-r.m-4.dick	448452d8804f49777e0d8d1f31b1bfe9bf6e73965574dc30dce6e8a58f1ca5bc	Gafgyt	elf gafgyt ua-wget
http://77.90.61.79/a-r.m-5.dick	0fd0434d337188f1ccc4babaa0889494948ebbf59545eb67e1767f2430e66e4b	Gafgyt	elf gafgyt ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive medusa mirai obfuscated

Link:

https://www.filescan.io/uploads/69a6452110e80629d4f98563/reports/69c62d90-e64b-4d8d-9cfa-fd26a49bfd06/overview

Result

Gathering data

Verdict:

Unknown

File Type:

Link:

https://opentip.kaspersky.com/11261321ec75bcde1aa101a0670998ee095a1c3927351ec047a2ae2c024c64a9/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/fd855349-0315-4e57-bf3a-f71e429656be

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/11261321ec75bcde1aa101a0670998ee095a1c3927351ec047a2ae2c024c64a9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/11261321ec75bcde1aa101a0670998ee095a1c3927351ec047a2ae2c024c64a9/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/11261321ec75bcde1aa101a0670998ee095a1c3927351ec047a2ae2c024c64a9

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-03-03 02:19:27 UTC

File Type:

Text (Shell)

AV detection:

23 of 36 (63.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cetbgipmow6n4gvbagqgocmy5yevuhbze42r5qchukxcyasmmsuq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion linux

Link:

https://tria.ge/reports/260303-cry13sht7h/

Behaviour

Writes file to tmp directory

Changes its process name

File and Directory Permissions Modification

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/11261321ec75bcde1aa101a0670998ee095a1c3927351ec047a2ae2c024c64a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.