MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12d21a05761d45451811d19a624fdbdd9e046ff01bb44c3e117149a6ab15ea4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown

Vendor detections: 5



SHA256 hash: 12d21a05761d45451811d19a624fdbdd9e046ff01bb44c3e117149a6ab15ea4c
SHA3-384 hash: d1c1b9d6fa98d491bb318a66bf976bf17be163e1ed1c08f8d3a183243402318c77e1869888c04e1353202a1987eb261d
SHA1 hash: d78854e47ce242d159f8d401c92a5edbee2eb74f
MD5 hash: 906643fda63e9f3facd4b9dd0ed5324d
humanhash: purple-jersey-table-nebraska
File name: wget.sh
File size: 813 bytes
First seen: 2026-03-24 03:48:22 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:xyx9weZNIjlT8KCiKl2PF5At99UFG109f6ChJKJjhsjBMln:4xCiNIpBKl9fo6KsEiln
TLSH: T15A011BDF01A11F71D30CCF8CBB6548245056A9E0F6633A88994B447A4DC478AB725FD7
Magika: txt
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://94.156.152.233/bins/parm | 538b798e82d1fea1a0d81cf15ffd31c5d6e08324caf4f3b1526d090f3bd4e46c | Mirai | elf mirai
http://94.156.152.233/bins/parm5 | a09006bd59a03472033d3e8fd71c160f37d3870dd04e94a0ab09fe15ee32db5b | Mirai | elf mirai
http://94.156.152.233/bins/parm6 | d95cca527e3456768495a4cb89661b01910cff465e520b9ed73143dd8068db6f | Mirai | elf mirai
http://94.156.152.233/bins/parm7 | 9a7d4e38fc85a72456e53d87d8c9f566d9d298f930ed3be442a1df852e341ab9 | Mirai | elf mirai
http://94.156.152.233/bins/pm68k | 7819509e1693d0fb4a35a95ab4b2e8adac2ad66c0e77a602c8d670eda66c0808 | Mirai | elf mirai
http://94.156.152.233/bins/pmips | c8fd4bfc20af78f548302c064270bd845617516981a9e992604f0bee83643f61 | Mirai | elf mirai
http://94.156.152.233/bins/pmpsl | 93b23bac5ea8cd4bfdcd435d23fe604bdd8f0b92b9400bdb9ef2a28d7a100dda | Mirai | elf mirai
http://94.156.152.233/bins/pppc | bfd5367b17bfd9ef62f0627526ec992abdd32bd67fc6b6ec1cf6bac534d87e66 | Mirai | elf mirai
http://94.156.152.233/bins/psh4 | a8ef8939500969a844d1eb892e35b713ddd34a98af911127c1d75633127a68c4 | Mirai | elf mirai
http://94.156.152.233/bins/pspc | 0966580098f016ee4499ef66fd202e54126d6211ba0cd1fa16d8d7f0f0e4c4ed | Mirai | elf mirai
http://94.156.152.233/bins/px86 | e263164bda5eabffd2b58639673308262ddb75acd83b70dd873774922fbf3fa0 | Mirai | elf mirai
http://94.156.152.233/bins/px86_64 | n/a | n/a | n/a

Intelligence


File Origin
# of uploads: 1
# of downloads: 49
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: mirai

Result: Gathering data
Status: terminated
Behavior Graph (process tree reconstructed from the graph data; pids are from the sandbox run):
  /usr/bin/sudo (pid 2725) --execve--> /tmp/sample.bin (pid 2732)
  /tmp/sample.bin (pid 2732) --execve--> /usr/bin/wget [net, send-data, write-file] (pids 2733, 2766, 2787, 2815, 2845, 2874, 2909, 2942, 2961, 2999, 3040; pid 3120 is net, send-data only); each wget process sends 138-141 B to 94.156.152.233:80
  /tmp/sample.bin (pid 2732) --execve--> /usr/bin/chmod (pids 2759, 2783, 2812, 2840, 2867, 2902, 2936, 2955, 2991, 3032, 3114, 3139)
  /tmp/sample.bin (pid 2732) --clone--> /usr/bin/dash (pids 2762, 2784, 2813, 2841, 2869, 2904, 2938, 2957, 2992, 3033, 3141)
  /tmp/sample.bin (pid 2732) --execve--> /home/sandbox/px86 (pid 3116) [delete-file, net]; connects to 8.8.8.8:53; --clone--> /home/sandbox/px86 (pid 3119) [net, send-data, zombie], which connects to 8.8.8.8:53, sends 10 B to 94.156.152.233:18129, and clones /home/sandbox/px86 (pids 3121, 3122)
  /tmp/sample.bin (pid 2732) --execve--> /usr/bin/rm (pid 3142) [delete-file]

Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Gathering data

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
File type / SHA256: sh 12d21a05761d45451811d19a624fdbdd9e046ff01bb44c3e117149a6ab15ea4c (this sample)

Comments