MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fe59cd7e8497685844ad7d97874a7254f6be4fb1537ab7eaa099f85c0e30344. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 1fe59cd7e8497685844ad7d97874a7254f6be4fb1537ab7eaa099f85c0e30344
SHA3-384 hash: 2a1f68106df4f05e856674fddfc52c30b39cb04d541bfd66eb2b6c1d5d4b9e0e906043e7034971bb7e8ef350a25014dc
SHA1 hash: cc888942d99912ad23c14387035965b1febbbb33
MD5 hash: f7c1d1d27ff5072ff18139bfcab097f4
humanhash: twenty-foxtrot-social-texas
File name: 1fe59cd7e8497685844ad7d97874a7254f6be4fb1537ab7eaa099f85c0e30344
File size: 4'230 bytes
First seen: 2026-07-02 10:53:02 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:vt7m717m7Qwtft7m7Y7m7TNBft7m7027m70daft7m7N7m7oWft7m7e7m7lhJ1ftq:vj1gtgShINvsQtknZxr7C2/
TLSH: T1B891858C1160A3343C7A9D7779D50D18A282C3B2A6E52FD17ED6FDA457C8E372B88681
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: JAMESWT_WT
Tags: igmc-duckdns-org sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.x86 | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.mips | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.mpsl | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.arm | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.arm5 | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.arm6 | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.arm7 | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.ppc | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.m68k | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.sh4 | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.spc | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.arc | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.x86_64 | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.i686 | n/a | n/a | elf ua-wget
http://179.43.182.70/KKveTTgaAAsecNNaaaa/KKveTTgaAAsecNNaaaa.i486 | n/a | n/a | elf ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 53
Origin country: IT
Vendor Threat Intelligence
No detections
Verdict: Malicious
File Type: unix shell
First seen: 2026-05-23T12:45:00Z UTC
Last seen: 2026-05-23T13:25:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph (process tree, summarized from the sandbox graph): /usr/bin/sudo (pid 5166) execve → /tmp/sample.bin (pid 5167). The sample repeatedly execve's /usr/bin/wget (net, send-data), /usr/bin/curl (net, send-data, write-file), /usr/bin/cat and /usr/bin/chmod, and clones /usr/bin/bash, across child pids 5168–5250. Every wget and curl child sends between 120 and 174 bytes to 179.43.182.70:80.
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-05-23 15:59:29 UTC
File Type: Text (Shell)
AV detection: 22 of 36 (61.11%)
Threat level: 3/5
Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders
Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments