MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2085f3bedbcecc3cf67563dd35d6a856a56f62ef90b69ebf0522fc50e78f3f64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 2085f3bedbcecc3cf67563dd35d6a856a56f62ef90b69ebf0522fc50e78f3f64
SHA3-384 hash: c34348bb779c9e2026a287d3e04051b161cdaa99d1ad431b0ebdf71faa76541042066da952c4c3c22b0c8a5d8bf8a0f9
SHA1 hash: 091a1abfdfe576d3c939a5345e535499e3387fe4
MD5 hash: a2e9ef3eca1a7e561403196727afaf0f
humanhash: august-cardinal-equal-red
File name: sample
File size: 4'310 bytes
First seen: 2026-07-05 10:27:01 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep 48:/wUQxwuQDOou9OCuvLel2vqJir+FOPtwPnCn/aZ/e24Wt2SWHlIX6/Pirpi1VtfN:4tKnC9wDw9YbwwT+O
TLSH T1C29139CF03B5867A84EFCEA172B7E9479D0B4D9832D05E1DFA98683666C6D443127F20
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuserobot66609

Intelligence


File Origin
# of uploads: 1
# of downloads: 52
Origin country: US
Vendor Threat Intelligence
No detections
Verdict: Malicious
File Type: Script
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-BAT.Downloader.Heuristic
Status: Malicious
First seen: 2026-07-05 10:28:23 UTC
File Type: Text (Shell)
AV detection: 8 of 36 (22.22%)
Threat level: 2/5
Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Enumerates running processes
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE
Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 2085f3bedbcecc3cf67563dd35d6a856a56f62ef90b69ebf0522fc50e78f3f64

(this sample)

  
Delivery method: Distributed via web download
