MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24d0d3d9346bc42fc669ab17c3b0cd7cb7fd5b04587842eccdecd40309eb7fd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	24d0d3d9346bc42fc669ab17c3b0cd7cb7fd5b04587842eccdecd40309eb7fd7
SHA3-384 hash:	ed8306a0df74b70a6c43586f86e087469d0560ac8ae6ec51bde85422f9173655045a6f73f2f7ddb34da1616b9e66ee02
SHA1 hash:	85d59627014366e8ea595d37d5659bb01557784c
MD5 hash:	bb283d5e3cbb8a5c9dde2b06e8efc213
humanhash:	florida-speaker-nine-romeo
File name:	w.sh
Download:	download sample
File size:	943 bytes
First seen:	2026-04-01 05:51:31 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:KzFEkUfEEFKNI5rEy3cKrEj+kafaE+oDI/DrHFIgnIqVedIIeIBc/wWI9KI7XU:MNIOKPkAGoUbrSgI8Ehc/Z+U
TLSH	T19511B1DD70A9245DAC119E4270918DA0A145F2FF7DA79F48AC884DB1F58BBB4302DB85
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	adliwahid

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://5.175.223.249/data.arm4	5c88d830c55a5d9cf20e9dfec55d0b3def1037d478c44fca159512b5599c3aaa	Mirai	mirai
http://5.175.223.249/data.arm5	04f0c5f71d4b934159b2bf2d8e13862a032a910704f5596422e5161b9181ee8d	Mirai	mirai
http://5.175.223.249/data.arm6	37c9c694f3fa721f213069d5ab032bb6c3772f41ed6e91c7525a4e1aa5abd7c3	Mirai	mirai
http://5.175.223.249/data.arm7	5ba17425e52ed385298524a49a8a12e8b69b0d28df79311f4ef20c9db7810dcd	Mirai	mirai
http://5.175.223.249/data.aarch64	e561415a538e1a064a0efc1bfccc637340702eb6f05a34a965e14ca1ae0b3d0c	Mirai	mirai
http://5.175.223.249/data.mips	03439a4f19441041a4e6a7ca4194e89c3abdabf119f5f60e753794aa937582a3	Mirai	mirai
http://5.175.223.249/data.mipsel	b6e16730d6d3ef3922e0a41f3e8c972ea1685baa08263b57c2664883e81a244a	Mirai	mirai
http://5.175.223.249/data.mips-uclibc	b4fb9c7262d93538464cb8f92c2ae3fbc16e7dd96d92badcb87cec1aed08be05	Mirai	mirai
http://5.175.223.249/data.mipsel-uclibc	04c81f45441c3a817bb5e655abf3b48768e1b175c68945b9cc4e9b461429c806	Mirai	mirai
http://5.175.223.249/data.powerpc	22609df256833834d36c6d61e263fa78b6d625c05faf1460c289ff971b8e1e31	Mirai	mirai
http://5.175.223.249/data.x86	cfe30f2b3a18b72405c7e982aae6fd2f272a5e4fbd6703674715bd050b6de296	Mirai	mirai
http://5.175.223.249/data.x86_64	505d429c30920de8738ec53459ffe674a47554091c6c0a45d0076d456c1407db	DDoSAgent	DDoSAgent

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Gathering data

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-03-31T00:54:00Z UTC

Last seen:

2026-03-31T01:28:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/24d0d3d9346bc42fc669ab17c3b0cd7cb7fd5b04587842eccdecd40309eb7fd7/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/2583e7af-d1f1-42ea-b603-052c69caaf9e

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/24d0d3d9346bc42fc669ab17c3b0cd7cb7fd5b04587842eccdecd40309eb7fd7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24d0d3d9346bc42fc669ab17c3b0cd7cb7fd5b04587842eccdecd40309eb7fd7/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/24d0d3d9346bc42fc669ab17c3b0cd7cb7fd5b04587842eccdecd40309eb7fd7

Threat name:

Document-HTML.Trojan.Vigorf

Status:

Malicious

First seen:

2026-04-01 05:52:46 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=etinhwjunpcc7rtjvml4hmgnps372wyelb4ef3gn5tkagcplp7lq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

credential_access defense_evasion discovery linux

Link:

https://tria.ge/reports/260401-gkzfgsby5t/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Reads process memory

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.31

Link:

https://yomi.yoroi.company/submissions/24d0d3d9346bc42fc669ab17c3b0cd7cb7fd5b04587842eccdecd40309eb7fd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh