MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3230f1e944294c3acc4d3594ab5e6db269b76cc600478a1055e132976fba766f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: 3230f1e944294c3acc4d3594ab5e6db269b76cc600478a1055e132976fba766f
SHA3-384 hash: 8fc6c8323270419038626c68e5b5cc4b0ec2cdb8dc51ad3b60fe6bbf56dd416b43196cdb6682043fc3fea1690e2e6259
SHA1 hash: 9a5b24722f59e64f81aec8b3bd264a198970496a
MD5 hash: 47ed52b9552aa9fbb1362ce3132fc2a3
humanhash: alabama-artist-oven-texas
File name: a.sh
Download: download sample
File size: 1'241 bytes
First seen: 2025-12-21 11:28:36 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:oQVYmVCBgQVVmVvY5gQVjNimVjNNI1hHgQVLmVa6YgQV/rmVhy5gQVemVsbgQVaN:o2CCcNHNNIfAHyzCEdsq+NBNpdOx9
TLSH: T15321EDCE00115FF29B6F9F1CE3B7E8B4E017D1D2F6430A969A4B0825CC49B11BA05EC1
Magika: batch
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags

Intelligence

File Origin
# of uploads: 1
# of downloads: 29
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: medusa mirai

Verdict: Malicious
File Type: text
First seen: 2025-12-20T15:58:00Z UTC
Last seen: 2025-12-21T11:12:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-12-20 20:52:51 UTC
File Type: Text (Shell)
AV detection: 13 of 24 (54.17%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 3230f1e944294c3acc4d3594ab5e6db269b76cc600478a1055e132976fba766f (this sample)

Delivery method
Distributed via web download

Comments