MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38ac059fb99684f3bffe4227b4aef3d46bb3e6d8d7b9d206062b3f62db2ace7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 38ac059fb99684f3bffe4227b4aef3d46bb3e6d8d7b9d206062b3f62db2ace7a
SHA3-384 hash: e0135a8929d1835a91006c993edfc99bbe2580d4325757c56551c81c39ddfdd23fb7d3f5350594175bfffeb3845442ef
SHA1 hash: 60d74cdc27f50d50f4731a416db935e6a6050cb7
MD5 hash: 4793dafde6bad53eb2b63072a0d42f12
humanhash: green-bluebird-helium-double
File name: iphone
File size: 1'571 bytes
First seen: 2026-05-30 16:43:51 UTC
Last seen: 2026-05-30 17:48:18 UTC
File type: sh
MIME type: text/plain
ssdeep: 24:sF+l/2rvnT/2exc/2rAd/25Ytl/2nrt/22Ns/2/X/2DS7/20R/2z+O/2w:eiO7MxNJKZtMgSWXURt
TLSH: T1C731A1CA51A086B67CD49E8B365BCC0E7056F58F1EC94F8AAECD30FA548CD81B052B13
Magika: batch
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 43
# of downloads: 11
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive

Verdict: Malicious
File Type: text
First seen: 2024-04-14T16:45:00Z UTC
Last seen: 2026-05-31T23:44:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph: /usr/bin/sudo (pid 2542) execve -> /tmp/sample.bin (pid 2545); /tmp/sample.bin (pid 2545) execve -> /usr/bin/rm (pid 2547); /tmp/sample.bin (pid 2545) execve -> /usr/bin/busybox (pid 2550)

Threat name: Linux.Downloader.Generic
Status: Suspicious
First seen: 2024-07-04 04:23:08 UTC
File Type: Text (Shell)
AV detection: 17 of 36 (47.22%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: sh 38ac059fb99684f3bffe4227b4aef3d46bb3e6d8d7b9d206062b3f62db2ace7a (this sample)

Delivery method: Distributed via web download

Comments