MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bafef50de6d5509751b4c0653ab9946223d5b18406c7674137a14fcc4432dde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: 3bafef50de6d5509751b4c0653ab9946223d5b18406c7674137a14fcc4432dde
SHA3-384 hash: 5d9779b2b311df307471dae9f5b2a2158805d41bcafe52f72245c3c3feb68d0839b4964ca505bd62081e994403c51669
SHA1 hash: e9266b60863e5ff886f730e7a38fc377bfe3e84e
MD5 hash: 19ca544ded1a9a63f5a05ba33b200821
humanhash: shade-alaska-king-william
File name: l
File size: 983 bytes
First seen: 2025-06-22 16:57:24 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:yRk5zFt+MB08xSx0kpxSxJxDkpxSxnkxnmkpxSx3xJkpxd:4k5REA0gO0kpxOzDkpxOomkpxOhJkpxd
TLSH: T17511CBCF50A4DE7268404EDD31935A1A68C6C9DD07CF8FC6E44E01A9A1CCD4D7661E7A
Magika: shell
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://94.26.90.217/vv/armv7l | ae5dbccdfcd0e48e2065b462be5879d1c103e3dc9c553ce8eb319c6385580d78 | Mirai | elf gafgyt mirai ua-wget
http://94.26.90.217/vv/armv4l | a82594f321a14d22c63b44b8b3f4e5dcb725aeda14db201cfe59d6b37cb8093f | Mirai | elf gafgyt mirai ua-wget
http://94.26.90.217/vv/armv5l | d64ce359bc97c9643e66057dbd0ea9ed69d5272487e873119dc7a01134f852bc | Mirai | elf gafgyt mirai ua-wget
http://94.26.90.217/vv/armv6l | 176858d674f19ed1c385ebfd952caea9f6a76f4b44828d6b8f21985476a35df0 | Mirai | elf gafgyt mirai ua-wget

Intelligence

File Origin
# of uploads: 1
# of downloads: 44
Origin country: DE

Vendor Threat Intelligence
Status: terminated
Behavior Graph:
Threat name: Linux.Downloader.Generic
Status: Suspicious
First seen: 2025-06-22 16:59:29 UTC
File Type: Text (Shell)
AV detection: 8 of 24 (33.33%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh 3bafef50de6d5509751b4c0653ab9946223d5b18406c7674137a14fcc4432dde (this sample)

Delivery method: Distributed via web download

Comments