MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f496ed8617d5dd02f42198dd2de10881d4296647fe06e2e3bd6139f723a0750. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown
Vendor detections: 7



SHA256 hash: 4f496ed8617d5dd02f42198dd2de10881d4296647fe06e2e3bd6139f723a0750
SHA3-384 hash: f380228c9a0302a82620a4803eb00b74c0eac5f8ad9f64c77b58a53e835ab2195d6c635817f7ec7b43ef0371a5fbc213
SHA1 hash: d869e3ba459dcdc6b87c38522469477ee6ae8f27
MD5 hash: 35840867e230bf31363bf4652f8784e0
humanhash: carolina-july-king-low
File name: bbc
File size: 526 bytes
First seen: 2026-02-03 20:19:38 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 6:hLgjJ5Ja/+YcLN7+Y3JMF/+Ye0IdyJ44LIXLoO4eGLw+v+YdF/vNnQz2JMIykwFV:lSjkOLZpqjW3bo/8pqF82Q/NiTZA20t
TLSH: T1C7F0E90FA04BF03AD08419E8E761FB55AC30B86B5373CD5C78407650FFD64247962240
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Associated URL (URL / Malware sample (SHA256 hash) / Signature / Tags):
http://130.12.180.120/file/n/an/an/a

Intelligence


File Origin
# of uploads: 1
# of downloads: 54
Origin country: DE

Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox soft-404
Result: Gathering data
Status: terminated
Behavior Graph (process tree with network activity):
/usr/bin/sudo (pid 2868)
  execve -> /tmp/sample.bin (pid 2880)
    execve -> /usr/bin/uname (pid 2881)
    execve -> /usr/bin/pgrep (pid 2883)
    execve -> /usr/bin/rm (pid 2893)
    execve -> /usr/bin/busybox (pid 2895) [net, send-data, write-file]; send 93B to 130.12.180.120:80
    execve -> /usr/bin/chmod (pid 2944)
    execve -> /tmp/data.x86_64 (pid 2946) [net]; connect to 8.8.8.8:53
      clone -> /tmp/data.x86_64 (pid 2947) [zombie]
        clone -> /tmp/data.x86_64 (pid 2948) [zombie]
          clone -> /tmp/data.x86_64 (pid 2950) [net, send-data, zombie]; send 70B to 8.8.8.8:53; send 14B to 176.65.139.20:25565
            clone -> /tmp/data.x86_64 (pid 2951)
            execve -> /usr/bin/dash (pid 2959) -> execve /usr/sbin/xtables-nft-multi (pid 2961)
            execve -> /usr/bin/dash (pid 2989) -> execve /usr/sbin/xtables-nft-multi (pid 2991)
            execve -> /usr/bin/dash (pid 5289) -> execve /usr/sbin/xtables-nft-multi (pid 5290)
            execve -> /usr/bin/dash (pid 5291) -> execve /usr/sbin/xtables-nft-multi (pid 5292)
    execve -> /usr/bin/rm (pid 2949) [delete-file]
    execve -> /usr/bin/rm (pid 2952) [delete-file]
Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2026-02-03 21:23:59 UTC
File Type: Text (Shell)
AV detection: 7 of 36 (19.44%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: sh 4f496ed8617d5dd02f42198dd2de10881d4296647fe06e2e3bd6139f723a0750 (this sample)

Delivery method: Distributed via web download

Comments