MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5072556c254ee9e46e00da8a2ece41f12f23e612b101e8c6f19c5ab8d70b4c9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 5072556c254ee9e46e00da8a2ece41f12f23e612b101e8c6f19c5ab8d70b4c9c
SHA3-384 hash: 44081fc012f1defac9e91197f6b219a643cbc4e24052a1d088c95ee22632d879bc2b27bd8c8019b0d612fe2f503286ab
SHA1 hash: a340b6088200200ffe79166de108f88d0c09255f
MD5 hash: 82b44600367e23f2554de4a2d5d7709a
humanhash: louisiana-jupiter-iowa-march
File name: abc3.sh
File size: 797 bytes
First seen: 2026-02-17 17:12:41 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:U1eLqU0cjU0iNIl5zAU0P0LKjU0uOsU0iCU0c/U06cSEU0otaKAU0K/iAU0KtfAy:D7xglNI75tKgtixDT8LcEhtBlb/abh9
TLSH: T155012DCE2B94B1554C4C9D40F16A862C7944ABD031B40E9D6B9CB4B2A9CCD28F9A5F4C
Magika: txt
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 50
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox mirai
Result
Verdict: Malicious
File Type: text
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph:
Threat name: Script-Shell.Worm.Mirai
Status: Malicious
First seen: 2026-02-17 16:44:47 UTC
File Type: Text (Shell)
AV detection: 13 of 36 (36.11%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh 5072556c254ee9e46e00da8a2ece41f12f23e612b101e8c6f19c5ab8d70b4c9c (this sample)

Delivery method: Distributed via web download

Comments