MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72ba78aeec34bcd1c4181af54255e33f714d4998970839682ab003fc54dcb893. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 72ba78aeec34bcd1c4181af54255e33f714d4998970839682ab003fc54dcb893
SHA3-384 hash: 40860e2f1353b13a40a4cb9f0cb778dc6713f884160f534206cdfae9cbfbda815f8aa1a1035fe5046b3a703f92ea16bf
SHA1 hash: fe53207c1fba30e8d398f115175cee4604ab0b2d
MD5 hash: e680e5c88f79d7f350994cf459a3fe2c
humanhash: papa-wisconsin-cat-single
File name: bins.sh
File size: 965 bytes
First seen: 2026-02-13 18:31:29 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 12:klCTJ1AxXaAocTCJAX9G0iT0qdG3X8ZwiTw4ANxXUYFYSTjuw3XU7jPTZmxXU6FJ:kHRYM9/8V4UYFXuwHU7ZmRUWplUpe
TLSH: T1F51112D5C090F3235ADDEE49F6B18258E499B2856CD12C0A9B965EE50C274943DCBB41
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 34
Origin country: DE

Vendor Threat Intelligence

No detections
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin

Result: Gathering data

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen
Status: terminated
Behavior Graph (process tree and network activity, reconstructed from the sandbox graph data):
  pid 3123 /usr/bin/sudo
    execve -> pid 3132 /tmp/sample.bin
      execve -> pid 3133 /usr/bin/wget (net, send-data, write-file); sends 134 B to 178.16.52.229:80
      execve -> pid 3165 /usr/bin/curl (net, send-data, write-file); sends 83 B to 178.16.52.229:80
      execve -> pid 3188 /usr/bin/cat
      execve -> pid 3190 /usr/bin/chmod
      execve -> pid 3192 /tmp/run_x86 (net); connects to 8.8.8.8:53
        clone -> pid 3194 /tmp/run_x86 (dns, net, send-data, zombie); sends 37 B to 134.195.4.2:53, 370 B to 91.217.137.37:53 and 37 B to 51.254.162.59:53; connects to xanax.enzostress.st:35342
          clone -> pid 3196 /tmp/run_x86
      execve -> pid 3195 /usr/bin/wget (net, send-data, write-file); sends 132 B to xanax.enzostress.st:80
      execve -> pid 3208 /usr/bin/curl
      execve -> pid 3209 /usr/bin/wget (net); connects to xanax.enzostress.st:80
      execve -> pid 3213 /usr/bin/wget (net); connects to xanax.enzostress.st:80
      execve -> pid 3219 /usr/bin/wget (net); connects to xanax.enzostress.st:80
      execve -> pid 3226 /usr/bin/wget (net); connects to xanax.enzostress.st:80
      execve -> pid 3228 /usr/bin/wget (net); connects to xanax.enzostress.st:80
Threat name: Linux.Downloader.Generic
Status: Suspicious
First seen: 2026-02-13 18:27:04 UTC
File Type: Text (Shell)
AV detection: 9 of 38 (23.68%)
Threat level: 3/5

Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  System Network Configuration Discovery
  Writes file to tmp directory
  Changes its process name
  Checks CPU configuration
  Enumerates running processes
  File and Directory Permissions Modification
  Executes dropped EXE
  Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: sh 72ba78aeec34bcd1c4181af54255e33f714d4998970839682ab003fc54dcb893 (this sample)

Delivery method: Distributed via web download

Comments