MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82d0ce260b0972f28db08a2e617eaa9b29f14494b431e00af7e9b0c53d8b2be0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DDoSAgent


Vendor detections: 7



SHA256 hash: 82d0ce260b0972f28db08a2e617eaa9b29f14494b431e00af7e9b0c53d8b2be0
SHA3-384 hash: 063e1f4d03d4baf2f223bd19a1f849a6f2503d5cd534f1bd1fa7c056da3ea5b7034644d2d22b3caea973acbfed612e76
SHA1 hash: 1e4396d44331be8b7f75c0856a8898496571b906
MD5 hash: ecc7f4fecc163b74b940dccd05f91f0e
humanhash: east-quiet-island-black
File name: ohshit.sh
Signature DDoSAgent
File size: 1'725 bytes
First seen: 2026-05-31 19:30:37 UTC
Last seen: 2026-06-01 09:47:48 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep 48:syDMn2WaS7N+CfWJY30fWaZ6EVyeYiizCvuY:ZZRr
TLSH T1C73141CD10E0F163D6A8DE00F575C144A84996C632EA3F1CECC57C21D8DA9867899BAE
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 3
# of downloads: 50
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bash lolbin
Verdict: Malicious
File Type: Script
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Threat name: Script-Shell.Downloader.Heuristic
Status: Malicious
First seen: 2026-05-31 19:31:40 UTC
File Type: Text (Shell)
AV detection: 8 of 36 (22.22%)
Threat level: 2/5
Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux persistence
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Enumerates running processes
Modifies init.d
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DDoSAgent

sh 82d0ce260b0972f28db08a2e617eaa9b29f14494b431e00af7e9b0c53d8b2be0

(this sample)

  
Delivery method
Distributed via web download

Comments