MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ed925e948b20635a5b6761edc4e4d522cb77d32a5403cbff28a9ebbf27721e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	8ed925e948b20635a5b6761edc4e4d522cb77d32a5403cbff28a9ebbf27721e2
SHA3-384 hash:	cc1e4e4deee5a95be0b2436dc00307118e37a3063a500532f6d71748cde60ef906230f166456438a64721d2a31940523
SHA1 hash:	397527956e202a49a4481585007cccaf462d6c92
MD5 hash:	ee4cb934a3c8e6c215a57faa7e6b5606
humanhash:	gee-winner-potato-bulldog
File name:	dick.sh
Download:	download sample
File size:	1'994 bytes
First seen:	2026-06-15 07:06:51 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vpCanp5pdpZpxpQKplp9pDlpQR9R4RFBrp9pppS:vkanT3TbGK/fTy/C/BrfTE
TLSH	T15C413AD615A549346CEDD95B33B9980030D4D1969FCA6F9F68EC38E48DCDD84B8C4BC2
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.148.24/m-i.p-s.dick	42bc0e1e7309a256236ea5e46d0ddba04648f1ed6f930870d79f717c177dcae4	Mirai	elf mirai ua-wget
http://176.65.148.24/m-p.s-l.dick	b6ee6eb7d33a8c2e4963c32e078d3a86e7d3a96a3eb78b699996136f3a4c297a	Mirai	elf mirai ua-wget
http://176.65.148.24/s-h.4-.dick	84dbbefd653fbfb4f0753ceaa757987098a87bf08f792425470d1e8a43bbe0bc	Mirai	elf mirai ua-wget
http://176.65.148.24/x-8.6-.dick	271c4e74701bceebf3afdadf3a9564d29debdc568b3696386637a6c3b1d8b405	Mirai	elf mirai ua-wget
http://176.65.148.24/a-r.m-6.dick	e36505927dcdb61f95ed2b36c3d9620894f57065cd4546137bad6ecce975c3da	Mirai	elf mirai ua-wget
http://176.65.148.24/x-3.2-.dick	da808c541f3d5a295f96863e1b605b23cdb7f69a2e2bc5d017a1c4616c1298cf	Mirai	elf mirai ua-wget
http://176.65.148.24/a-r.m-7.dick	6ed82f4c8f41e9ee28bfeb6aa6e757e85d2d811c4b8ef97476622710c9acf53b	Mirai	elf mirai ua-wget
http://176.65.148.24/p-p.c-.dick	bf814c9f566f3f01e7bfbbd2c92e4b8cf94ff06d0eec2784009f6482301f9ce7	Mirai	elf mirai ua-wget
http://176.65.148.24/i-5.8-6.dick	81bec5933e0561d3f6685358bb9e7362ed3c63c373e6592e3d387664a5081d93	Mirai	elf mirai ua-wget
http://176.65.148.24/m-6.8-k.dick	23b61b7224532d7695a04057f8725e4b7758053d2057eec1a918a7d57080bf98	Mirai	elf mirai ua-wget
http://176.65.148.24/a-r.m-4.dick	bf814c9f566f3f01e7bfbbd2c92e4b8cf94ff06d0eec2784009f6482301f9ce7	Mirai	elf mirai ua-wget
http://176.65.148.24/a-r.m-5.dick	182dc5a1e6dbb9027d11e3d9c78b61a7ada2c85e1a282229b2428a869af2f79f	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/6a2fa4aabf16337e43c6c709/reports/1e33ef0b-0188-44de-a364-beb0f2d54877/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-06-14T13:21:00Z UTC

Last seen:

2026-06-17T00:44:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/8ed925e948b20635a5b6761edc4e4d522cb77d32a5403cbff28a9ebbf27721e2/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/94186ae8-5dcf-4eec-92f4-035f0484ae4b

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/8ed925e948b20635a5b6761edc4e4d522cb77d32a5403cbff28a9ebbf27721e2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8ed925e948b20635a5b6761edc4e4d522cb77d32a5403cbff28a9ebbf27721e2/

Verdict:

Malicious

Threat:

Family.GAFGYT

Link:

https://tip.neiki.dev/file/8ed925e948b20635a5b6761edc4e4d522cb77d32a5403cbff28a9ebbf27721e2

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-06-14 16:31:21 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r3msl2kiwiddljnwoypnytsnkiwlo7jsuvadzp7srkplx4txehra._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux persistence

Link:

https://tria.ge/reports/260615-hxtw7sby6j/

Behaviour

Reads runtime system information

Writes file to tmp directory

Changes its process name

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/8ed925e948b20635a5b6761edc4e4d522cb77d32a5403cbff28a9ebbf27721e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.