MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90832ad3f8a90b71a4d37f1740bd0f7497adbe9888ce18b026f9cdda54c94ed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 90832ad3f8a90b71a4d37f1740bd0f7497adbe9888ce18b026f9cdda54c94ed6
SHA3-384 hash: 2bed0f0876070798ade58966e021f8e8f48b2225a2f996424578882d7177e052309f311dcbf68b17c22250d42db6421f
SHA1 hash: dc32baed55bcb26c6597a0db7ba3cb628a2c7475
MD5 hash: 229feb789ec7eb0d2eee6383c54445f2
humanhash: september-network-west-sodium
File name: wget.sh
File size: 588 bytes
First seen: 2026-01-11 02:30:34 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 6:TJ+d9Fvh2i2Iu3Pi3/3O2mb3olioeLW3qfH8qeFa0LKieY:TJ+zFZ2i9iPi3vObokoeLKKcC0LKVY
TLSH: T154F0D1EF71545B72568CDD8161F2980DA889BAD226E40F6C6FD944A788E0B40FB8CF20
Magika: txt
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://130.12.180.126/mips | 6091591c65e708bb1c7b6912438880bc14992de4e04939eec216a6ecd6dd93e0 | Mirai | 32-bit elf mirai ua-wget
http://130.12.180.126/mpsl | 79f5ca34a62727003ef76416baa6ece3b7644a6e9d6e581efc32025df3bd86ac | Mirai | elf gafgyt mirai ua-wget
http://130.12.180.126/arm4 | c17940c3b5f774b7d1b24542010805eb200cdeefc89f7c6f89244bc16b3dc02f | Mirai | elf mirai ua-wget
http://130.12.180.126/arm5 | a5202dbe81c29fc2800a3dc5bd72a5968b541ca66af2b08f49aa6dafd94f5236 | Mirai | elf mirai ua-wget
http://130.12.180.126/arm7 | 30c1fa4827381cc432b67aa1c1608170be61258bddd3a7fba2c66443e7ed88f3 | Mirai | arm elf geofenced mirai ua-wget USA

Intelligence


File Origin
# of uploads: 1
# of downloads: 44
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bash busybox expand lolbin mirai

Result
Verdict: Malicious
File Type: text
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Web download -> sh 90832ad3f8a90b71a4d37f1740bd0f7497adbe9888ce18b026f9cdda54c94ed6 (this sample)

Comments