MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b263a5a34d255506fe51b8f57d8fe44fcfd387efd0e57263e95d5e7be92e40f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 9b263a5a34d255506fe51b8f57d8fe44fcfd387efd0e57263e95d5e7be92e40f
SHA3-384 hash: 819b72118612c9c7f37c044cdc592247ab4611010edffb9d39db27b5265dedbf02f47df28d03bffdc04e8f5ef79f8720
SHA1 hash: 84705726e34389ebdfcc12a71de62da89cd5d8cc
MD5 hash: 931c38d7da0121c65d4c5b6d16f42819
humanhash: emma-comet-sierra-hot
File name: wget.sh
File size: 528 bytes
First seen: 2026-07-02 23:06:29 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 12:KSs6wZUJQNyHe0uUJRsHUbVSYeJBOUbg5pB:KSKZ16vsQle7qpB
TLSH: T126F096CE0150365589CDD94FBBB3C92C245687CD168F5BC978AD051AA6446EAF044B6C
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 67
Origin country: DE

Vendor Threat Intelligence
No detections
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: bash busybox downloader lolbin mirai
Status: terminated
Behavior Graph (summary of the rendered process graph; node GUIDs omitted):
  /usr/bin/sudo (pid 3184)
    -> execve /tmp/sample.bin (pid 3190)
      -> execve /usr/bin/rm (pids 3192, 3193, 3194, 3195, 3196, 3197, 3199)
      -> execve /usr/bin/cp (pid 3202)
      -> execve /usr/bin/busybox [net, send-data, write-file] (pids 3206, 3229, 3253, 3278)
      -> execve /usr/bin/chmod (pids 3223, 3245, 3271, 3290)
      -> clone /usr/bin/dash (pids 3225, 3248, 3273, 3291)
  Network: the four busybox processes each connect to 76.164.203.171:80 (sends of 83 B, 83 B, 83 B and 85 B)
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Document-HTML.Hacktool.Heuristic
Status: Malicious
First seen: 2026-07-02 23:09:31 UTC
File Type: Text (Shell)
AV detection: 9 of 38 (23.68%)
Threat level: 1/5
Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  System Network Configuration Discovery
  Writes file to tmp directory
  Changes its process name
  Reads system network configuration
  Enumerates active TCP sockets
  Enumerates running processes
  Reads system routing table
  File and Directory Permissions Modification
  Executes dropped EXE
  Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
File type: sh
SHA256: 9b263a5a34d255506fe51b8f57d8fe44fcfd387efd0e57263e95d5e7be92e40f (this sample)

Delivery method: Distributed via web download

Comments