MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dac3736e1d3f01462ebc884ea7ff864ee368b80dc2c34853c26250d1d226d61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	9dac3736e1d3f01462ebc884ea7ff864ee368b80dc2c34853c26250d1d226d61
SHA3-384 hash:	7e1afeb7fe6a0b630f46d953d812a99c957f6aa8458a27139b08e60e4562f9c91916786a43cfb8cb674d8211c576bef4
SHA1 hash:	07786b8e18d59ab36982d15b6bc3e2a69f04be86
MD5 hash:	1c98a0cf25007d00402a12e46b038858
humanhash:	undress-social-montana-alabama
File name:	lil
Download:	download sample
File size:	830 bytes
First seen:	2025-05-14 09:47:49 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:GLk6Ne5iLy+68XXLlxM+6vzLt26deLO6UULC+6l:spe6D7ApPtf02mY
TLSH	T14501B5E566D2467A2D90AE47B16BCC5E302B7A8F08C2CF8A68CC31F9759CD50B061F43
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://213.209.143.24/mpsl	c081dbcab79688429efe181b099a18cd061bf0fd33da3d9f8b6bddf82bb99032	Mirai	elf mirai
http://213.209.143.24/mips	01453889de074520278d104c051ba80147706206ac12ccb4da2f07dc660872bb	Mirai	elf mirai
http://213.209.143.24/arm4	3b6bce64630d32a5372d776f043de20307aa7999c24cff8edfec52bc76078c5f	Mirai	elf mirai
http://213.209.143.24/arm5	6d04d6cc458082f1dd5233ac5b8b048c7d67c6a2a431e4750cf2b4366a0bdb74	Mirai	elf mirai
http://213.209.143.24/arm6	3b50d951810dc7e8bb7b9cf9d95d33ffaf55e50ca4ff15dded98a4198ecdef4e	Mirai	elf mirai
http://213.209.143.24/arm7	5d11b9be5daa65fe010cc7900d5d5eead7f62a7885e862a5971a005856ae9878	Mirai	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Clean

Score:

89.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68246891e16384d6a7045133linux22vpnfull_triage

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive mirai

Link:

https://www.filescan.io/uploads/682466dc233cdf981ae89eb6/reports/bad9666f-ff22-43c1-b5df-767397569c15/overview

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9dac3736e1d3f01462ebc884ea7ff864ee368b80dc2c34853c26250d1d226d61

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9dac3736e1d3f01462ebc884ea7ff864ee368b80dc2c34853c26250d1d226d61/

Threat name:

Linux.Downloader.SAgnt

Status:

Malicious

First seen:

2025-05-11 18:00:46 UTC

File Type:

Text (Shell)

AV detection:

17 of 37 (45.95%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=twwdonxb2pybiyxlzccou77ymtxdnc4a3qwdjbj4eysq2hjcnvqq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250514-lt13wswkx9/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9dac3736e1d3f01462ebc884ea7ff864ee368b80dc2c34853c26250d1d226d61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.