MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba8cc24c6576e9bac7a61417252c70a0fea224484fda4fc4f6251473f2ea7b08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	ba8cc24c6576e9bac7a61417252c70a0fea224484fda4fc4f6251473f2ea7b08
SHA3-384 hash:	5892b5581121efdd782aaf0814a25cad2b4be6bd3b19b232f435a190c2db521cc2516941016886f2c4e317cddd83a841
SHA1 hash:	018f3f9e0c592d8bfbe2681b6a7c592aa0de72f7
MD5 hash:	7326d7dea79c5ccee0d44f8f458c709f
humanhash:	wisconsin-robin-cup-three
File name:	bins.sh
Download:	download sample
File size:	10'830 bytes
First seen:	2025-01-26 16:12:04 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:Y+uILNNZLSqj3LcododotAkQX+XuXNa+nXrmJMQmUpBLLYU8LmWSLC2CmCwXjF+g:zlT0QQuGlVwXjIEywlVwXjc
TLSH	T17A22FEC9519001222DB0DE0F796818E45D64BDD25C8C5F2B8DCC3259A94EEFB78C1EBE
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://conn.masjesu.zip/bins/dkvuZLFNZtsWaW0dDJaYIGRPOiBNxMSyfB	n/a	n/a	n/a
http://conn.masjesu.zip/bins/FtGCFZNCb4QvlRtiQ0alLw6Wo6NNCVBZPK	n/a	n/a	n/a
http://conn.masjesu.zip/bins/bOU0ODbWvs9mU2mEyZTSjH8YhBe2d5hyA2	n/a	n/a	n/a
http://conn.masjesu.zip/bins/XA0nUC5ZiNT206nCDF90ea6KR2T5Lz16wI	n/a	n/a	n/a
http://conn.masjesu.zip/bins/aJnsO0aXiFcdurdMXhoo1EDyM54Rq6q3Fq	n/a	n/a	n/a
http://conn.masjesu.zip/bins/RHyYimwdZowCxHu9kYgN429VSfDRxgMO2c	n/a	n/a	n/a
http://conn.masjesu.zip/bins/zmCHFDLzv4nmZxX1hYmsZ3GOfzhsHVivPh	n/a	n/a	n/a
http://conn.masjesu.zip/bins/uddz48B2UMP5AUr7drWMEYw4mbCBvcqGMg	n/a	n/a	n/a
http://conn.masjesu.zip/bins/9SG75tMCsz4EGyODsTspyJ237di90xrTNa	n/a	n/a	n/a
http://conn.masjesu.zip/bins/cz5r9jOhxiHkRgBAvUaWeEwQBTNBtqNRid	n/a	n/a	n/a
http://conn.masjesu.zip/bins/mzTayzN2ipE6tpTPW21AYcH7VaImXLC7qH	n/a	n/a	n/a
http://conn.masjesu.zip/bins/95nSA4TvaOEPSfcG9TbG6HuQroUhhETey7	n/a	n/a	n/a
http://conn.masjesu.zip/bins/CmVlFMuk3jiF9GYuEZs1XBxwEvTX6XIWR1	n/a	n/a	n/a
http://conn.masjesu.zip/bins/45uKmIiDA7jdRxC8fLrlFG2iULNLMG0T5J	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Sanesecurity.Malware.30787.LX.BOT.UNOFFICIAL

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67966015bb54c6545301300dlinux22vpnfull_triage

Tags:

virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive lolbin remote

Link:

https://www.filescan.io/uploads/67965f0f0a04287e8b028977/reports/5db047b2-edc4-4dbf-9225-16944157505d/overview

Result

Verdict:

UNKNOWN

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/ba8cc24c6576e9bac7a61417252c70a0fea224484fda4fc4f6251473f2ea7b08

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ba8cc24c6576e9bac7a61417252c70a0fea224484fda4fc4f6251473f2ea7b08/

Threat name:

Win32.Trojan.Mirai

Status:

Malicious

First seen:

2025-01-26 16:13:04 UTC

File Type:

Text (Shell)

AV detection:

17 of 38 (44.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xkgmetdfo3u3vr5gcqlskldqud7kejcij7ne7rhweukhh4xkpmea._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery execution linux persistence privilege_escalation

Link:

https://tria.ge/reports/250126-tn221awmey/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

Creates/modifies Cron job

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Renames itself

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ba8cc24c6576e9bac7a61417252c70a0fea224484fda4fc4f6251473f2ea7b08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	UNK_install_script Create hunting rule
Author:	evilcel3ri
Description:	Detects a suspicious behaviour in an bash installation script

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh ba8cc24c6576e9bac7a61417252c70a0fea224484fda4fc4f6251473f2ea7b08

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3090349/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample