MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3eace21a07aa1c4d8ae0a88abc30f9376b83793d36f7820a05bc60872f4234a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 4



SHA256 hash: d3eace21a07aa1c4d8ae0a88abc30f9376b83793d36f7820a05bc60872f4234a
SHA3-384 hash: 4c14233a0f53e37f49fb386db8356148a9de815514f224038b474140b219777ea4c346721d5d481678075e6741a284d1
SHA1 hash: 9cbfb31c6c69f12835f1cdfec0f37cbf14613eac
MD5 hash: fc85e73db50bcff0d02207a76512b386
humanhash: jersey-ack-missouri-ten
File name: w.sh
File size: 819 bytes
First seen: 2026-02-01 06:42:24 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:nVHP3GvnVHtRxPVH8NIjlT0VH9iKl2CVHpNVHI67VHk90VHpFG100VHcVHuh7NVr:p3GneNIpbKlG6iVrRjn
TLSH: T1F001A9DA40652F7143A48F1CA523C82C500AC9D0F783169CAA4E007A5DE9B6BF626FCA
Magika: txt
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 40
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph:
Threat name: Win32.Trojan.Alevaul
Status: Malicious
First seen: 2026-02-01 05:18:07 UTC
File Type: Text (Shell)
AV detection: 12 of 36 (33.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh d3eace21a07aa1c4d8ae0a88abc30f9376b83793d36f7820a05bc60872f4234a (this sample)

Delivery method: Distributed via web download

Comments