MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d479800e8d2056d244c73cbbe5893dbe105eaf968ad2a43142c0486732ba6d9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d479800e8d2056d244c73cbbe5893dbe105eaf968ad2a43142c0486732ba6d9b
SHA3-384 hash: c827bec137aa7343116bd819249f75209e4d9d0b01d1778aaa1965806fa1ef48ceb41aad9558ffeadd7212f122fb1cc5
SHA1 hash: 4561de0d3687ca4dfa9e2725260d0d580c2a0904
MD5 hash: 1f292e81746436c6c8ed7a833a267a8b
humanhash: artist-venus-robert-stairway
File name:d479800e8d2056d244c73cbbe5893dbe105eaf968ad2a43142c0486732ba6d9b.sh
Download: download sample
File size:12'619 bytes
First seen:2026-02-22 13:19:16 UTC
Last seen:Never
File type: sh
MIME type:text/plain
ssdeep 96:cRu7B6WxWxJx1x71N2Rr5djGjmpRTmHWI1iza15J31aLtYyw7fQ2POYI6pbMtwHu:cRul6wL3//LLt+DQpYS
TLSH T18642087425F00C332E605A40F27727E6ABB6D85349E3258C35DE1F35AF86B12B5AF425
Magika xml
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://85.209.43.178/zt_armn/an/an/a
http://23.224.176.63/sh/easy_av_wget.shn/an/an/a
http://10.14.26.54:10902/wwRpedhgBjoNfePqnEGUn/an/an/a
http://58.16.29.36:10698/FqSemHABbfSNLKhWaEWcn/an/an/a
http://222.133.177.93:26169/FqSemHABbfSNLKhWaEWcn/an/an/a
http://218.25.111.185:1065/FqSemHABbfSNLKhWaEWcn/an/an/a
http://222.186.52.155:21541/sh/AV.shn/an/abash
http://ztccds.freesfocss.com/zt_armn/an/an/a

Intelligence

File Origin
# of uploads :
1
# of downloads :
5
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
busybox evasive mirai soft-404
Link:
https://www.filescan.io/uploads/699b02d110e80629d4ed2f7b/reports/2542dc1c-3302-43e2-8b26-2c2384a10208/overview
Result
Gathering data
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/6bb62554-e32b-498c-9a48-64649c2cdb96
Behavior Graph:
Download SVG
%3 guuid=645e7ffd-2100-0000-725f-4a9fb3090000 pid=2483 /usr/bin/sudo guuid=46d786ff-2100-0000-725f-4a9fba090000 pid=2490 /tmp/sample.bin guuid=645e7ffd-2100-0000-725f-4a9fb3090000 pid=2483->guuid=46d786ff-2100-0000-725f-4a9fba090000 pid=2490 execve
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/d479800e8d2056d244c73cbbe5893dbe105eaf968ad2a43142c0486732ba6d9b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d479800e8d2056d244c73cbbe5893dbe105eaf968ad2a43142c0486732ba6d9b/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2r4yaduneblnerghhs56lcj5xyif5l4wrljkimkcybegomv2nwnq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260222-qk5f6sdt5d/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d479800e8d2056d244c73cbbe5893dbe105eaf968ad2a43142c0486732ba6d9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh d479800e8d2056d244c73cbbe5893dbe105eaf968ad2a43142c0486732ba6d9b

(this sample)

1fdfc6e3ae612b736236df4579ff7a10954d47d9e7be67e6ebe8da173b0671c8

  
URLhaus
https://urlhaus.abuse.ch/url/3783268/
  
Delivery method
Distributed via web download
  
Dropping
MD5 bc422233b2512d7d5eb5500daf8a7822
  
Dropping
SHA256 1fdfc6e3ae612b736236df4579ff7a10954d47d9e7be67e6ebe8da173b0671c8

Comments