MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebc3bbfd4a90be45fb3bdc345cccc5f02cf0fc5f28e5f5462b7a1acb720dcc9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: ebc3bbfd4a90be45fb3bdc345cccc5f02cf0fc5f28e5f5462b7a1acb720dcc9e
SHA3-384 hash: 279c1e60d45f87b1ea843774b272e4e9659fc789c2142c93ed3409312b52fc174b6847f27fc36316eeb9942556201678
SHA1 hash: b79fdbb8c984659d351f0992953b28951305e030
MD5 hash: f8752ac5cd750d6c4bda9ab405d9d8f6
humanhash: freddie-mississippi-alabama-pasta
File name: aaa
File size: 1'538 bytes
First seen: 2026-05-30 16:43:56 UTC
Last seen: 2026-05-30 17:48:22 UTC
File type: sh
MIME type: text/plain
ssdeep 24:sF+l/2rvKsT/2eEsc/2PAd/25Hstl/2nmst/22Iss/2TX/2Dxs7/2bsR/2zlsO/h:eiq7efNTKXt6ySKxUNh
TLSH T12231B3CA50A08ABA3CD49D8B766FCD0E3016F59E18C95F89DACC30FA588CD86B051703
Magika: txt
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 43
# of downloads: 12
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive

Verdict: Malicious
File Type: text
First seen: 2024-04-14T16:45:00Z UTC
Last seen: 2026-05-31T23:44:00Z UTC
Hits: ~10
Status: terminated

Threat name: Linux.Downloader.Generic
Status: Suspicious
First seen: 2024-07-04 04:23:08 UTC
File Type: Text (Shell)
AV detection: 17 of 36 (47.22%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh ebc3bbfd4a90be45fb3bdc345cccc5f02cf0fc5f28e5f5462b7a1acb720dcc9e

(this sample)

  
Delivery method
Distributed via web download
