MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2c59c4f12e9725a468208a2a7d3ea474e24f123cb64d324735a75e07de5730f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2c59c4f12e9725a468208a2a7d3ea474e24f123cb64d324735a75e07de5730f
SHA3-384 hash: 72c489a51f6f64b49579d640e4f2a2cdb55dc44832760638da6c6fcdfec03cc359f2d5c1e5b0a698028fad0cb230b240
SHA1 hash: 53842f34efd66c9768b2a5b9e108442c108a2525
MD5 hash: a28f06fd35d4075bb2d69fa40c2dd2ad
humanhash: earth-quiet-timing-hamper
File name:massload
Download: download sample
File size:330 bytes
First seen:2026-06-05 13:48:31 UTC
Last seen:2026-06-06 00:15:54 UTC
File type: sh
MIME type:text/plain
ssdeep 6:L6FnGj5AANaa626V6F45AAPgV6FTWX5AAvbT2V6FLX5AA6KIey:KGj5AANfN6N5AAYau5AAjT2eX5AA6b
TLSH T1BEE01AEAA815A752400DEE44A07789597036EAD71590860C38EE20E9C8AC91DA229A8A
Magika html
Reporter BlinkzSec
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://31.56.209.220/arm75c501efadac0000afee68f6e6b8c362f20d66734f036ab26ea23ade50fd7cf3a Miraiarm elf mirai ua-wget
http://31.56.209.220/arm507bcfe93ba826112d94e11ed81e99e79019187b4cef043806f98fbcb4db4aa2a Miraiarm elf mirai ua-wget
http://31.56.209.220/mips3cf13f6915e916344708b364af4458befb09731bd920a637a3adfec34b6ea219 Miraielf mips mirai ua-wget
http://31.56.209.220/mpsl1bd61f2b5fec4f77c5a12ac5f3ba81b5396a3fabd886c3599e06b00569ad8078 Miraielf mips mirai ua-wget

Intelligence

File Origin
# of uploads :
27
# of downloads :
24
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Linux.Downloader-35.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive
Link:
https://www.filescan.io/uploads/6a22dc58099ef368af221417/reports/25d90eff-2ebb-4991-98b3-3982b7019582/overview
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/a8bd9f65-f0fd-4543-9a5c-7846c73968d2
Behavior Graph:
Download SVG
%3 guuid=b99df1f2-1800-0000-4b61-edafe6090000 pid=2534 /usr/bin/sudo guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544 /tmp/sample.bin guuid=b99df1f2-1800-0000-4b61-edafe6090000 pid=2534->guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544 execve guuid=b6b189f6-1800-0000-4b61-edaff1090000 pid=2545 /usr/bin/rm guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=b6b189f6-1800-0000-4b61-edaff1090000 pid=2545 execve guuid=06ec1ff7-1800-0000-4b61-edaff2090000 pid=2546 /usr/bin/wget net send-data write-file guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=06ec1ff7-1800-0000-4b61-edaff2090000 pid=2546 execve guuid=ea2f32ff-1800-0000-4b61-edaffd090000 pid=2557 /usr/bin/chmod guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=ea2f32ff-1800-0000-4b61-edaffd090000 pid=2557 execve guuid=1c10b5ff-1800-0000-4b61-edafff090000 pid=2559 /usr/bin/dash guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=1c10b5ff-1800-0000-4b61-edafff090000 pid=2559 clone guuid=3d0aa701-1900-0000-4b61-edaf030a0000 pid=2563 /usr/bin/rm guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=3d0aa701-1900-0000-4b61-edaf030a0000 pid=2563 execve guuid=20b8f001-1900-0000-4b61-edaf050a0000 pid=2565 /usr/bin/wget net send-data write-file guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=20b8f001-1900-0000-4b61-edaf050a0000 pid=2565 execve guuid=342e1808-1900-0000-4b61-edaf120a0000 pid=2578 /usr/bin/chmod guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=342e1808-1900-0000-4b61-edaf120a0000 pid=2578 execve guuid=15b96608-1900-0000-4b61-edaf130a0000 pid=2579 /usr/bin/dash guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=15b96608-1900-0000-4b61-edaf130a0000 pid=2579 clone guuid=fa3c2609-1900-0000-4b61-edaf170a0000 pid=2583 /usr/bin/rm guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=fa3c2609-1900-0000-4b61-edaf170a0000 pid=2583 execve guuid=e5c36f09-1900-0000-4b61-edaf190a0000 pid=2585 /usr/bin/wget net send-data write-file guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=e5c36f09-1900-0000-4b61-edaf190a0000 pid=2585 execve guuid=58d2640f-1900-0000-4b61-edaf2c0a0000 pid=2604 /usr/bin/chmod guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=58d2640f-1900-0000-4b61-edaf2c0a0000 pid=2604 execve guuid=d95cad0f-1900-0000-4b61-edaf2e0a0000 pid=2606 /usr/bin/dash guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=d95cad0f-1900-0000-4b61-edaf2e0a0000 pid=2606 clone guuid=7d6c6110-1900-0000-4b61-edaf320a0000 pid=2610 /usr/bin/rm guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=7d6c6110-1900-0000-4b61-edaf320a0000 pid=2610 execve guuid=ab9bb710-1900-0000-4b61-edaf340a0000 pid=2612 /usr/bin/wget net send-data write-file guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=ab9bb710-1900-0000-4b61-edaf340a0000 pid=2612 execve guuid=d7d01f17-1900-0000-4b61-edaf480a0000 pid=2632 /usr/bin/chmod guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=d7d01f17-1900-0000-4b61-edaf480a0000 pid=2632 execve guuid=6a976017-1900-0000-4b61-edaf4a0a0000 pid=2634 /usr/bin/dash guuid=21d312f6-1800-0000-4b61-edaff0090000 pid=2544->guuid=6a976017-1900-0000-4b61-edaf4a0a0000 pid=2634 clone d6416cf9-53bd-50ef-8d88-92b65e079ca0 31.56.209.220:80 guuid=06ec1ff7-1800-0000-4b61-edaff2090000 pid=2546->d6416cf9-53bd-50ef-8d88-92b65e079ca0 send: 132B guuid=20b8f001-1900-0000-4b61-edaf050a0000 pid=2565->d6416cf9-53bd-50ef-8d88-92b65e079ca0 send: 132B guuid=e5c36f09-1900-0000-4b61-edaf190a0000 pid=2585->d6416cf9-53bd-50ef-8d88-92b65e079ca0 send: 132B guuid=ab9bb710-1900-0000-4b61-edaf340a0000 pid=2612->d6416cf9-53bd-50ef-8d88-92b65e079ca0 send: 132B
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/f2c59c4f12e9725a468208a2a7d3ea474e24f123cb64d324735a75e07de5730f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2c59c4f12e9725a468208a2a7d3ea474e24f123cb64d324735a75e07de5730f/
Verdict:
Malicious
Threat:
Trojan-Downloader.Shell.Agent
Link:
https://tip.neiki.dev/file/f2c59c4f12e9725a468208a2a7d3ea474e24f123cb64d324735a75e07de5730f
Threat name:
Document-HTML.Hacktool.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-06-05 13:48:15 UTC
File Type:
Text (Shell)
AV detection:
4 of 36 (11.11%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6lczytys5fzfurucbcrkpu7ki5hcj4jdznsngjdtlj26a7pfomhq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260605-rrhfnahw21/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f2c59c4f12e9725a468208a2a7d3ea474e24f123cb64d324735a75e07de5730f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh f2c59c4f12e9725a468208a2a7d3ea474e24f123cb64d324735a75e07de5730f

(this sample)

Mirai

elf 5c501efadac0000afee68f6e6b8c362f20d66734f036ab26ea23ade50fd7cf3a

  
URLhaus
https://urlhaus.abuse.ch/url/3859294/
  
Delivery method
Distributed via web download
  
Dropping
MD5 db326f41279c5fd0863ef8375875b2bd
  
Dropping
SHA256 5c501efadac0000afee68f6e6b8c362f20d66734f036ab26ea23ade50fd7cf3a

Comments