File name:	059dc71f33a19774e03dc47e61c5383dd650f4967db0b13b47ac76b9a5208f4f.sh
Full analysis:	https://app.any.run/tasks/386e0a32-33b1-48ef-a224-8f535dcdd871
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 28, 2026, 11:53:13
OS:	Ubuntu 22.04.2
Tags:	loader
MIME:	text/x-shellscript
File info:	POSIX shell script, ASCII text executable
MD5:	88DE3E25E677D14A37EB4B09E8D503E3
SHA1:	264C2EDA838DEAAEA376A5128BE6D63722C12C9B
SHA256:	059DC71F33A19774E03DC47E61C5383DD650F4967DB0B13B47AC76B9A5208F4F
SSDEEP:	12:yEdEqdwq4XmaZVgzd3/FFscll7qxOOK4aF:ucHH7qxsF

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	—	79.127.216.204:443	https://odrs.gnome.org/1.0/reviews/api/ratings	CZ	—	—	—
—	—	POST	—	185.125.188.60:443	https://api.snapcraft.io/v2/snaps/refresh	GB	—	—	unknown
—	—	POST	—	185.125.188.60:443	https://api.snapcraft.io/v2/snaps/refresh	GB	—	—	unknown
—	—	POST	200	185.125.188.60:443	https://api.snapcraft.io/v2/snaps/refresh	GB	text	39.5 Kb	unknown
—	—	GET	204	91.189.91.98:80	http://connectivity-check.ubuntu.com/	GB	—	—	whitelisted
—	—	GET	204	185.125.190.101:80	http://connectivity-check.ubuntu.com/	GB	—	—	whitelisted
3196	busybox	GET	200	140.233.190.47:80	http://140.233.190.47/terrabot/023782pler.x86	ZA	binary	50.9 Kb	unknown
—	—	POST	200	185.125.188.60:443	https://api.snapcraft.io/v2/snaps/refresh	GB	text	39.5 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
452	avahi-daemon	224.0.0.251:5353	—	—	—	whitelisted
—	—	185.125.190.101:80	connectivity-check.ubuntu.com	CANONICAL-AS	GB	whitelisted
—	—	185.125.190.100:80	connectivity-check.ubuntu.com	CANONICAL-AS	GB	whitelisted
—	—	79.127.216.204:443	odrs.gnome.org	CDN77 _	GB	whitelisted
—	—	185.125.188.60:443	api.snapcraft.io	CANONICAL-AS	GB	whitelisted
—	—	185.125.188.54:443	api.snapcraft.io	CANONICAL-AS	GB	whitelisted
—	—	185.125.188.58:443	api.snapcraft.io	CANONICAL-AS	GB	whitelisted
—	—	91.189.91.98:80	connectivity-check.ubuntu.com	CANONICAL-AS	GB	whitelisted
3196	busybox	140.233.190.47:80	—	INTERNET-MAGNATE	ZA	unknown
3309	.f	8.8.8.8:53	—	GOOGLE	US	whitelisted

Domain	IP	Reputation
connectivity-check.ubuntu.com	185.125.190.101 185.125.190.100 91.189.91.98 91.189.91.97 185.125.190.99 2620:2d:4002:1::197 2620:2d:4000:1::1101 2620:2d:4000:1::1100 2620:2d:4002:1::198 2620:2d:4000:1::1099	whitelisted
odrs.gnome.org	79.127.216.204 195.181.170.19 195.181.175.40 212.102.56.178 37.19.194.81 79.127.211.89 2a02:6ea0:c77a::48 2a02:6ea0:c700::19 2a02:6ea0:c700::21 2a02:6ea0:c700::11 2a02:6ea0:c700::101 2a02:6ea0:c77a::47	whitelisted
api.snapcraft.io	185.125.188.60 185.125.188.54 185.125.188.58 185.125.188.57 185.125.188.59 185.125.188.55 2620:2d:4000:1010::117 2620:2d:4000:1010::42 2620:2d:4000:1010::2cc 2620:2d:4000:1010::6d	whitelisted
google.com	142.250.154.139 142.250.154.100 142.250.154.138 142.250.154.101 142.250.154.102 142.250.154.113 2a00:1450:4001:c13::66 2a00:1450:4001:c13::8a 2a00:1450:4001:c13::64 2a00:1450:4001:c13::8b	whitelisted
5.100.168.192.in-addr.arpa	—	whitelisted

PID	Process	Class	Message
3196	busybox	Potentially Bad Traffic	ET INFO x86 File Download Request from IP Address
3196	busybox	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .x86
3196	busybox	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP

PID	Process	Filename		Type
3193	dash	/home/user/.f		binary
		MD5:—	SHA256:—

General Info

059dc71f33a19774e03dc47e61c5383dd650f4967db0b13b47ac76b9a5208f4f.sh

88DE3E25E677D14A37EB4B09E8D503E3

264C2EDA838DEAAEA376A5128BE6D63722C12C9B

059DC71F33A19774E03DC47E61C5383DD650F4967DB0B13B47AC76B9A5208F4F

12:yEdEqdwq4XmaZVgzd3/FFscll7qxOOK4aF:ucHH7qxsF

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Executes the "rm" command to delete files or directories

Modifies file or directory owner

Create hidden file

Potential Corporate Privacy Violation

INFO

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings