MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 028f1e2ce50f9911d30905bdfb4b706fc520f32d7a753b83022de1812944b976. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 028f1e2ce50f9911d30905bdfb4b706fc520f32d7a753b83022de1812944b976
SHA3-384 hash: d98c75aa8a4d4f4852e3c3cfd2b932f4eceb5cc25b3525d9c5493273d348993f383870d94306fce837e842f02ea95606
SHA1 hash: e7f8b78ed1e35a83a1790114e1436684c08788f1
MD5 hash: 33669b1646ea8b64c0a82b8b52140f14
humanhash: texas-sodium-mirror-victor
File name:028f1e2ce50f9911d30905bdfb4b706fc520f32d7a753b83022de1812944b976
Download: download sample
File size:12'190'323 bytes
First seen:2026-04-01 10:41:07 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 49152:S6q/kybcffR6aQ4YtFoGta1GVJLgtwDSgbvsZWZbQ6dQRB4+NThHpHkMhVIXrOcB:W
TLSH T102C633306E993EBD436C8364607F6F2D1FB10FA39458E5CB6AC525C64CA9B428267C3D
TrID 50.0% (.SH) Linux/UNIX shell script (7000/1)
28.5% (.PL) Perl script (4000/1/1)
21.4% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter JAMESWT_WT
Tags:sh update-check-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
46
Origin country :
IT IT
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.MacOS.Stealer-II.43793924.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
File Type:
unix shell
First seen:
2026-03-28T16:48:00Z UTC
Last seen:
2026-04-01T10:44:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/028f1e2ce50f9911d30905bdfb4b706fc520f32d7a753b83022de1812944b976/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/bef69b03-bef3-4050-835b-e9af0947a8aa
Behavior Graph:
Download SVG
%3 guuid=b14030fb-1800-0000-b1f4-8b6644080000 pid=2116 /usr/bin/sudo guuid=00ee14fe-1800-0000-b1f4-8b6648080000 pid=2120 /tmp/sample.bin guuid=b14030fb-1800-0000-b1f4-8b6644080000 pid=2116->guuid=00ee14fe-1800-0000-b1f4-8b6648080000 pid=2120 execve guuid=cff862ff-1800-0000-b1f4-8b664c080000 pid=2124 /usr/bin/mktemp guuid=00ee14fe-1800-0000-b1f4-8b6648080000 pid=2120->guuid=cff862ff-1800-0000-b1f4-8b664c080000 pid=2124 execve guuid=a798aca2-1900-0000-b1f4-8b662a090000 pid=2346 /usr/bin/base64 delete-file write-file guuid=00ee14fe-1800-0000-b1f4-8b6648080000 pid=2120->guuid=a798aca2-1900-0000-b1f4-8b662a090000 pid=2346 execve guuid=ea72b7e7-1900-0000-b1f4-8b6693090000 pid=2451 /usr/bin/chmod guuid=00ee14fe-1800-0000-b1f4-8b6648080000 pid=2120->guuid=ea72b7e7-1900-0000-b1f4-8b6693090000 pid=2451 execve guuid=389b2be8-1900-0000-b1f4-8b6695090000 pid=2453 /usr/bin/bash guuid=00ee14fe-1800-0000-b1f4-8b6648080000 pid=2120->guuid=389b2be8-1900-0000-b1f4-8b6695090000 pid=2453 clone guuid=c1d853e8-1900-0000-b1f4-8b6696090000 pid=2454 /tmp/.4277777b61b2fe3fdG1jjp guuid=00ee14fe-1800-0000-b1f4-8b6648080000 pid=2120->guuid=c1d853e8-1900-0000-b1f4-8b6696090000 pid=2454 execve guuid=3b586de8-1900-0000-b1f4-8b6697090000 pid=2455 /usr/bin/sleep guuid=00ee14fe-1800-0000-b1f4-8b6648080000 pid=2120->guuid=3b586de8-1900-0000-b1f4-8b6697090000 pid=2455 execve guuid=747a0613-1b00-0000-b1f4-8b666e0c0000 pid=3182 /usr/bin/rm delete-file guuid=00ee14fe-1800-0000-b1f4-8b6648080000 pid=2120->guuid=747a0613-1b00-0000-b1f4-8b666e0c0000 pid=3182 execve guuid=ea41dd13-1b00-0000-b1f4-8b666f0c0000 pid=3183 /usr/bin/sleep guuid=00ee14fe-1800-0000-b1f4-8b6648080000 pid=2120->guuid=ea41dd13-1b00-0000-b1f4-8b666f0c0000 pid=3183 execve guuid=ad20948b-1b00-0000-b1f4-8b66300d0000 pid=3376 /usr/bin/bash guuid=00ee14fe-1800-0000-b1f4-8b6648080000 pid=2120->guuid=ad20948b-1b00-0000-b1f4-8b66300d0000 pid=3376 clone
Score:
10%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/028f1e2ce50f9911d30905bdfb4b706fc520f32d7a753b83022de1812944b976
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/028f1e2ce50f9911d30905bdfb4b706fc520f32d7a753b83022de1812944b976/
Verdict:
Malicious
Threat:
Trojan-PSW.OSX.Amos
Link:
https://tip.neiki.dev/file/028f1e2ce50f9911d30905bdfb4b706fc520f32d7a753b83022de1812944b976
Threat name:
Win32.Trojan.Qwexlafiba
Create hunting rule
Status:
Malicious
First seen:
2026-03-26 13:20:06 UTC
File Type:
Text (Shell)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=akhr4lhfb6mrduyjaw67ws3qn7csb4znpj2txaycfxqyckkexf3a._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion linux
Link:
https://tria.ge/reports/260401-mractset8y/
Behaviour
Writes file to tmp directory
Deobfuscate/Decode Files or Information
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/028f1e2ce50f9911d30905bdfb4b706fc520f32d7a753b83022de1812944b976

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments