MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e8c239ee094ea6680a8e69d886fa82559d760b1e55ed95b3b54c69c1a74e5fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	0e8c239ee094ea6680a8e69d886fa82559d760b1e55ed95b3b54c69c1a74e5fa
SHA3-384 hash:	ca1b1b35a4eb1c58202592d9af35a3cc84f467a0ca52c2972bbcbd0f26b1e0b23f5e3c77b3ab5c14a0bb597f8819fece
SHA1 hash:	df1ba1bae7d75c6e68f90dcf8679a9a88c17544d
MD5 hash:	4a224587bbf603f3a364acc4cab74450
humanhash:	sink-echo-iowa-fillet
File name:	ssh
Download:	download sample
File size:	732 bytes
First seen:	2025-02-23 11:42:07 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:qg7gGQ64UMFGIyuU/8wATpL8wA018wA38wA9Ih8wAN8wX:f7gGb4UEGIyuUvATFA8AXA9QABX
TLSH	T1190184DBB122A5D23C4109D7BCD128AF91DCC4CB35EB4FBEECC26DD600478083505546
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://45.125.66.81/almips	n/a	n/a	n/a
http://45.125.66.81/almpsl	n/a	n/a	n/a
http://45.125.66.81/alarm7	n/a	n/a	n/a
http://45.125.66.81/alarm6	n/a	n/a	n/a
http://45.125.66.81/alarm5	n/a	n/a	n/a
http://45.125.66.81/alarm	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67bb0997a0fd713c335c721dlinux22vpnfull_triage

Tags:

agent hype sage

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/67bb09963afc3763bec248e9/reports/ac216d9a-98ae-488c-b031-3ca5e96b0ee9/overview

Result

Verdict:

UNKNOWN

Score:

20%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/0e8c239ee094ea6680a8e69d886fa82559d760b1e55ed95b3b54c69c1a74e5fa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0e8c239ee094ea6680a8e69d886fa82559d760b1e55ed95b3b54c69c1a74e5fa/

Threat name:

Win32.Trojan.Gafgyt

Status:

Malicious

First seen:

2025-02-23 11:43:12 UTC

File Type:

Text (Shell)

AV detection:

8 of 38 (21.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=b2gchhxastvgnafi42oyq35ievm5oyfr4vpnswz3ktdjygtu4x5a._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux

Link:

https://tria.ge/reports/250223-nt3ylaxpw9/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Enumerates active TCP sockets

File and Directory Permissions Modification

Executes dropped EXE

Unexpected DNS network traffic destination

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/0e8c239ee094ea6680a8e69d886fa82559d760b1e55ed95b3b54c69c1a74e5fa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 0e8c239ee094ea6680a8e69d886fa82559d760b1e55ed95b3b54c69c1a74e5fa

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3449755/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample