MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ffa6dafa8c65e522224da55752e0b4b8b5fb386719a866247e40e788f5fa0d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 0ffa6dafa8c65e522224da55752e0b4b8b5fb386719a866247e40e788f5fa0d1
SHA3-384 hash: 32af0791a431a1959e0f60fcf285fbb558e20fe8dd41cb622c04ee6fd2ae1b1dcba007b673bda01dc708eab8a002279c
SHA1 hash: 095a91f6d8d9c7b4eaa714b5ff8a9722b6eaabd0
MD5 hash: 7f36c1055b23492035234453bbc5628c
humanhash: golf-montana-video-lactose
File name: checkmacos.sh
File size: 993 bytes
First seen: 2026-01-13 16:19:41 UTC
Last seen: 2026-01-14 15:44:32 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:VUeYj+H1QEDMK9CFdYhEnHQ+Yw9I5DKqRyu3AnQZaZl1cSRs/:VUeYj+H1QEDMK9CnYhEbSKUyuwOjSu
TLSH: T1B4118C816629ACB92CCC832DA3E758695086013F555F2F98BCDA9CBA0F1C540B150FA8
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

URL                                   Malware sample (SHA256 hash)   Signature   Tags
http://149.28.129.194/checkmacos.sh   n/a                            n/a         ua-wget
http://149.28.129.194/macos           n/a                            n/a         ua-wget

Intelligence


File Origin
# of uploads: 2
# of downloads: 34
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: bash lolbin

Verdict: Malicious
File Type: unix shell
First seen: 2026-01-13T13:28:00Z UTC
Last seen: 2026-01-14T12:48:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.cw
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Linux.Downloader.Generic
Status: Suspicious
First seen: 2026-01-13 16:10:42 UTC
File Type: Text (Shell)
AV detection: 4 of 36 (11.11%)
Threat level: 3/5

Result
Malware family: n/a
Score: 6/10
Tags: discovery execution linux persistence privilege_escalation
Behaviour:
Reads runtime system information
Reads CPU attributes
Creates/modifies Cron job
Enumerates running processes
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh  0ffa6dafa8c65e522224da55752e0b4b8b5fb386719a866247e40e788f5fa0d1  (this sample)

Delivery method: Distributed via web download
