MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 11c6c1093456e9eb949778d8fa9987cc7ffbd678fa2d30268f6e6b2ac2a320fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 6
| SHA256 hash: | 11c6c1093456e9eb949778d8fa9987cc7ffbd678fa2d30268f6e6b2ac2a320fb |
|---|---|
| SHA3-384 hash: | d8ce8290dc1b17f757b27f3216fe96032ceecd734a62033664d8932eba33c02eda32f05ce65c97166be6fb58cce475b4 |
| SHA1 hash: | 791a6ff8f630ac0d1e91a68fb972a31d126866cd |
| MD5 hash: | c4ac1b5aa602945c0e8d8c8148205137 |
| humanhash: | magazine-minnesota-venus-bravo |
| File name: | curl.sh |
| Download: | download sample |
| File size: | 1'449 bytes |
| First seen: | 2026-06-10 13:54:50 UTC |
| Last seen: | Never |
| File type: | sh |
| MIME type: | text/x-shellscript |
| ssdeep | 24:ZBqglRB0G29BCmnBQs1gBDmMBdTCsCBp1k8dBLETB4bmfSVBz0bsFByU5vBDZUw:/jppsCmBJeDmAd+sCjk8DLYjfSrz4ayI |
| TLSH | T1C9314BE4A1D01BF31ED4CE05BB2359BD60AC40CE7F2EA7D8A46908DD67957C3F188259 |
| TrID | 70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1) |
| Magika | shell |
| Reporter |  abuse_ch |
| Tags: | sh |
Shell script dropper
This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.
| URL | Malware sample (SHA256 hash) | Signature | Tags |
|---|---|---|---|
| http://5.175.249.53/arm | n/a | n/a | elf ua-wget |
| http://5.175.249.53/arm5 | n/a | n/a | elf ua-wget |
| http://5.175.249.53/arm6 | n/a | n/a | elf ua-wget |
| http://5.175.249.53/arm7 | n/a | n/a | elf ua-wget |
| http://5.175.249.53/m68k | n/a | n/a | elf ua-wget |
| http://5.175.249.53/mips | n/a | n/a | elf ua-wget |
| http://5.175.249.53/mpsl | n/a | n/a | elf ua-wget |
| http://5.175.249.53/ppc | n/a | n/a | elf ua-wget |
| http://5.175.249.53/sh4 | n/a | n/a | elf ua-wget |
| http://5.175.249.53/spc | n/a | n/a | elf ua-wget |
| http://5.175.249.53/x86 | n/a | n/a | elf ua-wget |
| http://5.175.249.53/arc | n/a | n/a | elf ua-wget |
Intelligence
File Origin
# of uploads :
1
# of downloads :
54
Origin country :
DEVendor Threat Intelligence
No detections
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
busybox evasive
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-06-10T11:01:00Z UTC
Last seen:
2026-06-10T11:15:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.cx
Status:
terminated
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Threat name:
Document-HTML.Trojan.Vigorf
Status:
Malicious
First seen:
2026-06-10 13:55:41 UTC
File Type:
Text (Shell)
AV detection:
10 of 23 (43.48%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
7/10
Tags:
defense_evasion discovery linux
Behaviour
System Network Configuration Discovery
File and Directory Permissions Modification
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
sh 11c6c1093456e9eb949778d8fa9987cc7ffbd678fa2d30268f6e6b2ac2a320fb
(this sample)
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.