MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a0b015f10ddb6773e33e27b07b24b1cd24a5095409173d587c7cdd247169c7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a0b015f10ddb6773e33e27b07b24b1cd24a5095409173d587c7cdd247169c7b
SHA3-384 hash: 1c8dcf2bf4c0fe55de91b4b22f8fe7512b2434d96d38677cbd9536edc7f19682df661da87abcc6c491d7ddd5ec5c4551
SHA1 hash: 89e8937786fdd7cdce680c53d2b65263c002610a
MD5 hash: 596982d542be067b07077a9dc0e1dcba
humanhash: fifteen-lamp-colorado-utah
File name:1a0b015f10ddb6773e33e27b07b24b1cd24a5095409173d587c7cdd247169c7b
Download: download sample
File size:12'190'268 bytes
First seen:2026-04-01 10:41:54 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 49152:+6q/kybcffR6aQ4YtFoGta1GVJLgtwDSgbvsZWZbQ6dQRB4+NThHpHkMhVIXrOcC:9
TLSH T1E3C633306E993EBD436C8364607F6F2D1FB10FA39458E5CB6AC525C64CA9B428267C3D
TrID 50.0% (.SH) Linux/UNIX shell script (7000/1)
28.5% (.PL) Perl script (4000/1/1)
21.4% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter JAMESWT_WT
Tags:sh update-check-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
52
Origin country :
IT IT
Vendor Threat Intelligence
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/69ccf68f90759d6205c095b7/reports/88be92aa-6408-4e41-bb2a-8c2b4a0f7586/overview
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-04-01T08:29:00Z UTC
Last seen:
2026-04-01T09:38:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/1a0b015f10ddb6773e33e27b07b24b1cd24a5095409173d587c7cdd247169c7b/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/80a11c9d-70b8-430e-b372-9ded0b13bfaf
Behavior Graph:
Download SVG
%3 guuid=24262dd6-1900-0000-a763-c99aa70c0000 pid=3239 /usr/bin/sudo guuid=216b69d8-1900-0000-a763-c99aa80c0000 pid=3240 /tmp/sample.bin guuid=24262dd6-1900-0000-a763-c99aa70c0000 pid=3239->guuid=216b69d8-1900-0000-a763-c99aa80c0000 pid=3240 execve guuid=1abedfd8-1900-0000-a763-c99aa90c0000 pid=3241 /usr/bin/mktemp guuid=216b69d8-1900-0000-a763-c99aa80c0000 pid=3240->guuid=1abedfd8-1900-0000-a763-c99aa90c0000 pid=3241 execve guuid=f56faa6e-1a00-0000-a763-c99aa90d0000 pid=3497 /usr/bin/base64 delete-file write-file guuid=216b69d8-1900-0000-a763-c99aa80c0000 pid=3240->guuid=f56faa6e-1a00-0000-a763-c99aa90d0000 pid=3497 execve guuid=d7e5a6ae-1a00-0000-a763-c99a1a0e0000 pid=3610 /usr/bin/chmod guuid=216b69d8-1900-0000-a763-c99aa80c0000 pid=3240->guuid=d7e5a6ae-1a00-0000-a763-c99a1a0e0000 pid=3610 execve guuid=229f15af-1a00-0000-a763-c99a1c0e0000 pid=3612 /usr/bin/bash guuid=216b69d8-1900-0000-a763-c99aa80c0000 pid=3240->guuid=229f15af-1a00-0000-a763-c99a1c0e0000 pid=3612 clone guuid=85a635af-1a00-0000-a763-c99a1e0e0000 pid=3614 /tmp/.fe943582e65d51c89zPTtj guuid=216b69d8-1900-0000-a763-c99aa80c0000 pid=3240->guuid=85a635af-1a00-0000-a763-c99a1e0e0000 pid=3614 execve guuid=b65b43af-1a00-0000-a763-c99a1f0e0000 pid=3615 /usr/bin/sleep guuid=216b69d8-1900-0000-a763-c99aa80c0000 pid=3240->guuid=b65b43af-1a00-0000-a763-c99a1f0e0000 pid=3615 execve guuid=fa6aefd9-1b00-0000-a763-c99a03120000 pid=4611 /usr/bin/rm delete-file guuid=216b69d8-1900-0000-a763-c99aa80c0000 pid=3240->guuid=fa6aefd9-1b00-0000-a763-c99a03120000 pid=4611 execve guuid=5a5b91da-1b00-0000-a763-c99a07120000 pid=4615 /usr/bin/sleep guuid=216b69d8-1900-0000-a763-c99aa80c0000 pid=3240->guuid=5a5b91da-1b00-0000-a763-c99a07120000 pid=4615 execve guuid=48e42252-1c00-0000-a763-c99a71130000 pid=4977 /usr/bin/bash guuid=216b69d8-1900-0000-a763-c99aa80c0000 pid=3240->guuid=48e42252-1c00-0000-a763-c99a71130000 pid=4977 clone
Score:
10%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/1a0b015f10ddb6773e33e27b07b24b1cd24a5095409173d587c7cdd247169c7b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a0b015f10ddb6773e33e27b07b24b1cd24a5095409173d587c7cdd247169c7b/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/1a0b015f10ddb6773e33e27b07b24b1cd24a5095409173d587c7cdd247169c7b
Threat name:
MacOS.Trojan.SAgnt
Create hunting rule
Status:
Malicious
First seen:
2026-03-27 15:52:11 UTC
File Type:
Text (Shell)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=difqcxyq3w3hoprt4j5qpmsldtjeuuevicixhvmhy7g5erywtr5q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion linux
Link:
https://tria.ge/reports/260401-mrxhcsbw8j/
Behaviour
Writes file to tmp directory
Deobfuscate/Decode Files or Information
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/1a0b015f10ddb6773e33e27b07b24b1cd24a5095409173d587c7cdd247169c7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments