MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ce02664505b1c5b519bc6c554d3be9f8f7e30c38f488446121d1a57054d72fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

SHA256 hash: 1ce02664505b1c5b519bc6c554d3be9f8f7e30c38f488446121d1a57054d72fb
SHA3-384 hash: 8f59a6aa65606215ba0ba12367c341943fc4d8a09d137193d9017110962e310d0f3f4393f149e3e5f9878c420caf87a5
SHA1 hash: 929490ed612151b5851e77c8eba29ca63e4de497
MD5 hash: 267b92014e83dbe6b9cc5e6dca4b27ea
humanhash: west-kansas-april-march
File name: i
File size: 576 bytes
First seen: 2025-06-17 10:46:42 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:3UkWK3qq15ZMoLF7+MB05loVPuLEDjoVPuLhDNkD8Tvn:k9q5zLt+MB08x0Vx0XkD8jn
TLSH: T1BEF0FCCF51E5DC342C515DFEB4575B1A28C5C4C9069B4EC1A08E00BAF5CDD0D7161D75
Magika: shell
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://94.26.90.217/vv/n/an/an/a

Intelligence


File Origin
# of uploads: 1
# of downloads: 56
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph:
Threat name: Script.Trojan.Multiverze
Status: Malicious
First seen: 2025-06-17 10:49:31 UTC
File Type: Text (Shell)
AV detection: 9 of 38 (23.68%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh 1ce02664505b1c5b519bc6c554d3be9f8f7e30c38f488446121d1a57054d72fb (this sample)

Delivery method: Distributed via web download

Comments