MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2670466de85480cbf02219e7ffadb5b176c6ea74ae2e2b3b95a98e4590c8a98a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	2670466de85480cbf02219e7ffadb5b176c6ea74ae2e2b3b95a98e4590c8a98a
SHA3-384 hash:	f1be810534bf111b6561b51285681ac8fe2107cce2ae7c9b22e78d59b0b1cac39e9d80e7e442dd2611f1e26f8b711491
SHA1 hash:	16a6e74b2a7b811cdff3129833b9975b67cbd589
MD5 hash:	06c4a3110897a5515a8d343484f02b73
humanhash:	mike-lion-sad-mirror
File name:	busybox.sh
Download:	download sample
File size:	1'025 bytes
First seen:	2025-06-24 23:00:46 UTC
Last seen:	2025-06-25 12:04:52 UTC
File type:	sh
MIME type:	text/plain
ssdeep	24:y6IF6Itd6IRGNINd6InKk6Id6IX6IGY6I3136Iv6IN6IT:ypFpHpdpnDpdpXpGYp3ZpvpNpT
TLSH	T173119AEA8459740344A19C6070796C59E01ACAE02684DBC9F4DED4F7E2A9E3E633278C
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://api.trumdvfb.com/skibidi/cutearm	n/a	n/a	n/a
http://api.trumdvfb.com/skibidi/cutearm5	n/a	n/a	n/a
http://api.trumdvfb.com/skibidi/cutearm6	n/a	n/a	n/a
http://api.trumdvfb.com/skibidi/cutearm7	n/a	n/a	n/a
http://api.trumdvfb.com/skibidi/cutem68k	n/a	n/a	n/a
http://api.trumdvfb.com/skibidi/cutemips	n/a	n/a	n/a
http://api.trumdvfb.com/skibidi/cutempsl	n/a	n/a	n/a
http://api.trumdvfb.com/skibidi/cutepowerpc	n/a	n/a	botnetdomain elf ua-wget
http://api.trumdvfb.com/skibidi/cutesh4	n/a	n/a	n/a
http://api.trumdvfb.com/skibidi/cutex86	n/a	n/a	n/a
http://api.trumdvfb.com/skibidi/cutex86_64	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

Vendor Threat Intelligence

Verdict:

Clean

Score:

84.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685b2e4fb06783b9ebd71edclinux22vpnfull_triage

Tags:

n/a

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/685b2e493faf8fcd7d401cba/reports/245681aa-1cff-4acb-bd4e-1d39a7ad79f2/overview

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/01fcd859-9407-4664-bf62-633d0c7e8b46

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/2670466de85480cbf02219e7ffadb5b176c6ea74ae2e2b3b95a98e4590c8a98a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2670466de85480cbf02219e7ffadb5b176c6ea74ae2e2b3b95a98e4590c8a98a/

Threat name:

Document-HTML.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-06-24 23:01:30 UTC

File Type:

Text (Shell)

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ezyem3piksamx4bcdht77lnvwf3mn2tuvyxcwo4vvghelegivgfa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250624-2zslpszqv3/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2670466de85480cbf02219e7ffadb5b176c6ea74ae2e2b3b95a98e4590c8a98a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 2670466de85480cbf02219e7ffadb5b176c6ea74ae2e2b3b95a98e4590c8a98a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3562359/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample