MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26efebddb42aa2f169d9ee3db047a025ba43524b923d368cd2923524f9f7a6b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Supershell

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	26efebddb42aa2f169d9ee3db047a025ba43524b923d368cd2923524f9f7a6b1
SHA3-384 hash:	c083e7f82f8478eca5b3a56611660fdfd71dc71378b0d595ccd20abd6cb679e7b9f1446fce325cc10606eaf3be9dd1c4
SHA1 hash:	316395eb33b5d4ace93570a7a1f66822b2dc1c73
MD5 hash:	1e2a28728cff11d43a684f6c859e7656
humanhash:	delta-bakerloo-william-fix
File name:	yi.sh
Download:	download sample
Signature	Supershell Create hunting rule
File size:	299 bytes
First seen:	2025-08-05 21:04:12 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	6:zHLAgpTVS+QFhbcJizrfd1BrF3zuiIa0K1XGcyQDFSysQDQpyDy:Igp5SHlcJQrfdTF3h0KNGbTysL
TLSH	T1F0E07DFC6024AEB1314FDC8C7705C04088C346964EB93985F1FA18616C3D348F153759
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://103.43.18.19:16788/yi	eb8c12e9b881357c912d6e75f85e87842ac4859e183d97e0af24bd3fe945e895	Supershell	supershell ua-wget

Intelligence

File Origin

# of uploads :

1

# of downloads :

35

Origin country :

DE

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/689271dc397fd3ce6f9e318b/reports/8c7d62e5-25d3-4691-8883-91d9d9abad69/overview

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/5f836cd8-f88e-46f2-81ab-61801f18e839

Behavior Graph:

Score:

93%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/26efebddb42aa2f169d9ee3db047a025ba43524b923d368cd2923524f9f7a6b1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/26efebddb42aa2f169d9ee3db047a025ba43524b923d368cd2923524f9f7a6b1/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/26efebddb42aa2f169d9ee3db047a025ba43524b923d368cd2923524f9f7a6b1

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e3x6xxnufkrpc2oz5y63ar5aew5eguslsi6tndgssi2sj6pxu2yq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/250805-zwrh5ayvcs/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/26efebddb42aa2f169d9ee3db047a025ba43524b923d368cd2923524f9f7a6b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 26efebddb42aa2f169d9ee3db047a025ba43524b923d368cd2923524f9f7a6b1

(this sample)

elf eb8c12e9b881357c912d6e75f85e87842ac4859e183d97e0af24bd3fe945e895

URLhaus

https://urlhaus.abuse.ch/url/3597126/

Delivery method

Distributed via web download

Dropping

MD5 66238749ebba1548f6829ba81f507a73

Dropping

SHA256 eb8c12e9b881357c912d6e75f85e87842ac4859e183d97e0af24bd3fe945e895

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample