MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35d90455526e0bd9326933f0c907a38d6780727ddcbd4516e29253d66d08abbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	35d90455526e0bd9326933f0c907a38d6780727ddcbd4516e29253d66d08abbf
SHA3-384 hash:	f03ea75bc6702bfac65c1a5af51c51fbfe45e80a135eac2be1329de2d3a8d76a12e352b153a6a2e052b0540f51ba8f30
SHA1 hash:	306eb5e302e992fa64c79fb6f9023471cebd3a3c
MD5 hash:	f9d37ff23362e38a484df813a1d83f69
humanhash:	georgia-leopard-ten-mars
File name:	35d90455526e0bd9326933f0c907a38d6780727ddcbd4516e29253d66d08abbf.sh
Download:	download sample
File size:	14'688 bytes
First seen:	2026-02-27 14:06:34 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	192:cCu/K6nC4hvZ5mzj7V7jiDDDM79E44+TUO:+C4hvZ5mzjB7joDg79E4L
TLSH	T148626C7621F04A335B9065C4A33717915FB2A61744A720E8F4FE1E359F5AB03B0FBA21
Magika	xml
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://38.6.178.140/easy.sh	n/a	n/a	n/a
http://38.6.178.140/easy_cloud.sh	n/a	n/a	n/a
http://38.6.178.140/sh/easy_av_curl.sh	n/a	n/a	n/a
http://109.205.213.2/download.sh	n/a	n/a	n/a
http://194.156.102.210/bins/bins.sh	n/a	n/a	n/a
http://116.129.7.63:81/hiddenbin/dvr1.sh	n/a	n/a	n/a
http://hxipzknrsojnitzv.zip/bins/bins.sh	652285d260515c08cfe146ebdd2f5a4977ec490a608c57007abcb5b6f4fd4975	Mirai	botnetdomain mirai opendir sh

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/69a1a51497feb4afd65f672d/reports/5a6a345c-ae95-4c37-bdfa-eb33d822b2ae/overview

Result

Gathering data

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/35d90455526e0bd9326933f0c907a38d6780727ddcbd4516e29253d66d08abbf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/35d90455526e0bd9326933f0c907a38d6780727ddcbd4516e29253d66d08abbf/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/35d90455526e0bd9326933f0c907a38d6780727ddcbd4516e29253d66d08abbf

Threat name:

Script-Shell.Trojan.Heuristic

Status:

Malicious

First seen:

2026-02-27 14:07:23 UTC

File Type:

Text (HTML)

AV detection:

3 of 36 (8.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gxmqivksnyf5smtjgpymsb5drvtya4t53s6ukfxcsjj5m3iivo7q._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260227-re37laaz3e/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 35d90455526e0bd9326933f0c907a38d6780727ddcbd4516e29253d66d08abbf

(this sample)

Mirai

sh 652285d260515c08cfe146ebdd2f5a4977ec490a608c57007abcb5b6f4fd4975

URLhaus

https://urlhaus.abuse.ch/url/3783365/

Delivery method

Distributed via web download

Dropping

MD5 b8264a3c5d5897320cf7549c149e0052

Dropping

SHA256 652285d260515c08cfe146ebdd2f5a4977ec490a608c57007abcb5b6f4fd4975

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample