MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 410132bb1b0a13ec961311328b5e16e6ab73914f59f043099a0ef2bb95e3eaef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	410132bb1b0a13ec961311328b5e16e6ab73914f59f043099a0ef2bb95e3eaef
SHA3-384 hash:	e5fc0ebbf03e7b2d54ae62054dca3d4617ab28a0ba0c305cfe5947fd24d1ed9159e9df5f8876d48593ab4629a917f3c6
SHA1 hash:	861e06d67d22f6bda8da15ed8a97887fbdca3474
MD5 hash:	23fd5f10523722b5b5dbb618b2e7273c
humanhash:	coffee-march-uncle-pennsylvania
File name:	run.sh
Download:	download sample
File size:	6'032 bytes
First seen:	2025-10-23 17:43:39 UTC
Last seen:	2025-10-24 11:45:53 UTC
File type:	sh
MIME type:	text/plain
ssdeep	96:CVKGRUWli2JMxOvbiB3+uZ5+dRKTBrbwE:h+uZzrbwE
TLSH	T190C1218F20458731DE15CA8EB3F5B234910FA1C373DB9B94B9D94C294EC5C4CA685EA2
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.80.30/xnxnxnxnxnxnxnxnaarch64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnalphaxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnarcxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnarm-gnueabixnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxncskyxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnhppaxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnhppa64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxni386xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnloongarch64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnm68kxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnmicroblazexnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnmipsxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnmips64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnor1kxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnpowerpcxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnpowerpc64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnriscv32xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnriscv64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxns390xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnsh2xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnsh4xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnsparcxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnsparc64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnx86_64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/xnxnxnxnxnxnxnxnxtensaxnxn	n/a	n/a	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

File Type:

text

First seen:

2025-10-23T17:43:00Z UTC

Last seen:

2025-10-23T18:43:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/410132bb1b0a13ec961311328b5e16e6ab73914f59f043099a0ef2bb95e3eaef/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/1af0f1a1-56c2-440f-b8bb-61a600d0cfd5

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/410132bb1b0a13ec961311328b5e16e6ab73914f59f043099a0ef2bb95e3eaef

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/410132bb1b0a13ec961311328b5e16e6ab73914f59f043099a0ef2bb95e3eaef/

Threat name:

Linux.Downloader.Generic

Status:

Suspicious

First seen:

2025-10-23 17:44:34 UTC

File Type:

Text (Shell)

AV detection:

6 of 38 (15.79%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ieatfoy3bij6zfqtceziwxqw42vxhekplhyegcm2b3zlxfpd5lxq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251023-wbfdksgt4a/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/410132bb1b0a13ec961311328b5e16e6ab73914f59f043099a0ef2bb95e3eaef

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 410132bb1b0a13ec961311328b5e16e6ab73914f59f043099a0ef2bb95e3eaef

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3680245/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample