MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 504ff639d048022ef75e96cfcfd320709348daa8ba2b4cab51402a3db9c22221. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 504ff639d048022ef75e96cfcfd320709348daa8ba2b4cab51402a3db9c22221
SHA3-384 hash: 2b2b53f1ad041f9acd1b4274547fab4a4cf471056a2160952bbfdfaa39993dca7eba5dae828c3cc0f12ce784c6a42832
SHA1 hash: 77eae8b7d973d43869f53c22327f43bc1ca3175e
MD5 hash: 2390a80333f306821df6a568f3a93ad0
humanhash: indigo-romeo-three-low
File name:update.sh
Download: download sample
File size:4'284 bytes
First seen:2026-01-09 15:06:41 UTC
Last seen:2026-01-10 01:10:13 UTC
File type: sh
MIME type:text/x-shellscript
ssdeep 48:/L+bva6ysuap1NzV1pLs8sNq8ii1GIrOJwCDtFLQYihBPxxN3nFyYHdyY0lbyt8R:/LV2LH6PNs/DPsnsct8H5h5
TLSH T19F91ACEAFA61A430779F4438278B858185A73E3B2C0478CD348E9C199FBD895A174F76
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:sh

Intelligence

File Origin
# of uploads :
2
# of downloads :
26
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
busybox
Link:
https://www.filescan.io/uploads/696119af30368802bb7de9b8/reports/912c1e52-58ef-4add-93a3-f0281c7d8a1f/overview
Verdict:
Clean
File Type:
unix shell
First seen:
2026-01-09T12:14:00Z UTC
Last seen:
2026-01-09T12:24:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/504ff639d048022ef75e96cfcfd320709348daa8ba2b4cab51402a3db9c22221/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/112bc052-6a15-475a-afe3-31f4485fbce9
Behavior Graph:
Download SVG
%3 guuid=505d8ee4-1600-0000-3276-2fae500e0000 pid=3664 /usr/bin/sudo guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669 /tmp/sample.bin write-file guuid=505d8ee4-1600-0000-3276-2fae500e0000 pid=3664->guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669 execve guuid=3c3cf2e6-1600-0000-3276-2fae560e0000 pid=3670 /usr/bin/bash guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=3c3cf2e6-1600-0000-3276-2fae560e0000 pid=3670 clone guuid=983ac6e7-1600-0000-3276-2fae580e0000 pid=3672 /usr/bin/mkdir guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=983ac6e7-1600-0000-3276-2fae580e0000 pid=3672 execve guuid=af7c46e8-1600-0000-3276-2fae590e0000 pid=3673 /usr/bin/curl net send-data write-file guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=af7c46e8-1600-0000-3276-2fae590e0000 pid=3673 execve guuid=8f0458fd-1600-0000-3276-2fae970e0000 pid=3735 /usr/bin/chmod guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=8f0458fd-1600-0000-3276-2fae970e0000 pid=3735 execve guuid=9785fcfd-1600-0000-3276-2fae9d0e0000 pid=3741 /usr/bin/mkdir guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=9785fcfd-1600-0000-3276-2fae9d0e0000 pid=3741 execve guuid=2c6d8efe-1600-0000-3276-2faea00e0000 pid=3744 /usr/bin/cat write-config guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=2c6d8efe-1600-0000-3276-2faea00e0000 pid=3744 execve guuid=a2d7dbfe-1600-0000-3276-2faea10e0000 pid=3745 /usr/bin/systemctl guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=a2d7dbfe-1600-0000-3276-2faea10e0000 pid=3745 execve guuid=68dfbe37-1700-0000-3276-2fae630f0000 pid=3939 /usr/bin/systemctl guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=68dfbe37-1700-0000-3276-2fae630f0000 pid=3939 execve guuid=eb765a53-1700-0000-3276-2faef70f0000 pid=4087 /usr/bin/systemctl guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=eb765a53-1700-0000-3276-2faef70f0000 pid=4087 execve guuid=9d310657-1700-0000-3276-2fae08100000 pid=4104 /usr/bin/grep guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=9d310657-1700-0000-3276-2fae08100000 pid=4104 execve guuid=91d97457-1700-0000-3276-2fae0a100000 pid=4106 /usr/bin/grep guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=91d97457-1700-0000-3276-2fae0a100000 pid=4106 execve guuid=920cc957-1700-0000-3276-2fae0b100000 pid=4107 /usr/bin/date write-file guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=920cc957-1700-0000-3276-2fae0b100000 pid=4107 execve guuid=e1fe0458-1700-0000-3276-2fae0c100000 pid=4108 /root/.cache/systemd/systemd-helper mprotect-exec net send-data zombie guuid=0cdf42e6-1600-0000-3276-2fae550e0000 pid=3669->guuid=e1fe0458-1700-0000-3276-2fae0c100000 pid=4108 execve guuid=f79719e7-1600-0000-3276-2fae570e0000 pid=3671 /usr/bin/uname guuid=3c3cf2e6-1600-0000-3276-2fae560e0000 pid=3670->guuid=f79719e7-1600-0000-3276-2fae570e0000 pid=3671 execve 21339c78-ce2c-5075-af6d-83c2284591fc 65.109.93.171:1476 guuid=af7c46e8-1600-0000-3276-2fae590e0000 pid=3673->21339c78-ce2c-5075-af6d-83c2284591fc send: 85B 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=e1fe0458-1700-0000-3276-2fae0c100000 pid=4108->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con 504b77a7-fc96-5635-bdb1-3e086b52caf9 127.0.0.1:8345 guuid=e1fe0458-1700-0000-3276-2fae0c100000 pid=4108->504b77a7-fc96-5635-bdb1-3e086b52caf9 send: 4B
Score:
2%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/504ff639d048022ef75e96cfcfd320709348daa8ba2b4cab51402a3db9c22221
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/504ff639d048022ef75e96cfcfd320709348daa8ba2b4cab51402a3db9c22221/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/504ff639d048022ef75e96cfcfd320709348daa8ba2b4cab51402a3db9c22221
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-08 18:53:39 UTC
File Type:
Text (Shell)
AV detection:
3 of 24 (12.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbh7mooqjabc5526s3h47uzaocjurwvixivuzk2riavd3ooceiqq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation upx
Link:
https://tria.ge/reports/260109-shj4kaf19a/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Creates/modifies Cron job
Modifies systemd
Unexpected DNS network traffic destination
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/504ff639d048022ef75e96cfcfd320709348daa8ba2b4cab51402a3db9c22221

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 504ff639d048022ef75e96cfcfd320709348daa8ba2b4cab51402a3db9c22221

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3754608/
  
Delivery method
Distributed via web download

Comments