MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b79ad41c1b291d442227c4b658174f35296d0789a661a4bc334f31e6db8d2fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: 5b79ad41c1b291d442227c4b658174f35296d0789a661a4bc334f31e6db8d2fd
SHA3-384 hash: 2b34b3d16ab9b418224e2497245ddbbf1432c8f9139df82e99c8133bd5f34d21d22215452fff386de60e9da5c28b73c5
SHA1 hash: d9f44f193a8945737837a91d5ef1ec23d4c08d3e
MD5 hash: bb7774148564840e4227e642abb44f75
humanhash: wisconsin-don-september-timing
File name: ftpget.sh
File size: 544 bytes
First seen: 2026-02-17 14:09:53 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:bi8T75T7eb7IQIodKPoBwhF7mCBmna0LK27:b3T9TKb7PfdKPoBwhRmKmBK27
TLSH: T1EDF01DAC3FF26E7785705D69B02606A6E21BB08C4CA78A98A42E542E8677B40F310905
Magika: txt
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 48
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: busybox
Status: terminated

Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
sh 5b79ad41c1b291d442227c4b658174f35296d0789a661a4bc334f31e6db8d2fd (this sample)

Delivery method
Distributed via web download

Comments