MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 636f7e8a0ff3db0e7da27451cb64e0ab2ff8ea19e9b666ec714b3db879da965a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 636f7e8a0ff3db0e7da27451cb64e0ab2ff8ea19e9b666ec714b3db879da965a
SHA3-384 hash: eb757a9796ea4024edc17bcbd6dbd2e05a8ca87dd7392c0c47147dad1b15c6cb27d3aaab9c31f1f90c4d868711d10f06
SHA1 hash: 78dd53a91fb65e0069acde6eee5ffd9cdb70202b
MD5 hash: eed09dd724455a3f25de44d61176cf74
humanhash: speaker-california-washington-spaghetti
File name:s
Download: download sample
File size:538 bytes
First seen:2026-05-29 05:45:40 UTC
Last seen:2026-05-30 04:22:04 UTC
File type: sh
MIME type:text/x-shellscript
ssdeep 12:ZFl/Q7xK+ITTyARD/bbKLCvdwYVo4FGSjVMB2LwG:Xt+dARrrlwY3Dj+W
TLSH T1FDF0C0FAF8F193E0274D0094741950FE6166CC7D291CF9C490468D74604B2BDF67B366
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter BlinkzSec
URLMalware sample (SHA256 hash)SignatureTags
https://154.89.148.115/un/an/aelf ua-wget

Intelligence

File Origin
# of uploads :
2
# of downloads :
56
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-05-29T03:02:00Z UTC
Last seen:
2026-05-30T23:06:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/636f7e8a0ff3db0e7da27451cb64e0ab2ff8ea19e9b666ec714b3db879da965a/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/b9e2d50f-16b3-4d17-8eea-792c38ddfa77
Behavior Graph:
Download SVG
%3 guuid=4512e1ea-1600-0000-105a-1e34730b0000 pid=2931 /usr/bin/sudo guuid=809a7aed-1600-0000-105a-1e34790b0000 pid=2937 /tmp/sample.bin guuid=4512e1ea-1600-0000-105a-1e34730b0000 pid=2931->guuid=809a7aed-1600-0000-105a-1e34790b0000 pid=2937 execve guuid=c0f118ee-1600-0000-105a-1e347a0b0000 pid=2938 /usr/bin/bash zombie guuid=809a7aed-1600-0000-105a-1e34790b0000 pid=2937->guuid=c0f118ee-1600-0000-105a-1e347a0b0000 pid=2938 clone guuid=b3f935ee-1600-0000-105a-1e347b0b0000 pid=2939 /usr/bin/curl net send-data write-file guuid=c0f118ee-1600-0000-105a-1e347a0b0000 pid=2938->guuid=b3f935ee-1600-0000-105a-1e347b0b0000 pid=2939 execve guuid=118408d2-1700-0000-105a-1e34d20c0000 pid=3282 /usr/bin/chmod guuid=c0f118ee-1600-0000-105a-1e347a0b0000 pid=2938->guuid=118408d2-1700-0000-105a-1e34d20c0000 pid=3282 execve guuid=a89252d2-1700-0000-105a-1e34d40c0000 pid=3284 /usr/bin/bash guuid=c0f118ee-1600-0000-105a-1e347a0b0000 pid=2938->guuid=a89252d2-1700-0000-105a-1e34d40c0000 pid=3284 clone guuid=4c4679d2-1700-0000-105a-1e34d70c0000 pid=3287 /usr/bin/bash guuid=c0f118ee-1600-0000-105a-1e347a0b0000 pid=2938->guuid=4c4679d2-1700-0000-105a-1e34d70c0000 pid=3287 clone bef82f23-f759-5cbe-beea-f2da093ad702 154.89.148.115:443 guuid=b3f935ee-1600-0000-105a-1e347b0b0000 pid=2939->bef82f23-f759-5cbe-beea-f2da093ad702 send: 778B guuid=bcafedd2-1700-0000-105a-1e34d90c0000 pid=3289 /usr/bin/bash guuid=4c4679d2-1700-0000-105a-1e34d70c0000 pid=3287->guuid=bcafedd2-1700-0000-105a-1e34d90c0000 pid=3289 clone
Score:
6%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/636f7e8a0ff3db0e7da27451cb64e0ab2ff8ea19e9b666ec714b3db879da965a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/636f7e8a0ff3db0e7da27451cb64e0ab2ff8ea19e9b666ec714b3db879da965a/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/636f7e8a0ff3db0e7da27451cb64e0ab2ff8ea19e9b666ec714b3db879da965a
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-05-29 05:45:00 UTC
File Type:
Text (Shell)
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mnxx5cqp6pnq47ncori4wzhavmx7r2qz5g3gn3drjm63q6o2szna._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery linux
Link:
https://tria.ge/reports/260529-gf4veadt3l/
Behaviour
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/636f7e8a0ff3db0e7da27451cb64e0ab2ff8ea19e9b666ec714b3db879da965a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 636f7e8a0ff3db0e7da27451cb64e0ab2ff8ea19e9b666ec714b3db879da965a

(this sample)

php macho 2d43717af3a2ab65e79f0bd1c97242e4c2f1823059b28fdaa0f1821012dcd926

  
URLhaus
https://urlhaus.abuse.ch/url/3855029/
  
Delivery method
Distributed via web download
  
Dropping
MD5 4c122a63ce31fd557a8bca9568c415f0
  
Dropping
SHA256 2d43717af3a2ab65e79f0bd1c97242e4c2f1823059b28fdaa0f1821012dcd926

Comments