MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 738c670d22ba36c8361681d59711716b71dc08fc7a998002ccc7e23428c53671. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 4



SHA256 hash: 738c670d22ba36c8361681d59711716b71dc08fc7a998002ccc7e23428c53671
SHA3-384 hash: 62707d9001d9d11b4741b21f104f65dde8a20a2f94d9b99875c4745f981fe3906114166806a6dec777f56191b9478964
SHA1 hash: 58a4e59354ae53f28921319f4b47b2807cd84986
MD5 hash: ddb33eb81f51e79e6553dcbf27d9745a
humanhash: whiskey-uranus-east-lemon
File name: za.sh
File size: 2'370 bytes
First seen: 2026-03-17 20:08:38 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:kdIpKr8mO7UZXPeQWw6uiprmuiRnDL3YEAPNo5M:CxO7UZXPeQWw61q9xAPie
TLSH: T1074151E1F971AC76291A4F3F9C8A0269778E05AB84322C10309FA8323B0C5585AEC7D8
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 61
Origin country: DE
Vendor Threat Intelligence

No detections
Status: terminated
Behavior graph (process tree reconstructed from the graph export; bracketed words are the sandbox's per-process annotations, network endpoints are the graph's "con" edges):
  pid 2911  /usr/bin/sudo
    execve -> pid 2918  /tmp/sample.bin  [write-config]
      execve -> pid 2919  /usr/bin/id
      execve -> pid 2920  /usr/sbin/useradd  [delete-file, write-config, write-file]
        clone -> pid 3011, 3012, 3013, 3014, 3015, 3016  /usr/sbin/useradd
      clone  -> pid 3017  /usr/bin/bash
      execve -> pid 3018  /usr/sbin/chpasswd  [write-config]
        clone -> pid 3109, 3110  /usr/sbin/chpasswd
      execve -> pid 3111  /usr/bin/grep
      execve -> pid 3114  /usr/bin/chmod
      execve -> pid 3116  /usr/bin/grep
      execve -> pid 3118  /usr/bin/cat  [write-config]
      execve -> pid 3120  /usr/sbin/sshd  [net]  sockets :::22 and 0.0.0.0:22 (wildcard binds, i.e. sshd listening on all interfaces)
      execve -> pid 3127  /usr/bin/systemctl
      clone  -> pid 3165  /usr/bin/bash  [net, zombie]  endpoint 176.65.139.15:42515
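The behavior graph reaches the page as a flattened Graphviz edge list, which is awkward to read and impossible to grep for indicators. The Python below is an added example, not code from MalwareBazaar or from the sandbox vendor: it rebuilds the process tree from that export and splits the graph's network endpoints into local listeners and remote peers. The embedded input is a verbatim excerpt of this entry's export, trimmed to a few nodes; the record format it assumes (guuid/pid node records followed by a path and tags, execve/clone edges between guuid pairs, uuid-addressed network nodes joined by "con" edges) is inferred from the text shown on the page and is an assumption about the export, not a documented format.

```python
import re

# Verbatim excerpt of this entry's behavior-graph export, trimmed to a few nodes
# so it fits here; the full export on the page lists every child process.
GRAPH_EXPORT = """
%3 guuid=da0e9258-1800-0000-2d53-20d95f0b0000 pid=2911 /usr/bin/sudo
guuid=12881f5a-1800-0000-2d53-20d9660b0000 pid=2918 /tmp/sample.bin write-config
guuid=da0e9258-1800-0000-2d53-20d95f0b0000 pid=2911->guuid=12881f5a-1800-0000-2d53-20d9660b0000 pid=2918 execve
guuid=3d32855b-1800-0000-2d53-20d9680b0000 pid=2920 /usr/sbin/useradd delete-file write-config write-file
guuid=12881f5a-1800-0000-2d53-20d9660b0000 pid=2918->guuid=3d32855b-1800-0000-2d53-20d9680b0000 pid=2920 execve
guuid=026c69cc-1800-0000-2d53-20d9300c0000 pid=3120 /usr/sbin/sshd net
guuid=12881f5a-1800-0000-2d53-20d9660b0000 pid=2918->guuid=026c69cc-1800-0000-2d53-20d9300c0000 pid=3120 execve
guuid=9bdca7d9-1800-0000-2d53-20d95d0c0000 pid=3165 /usr/bin/bash net zombie
guuid=12881f5a-1800-0000-2d53-20d9660b0000 pid=2918->guuid=9bdca7d9-1800-0000-2d53-20d95d0c0000 pid=3165 clone
guuid=65f1b99b-1800-0000-2d53-20d9c30b0000 pid=3011 /usr/sbin/useradd
guuid=3d32855b-1800-0000-2d53-20d9680b0000 pid=2920->guuid=65f1b99b-1800-0000-2d53-20d9c30b0000 pid=3011 clone
88e76a66-5a65-587e-9703-6e80a88be12a :::22
guuid=026c69cc-1800-0000-2d53-20d9300c0000 pid=3120->88e76a66-5a65-587e-9703-6e80a88be12a con
e12ec15f-2baa-59a4-a90e-44935507fc15 0.0.0.0:22
guuid=026c69cc-1800-0000-2d53-20d9300c0000 pid=3120->e12ec15f-2baa-59a4-a90e-44935507fc15 con
48d25faf-288b-5d58-81d4-8f46d52ea596 176.65.139.15:42515
guuid=9bdca7d9-1800-0000-2d53-20d95d0c0000 pid=3165->48d25faf-288b-5d58-81d4-8f46d52ea596 con
"""

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Assumed record shapes (inferred from the page, not a documented format):
#   process node : guuid=<id> pid=<n> /path [tag ...]   (tags are bare lowercase words)
#   process edge : guuid=<id> pid=<n>->guuid=<id> pid=<m> execve|clone
#   network node : <uuid> <host>:<port>
#   network edge : guuid=<id> pid=<n>-><uuid> con
PROC_NODE = re.compile(rf"guuid={UUID} pid=(\d+) (/\S+)((?: [a-z-]+(?= |$))*)")
PROC_EDGE = re.compile(rf"guuid={UUID} pid=(\d+)->guuid={UUID} pid=(\d+) (execve|clone)")
NET_NODE = re.compile(rf"(?<!=)({UUID}) (\S+:\d+)")
NET_EDGE = re.compile(rf"pid=(\d+)->({UUID}) con\b")


def parse_graph(text):
    """Turn the flattened export into {pid: {path, tags, children, net}}."""
    text = " ".join(text.split())  # the export is whitespace-separated; line breaks carry no meaning
    procs = {}
    for m in PROC_NODE.finditer(text):
        procs[int(m.group(1))] = {"path": m.group(2), "tags": m.group(3).split(),
                                  "children": [], "net": []}
    net_nodes = {m.group(1): m.group(2) for m in NET_NODE.finditer(text)}
    for m in PROC_EDGE.finditer(text):
        procs[int(m.group(1))]["children"].append((m.group(3), int(m.group(2))))
    for m in NET_EDGE.finditer(text):
        procs[int(m.group(1))]["net"].append(net_nodes[m.group(2)])
    return procs


def roots(procs):
    """Processes that are nobody's child: the top of each tree."""
    children = {child for p in procs.values() for _, child in p["children"]}
    return sorted(pid for pid in procs if pid not in children)


def render(procs):
    """Indented process tree, one line per process, children ordered by pid."""
    lines = []

    def walk(pid, verb, depth):
        node = procs[pid]
        extra = f" [{', '.join(node['tags'])}]" if node["tags"] else ""
        extra += f" net: {', '.join(node['net'])}" if node["net"] else ""
        lines.append("  " * depth + f"{verb} pid={pid} {node['path']}{extra}")
        for child_verb, child in sorted(node["children"], key=lambda e: e[1]):
            walk(child, child_verb, depth + 1)

    for root in roots(procs):
        walk(root, "root", 0)
    return lines


WILDCARD_HOSTS = {"0.0.0.0", "::"}


def network_iocs(procs):
    """Split endpoints into (pid, path, host, port) listeners on wildcard binds and remote peers."""
    listeners, remotes = [], []
    for pid, node in procs.items():
        for addr in node["net"]:
            host, _, port = addr.rpartition(":")
            target = listeners if host in WILDCARD_HOSTS else remotes
            target.append((pid, node["path"], host, int(port)))
    return listeners, remotes


if __name__ == "__main__":
    tree = parse_graph(GRAPH_EXPORT)
    print("\n".join(render(tree)))
    listeners, remotes = network_iocs(tree)
    print("listeners:", listeners)
    print("remote peers:", remotes)
```

To process the complete graph, paste the whole export into GRAPH_EXPORT; the parser ignores line breaks. The remote-peer list is what goes into a blocklist or a network-detection rule, while wildcard binds from a process the sample spawned (here sshd on port 22) are the host-side indicator to hunt for.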
Threat name: Text.Trojan.Generic
Status: Suspicious
First seen: 2026-03-17 17:45:55 UTC
File Type: Text (Shell)
AV detection: 3 of 24 (12.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: credential_access defense_evasion discovery execution linux persistence privilege_escalation
Behaviour:
  Reads runtime system information
  Writes file to tmp directory
  Creates .desktop file
  Modifies Bash startup script
  Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  Adds a user to the system
  Creates/modifies environment variables
  Modifies sudoers policy
  OS Credential Dumping
  Modifies password files for system users/groups

Please note that we are no longer able to provide a coverage score for VirusTotal.
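The behaviours listed above (an account added, a password set for it, the sudoers policy and a Bash startup script modified) all leave artifacts in a handful of files, so a host can be checked for them without the script itself. The Python below is an added example, not code from MalwareBazaar or the sandbox vendor: it compares the relevant files against a known-good snapshot and flags what the listed behaviours would change. Every file content embedded in it, including the account name support and the path /tmp/.x/agent, is constructed for the example and is not taken from the sample, whose body this page does not show.

```python
import re

# Constructed host snapshots for the example; nothing here is taken from the
# sample. "Before" is a known-good baseline, "after" is what the listed
# behaviours would leave behind: an added account, a password set for it,
# a sudoers grant and a line appended to a shell startup file. The account
# name "support" and the path /tmp/.x/agent are hypothetical.
PASSWD_BEFORE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""
PASSWD_AFTER = PASSWD_BEFORE + "support:x:1001:1001::/home/support:/bin/bash\n"
SHADOW_BEFORE = """root:!:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
alice:$6$saltA$hashA:19800:0:99999:7:::
"""
SHADOW_AFTER = SHADOW_BEFORE + "support:$6$saltB$hashB:20530:0:99999:7:::\n"
SUDOERS_AFTER = """# /etc/sudoers (audit /etc/sudoers.d/* with the same function)
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
support ALL=(ALL) NOPASSWD:ALL
"""
BASHRC_AFTER = """# ~/.bashrc
alias ll='ls -l'
nohup /tmp/.x/agent >/dev/null 2>&1 &
"""


def parse_colon_file(text):
    """Map the first field of each non-comment line of a passwd/shadow-style file to its fields."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def added_accounts(passwd_before, passwd_after):
    """Account names present now but absent from the baseline (what useradd leaves behind)."""
    before = parse_colon_file(passwd_before)
    return sorted(name for name in parse_colon_file(passwd_after) if name not in before)


def uid0_accounts(passwd_text):
    """Accounts other than root that carry UID 0: a second root account is a classic backdoor."""
    return sorted(name for name, f in parse_colon_file(passwd_text).items()
                  if f[2] == "0" and name != "root")


def changed_passwords(shadow_before, shadow_after):
    """Accounts whose shadow hash differs from the baseline, new accounts included (chpasswd)."""
    before = parse_colon_file(shadow_before)
    return sorted(name for name, f in parse_colon_file(shadow_after).items()
                  if f[1] != before.get(name, [None, None])[1])


# who host=(runas) command-spec, e.g. "bob ALL=(ALL) NOPASSWD:ALL"
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$")
SUDO_DIRECTIVES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def nopasswd_sudo_rules(sudoers_text):
    """Principals granted passwordless sudo. '#include' lines are dropped with comments,
    so included files (e.g. /etc/sudoers.d/*) must be passed to this function separately."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(SUDO_DIRECTIVES):
            continue
        m = SUDO_RULE.match(line)
        if m and "NOPASSWD" in m["spec"]:
            hits.append(m["who"])
    return hits


# Heuristic for startup-file tampering: lines that run or fetch something from a scratch
# directory, decode base64, or background a command. Tune for your environment.
STARTUP_SUSPECT = re.compile(r"/tmp/|/dev/shm/|/var/tmp/|\bnohup\b|\bcurl\b|\bwget\b|base64\s+-d|&\s*$")


def suspicious_startup_lines(text):
    """(line number, line) pairs in a shell startup file that match the heuristic above."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith("#") and STARTUP_SUSPECT.search(line)]


def audit(passwd_before, passwd_after, shadow_before, shadow_after, sudoers, bashrc):
    """Run every check and return the findings keyed by behaviour."""
    return {
        "added_accounts": added_accounts(passwd_before, passwd_after),
        "uid0_accounts": uid0_accounts(passwd_after),
        "changed_passwords": changed_passwords(shadow_before, shadow_after),
        "nopasswd_sudo": nopasswd_sudo_rules(sudoers),
        "startup_lines": suspicious_startup_lines(bashrc),
    }


if __name__ == "__main__":
    findings = audit(PASSWD_BEFORE, PASSWD_AFTER, SHADOW_BEFORE,
                     SHADOW_AFTER, SUDOERS_AFTER, BASHRC_AFTER)
    for check, found in findings.items():
        print(f"{check}: {found or 'clean'}")
```

On a live host, feed the functions the current /etc/passwd, /etc/shadow, /etc/sudoers (plus every file under /etc/sudoers.d) and the startup files of root and of any account the first check reports, with the "before" copies coming from a configuration-management baseline or a previous backup. The sandbox run also shows sshd started and systemctl invoked, so the same triage should list listening sockets and recently enabled units; those checks need live system state and are left out of the offline example.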

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  sh 738c670d22ba36c8361681d59711716b71dc08fc7a998002ccc7e23428c53671 (this sample)

Delivery method: Distributed via web download
