MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76bad9d18efdc2fcaac1f8b32d1d34e3c05577f80d85cc6ae453e3e887bc4260. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown


Vendor detections: 6



SHA256 hash: 76bad9d18efdc2fcaac1f8b32d1d34e3c05577f80d85cc6ae453e3e887bc4260
SHA3-384 hash: edb55a53a7c7b4441c1f09222e168b3e100445d99aa308dcaa155fd2587309a5e0e21297688dfbb09f1b23c785b99ffb
SHA1 hash: ee7de2b7e05376fa42b2581781b4173a027a829c
MD5 hash: 1f384ed24caeba8444fa54cf411a4d36
humanhash: michigan-sink-don-orange
File name: sm
File size: 171 bytes
First seen: 2025-11-02 15:32:57 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 3:zBMXBgHrwVoyGjhLEgWMV7GBzSEyLTUWRINSXhLEgWVaBzSE8eUs5oIj:tfLwVIjhiMVCItXhiod3
TLSH: T1F6C0129705512780418CFA7E76BB062E504193C4221787ADFCD800368188814B021A06
Magika: txt
Reporter: abuse_ch
Tags: sh

URL | Malware sample (SHA256 hash) | Signature | Tags
http://45.90.236.17/mipsn/an/aelf | | | ua-wget
http://45.90.236.17/mpsln/an/aelf | | | ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 37
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-11-02T13:05:00Z UTC
Last seen: 2025-11-02T13:24:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph (process tree, edge type -> child pid and image):
pid 1071 /usr/bin/sudo
    execve -> pid 1072 /tmp/sample.bin
        execve -> pid 1073 /usr/bin/mkdir
        execve -> pid 1074 /usr/bin/wget (net, send-data) -> 45.90.236.17:80, send: 131B
        execve -> pid 1075 /usr/bin/chmod
        clone  -> pid 1076 /usr/bin/dash
        execve -> pid 1077 /usr/bin/rm
        execve -> pid 1078 /usr/bin/wget (net, send-data) -> 45.90.236.17:80, send: 131B
        execve -> pid 1079 /usr/bin/chmod
        clone  -> pid 1080 /usr/bin/dash
        execve -> pid 1081 /usr/bin/rm
Threat name: Script-Shell.Downloader.Heuristic
Status: Malicious
First seen: 2025-11-02 15:38:30 UTC
File Type: Text (Shell)
AV detection: 5 of 23 (21.74%)
Threat level: 2/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 76bad9d18efdc2fcaac1f8b32d1d34e3c05577f80d85cc6ae453e3e887bc4260 (this sample)

Delivery method: Distributed via web download

Comments