MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 a4caf78137e6ced7c4dc51149cedb1f8d94c5447d4ccf525e2b785a9904f0c2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 7
| SHA256 hash: | a4caf78137e6ced7c4dc51149cedb1f8d94c5447d4ccf525e2b785a9904f0c2f |
|---|---|
| SHA3-384 hash: | 9e5eeeb80779d5ea67e874a113dbc46e0e7c40a7edd375c28ef7753a749e357f727645c3ed0b2b05272de204e8c8ace8 |
| SHA1 hash: | 860dcbc4828e84bb47ac52af56f90a49337b0016 |
| MD5 hash: | 2e248349256cfdf07cccacd6582b54a8 |
| humanhash: | spaghetti-ink-foxtrot-maryland |
| File name: | w.sh |
| Download: | download sample |
| File size: | 1'223 bytes |
| First seen: | 2025-09-06 14:44:34 UTC |
| Last seen: | Never |
| File type: | sh |
| MIME type: | text/plain |
| ssdeep | 24:FdIdOoWldIdjldIdxNIfldIdAK9ldId6ldIdxldIdLTDk1ldIdo0ldIdTlldId2R:zwfFcpi8SwIl/Vsg |
| TLSH | T19621A4EF337D85105B190AC03076442461CAC7D336989785F36C50727E9DADCBE22E1A |
| Magika | txt |
| Reporter |  abuse_ch |
| Tags: | sh |
Shell script dropper
This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.
| URL | Malware sample (SHA256 hash) | Signature | Tags |
|---|---|---|---|
| http://41.216.189.108/00101010101001/sora.arm | n/a | n/a | elf ua-wget |
| http://41.216.189.108/00101010101001/sora.arm5 | n/a | n/a | elf ua-wget |
| http://41.216.189.108/00101010101001/sora.arm6 | n/a | n/a | elf ua-wget |
| http://41.216.189.108/00101010101001/sora.arm7 | n/a | n/a | elf ua-wget |
| http://41.216.189.108/00101010101001/sora.m68k | n/a | n/a | elf ua-wget |
| http://41.216.189.108/00101010101001/sora.mips | n/a | n/a | elf ua-wget |
| http://41.216.189.108/00101010101001/sora.mpsl | n/a | n/a | elf ua-wget |
| http://41.216.189.108/00101010101001/sora.ppc | n/a | n/a | elf ua-wget |
| http://41.216.189.108/00101010101001/sora.sh4 | n/a | n/a | elf ua-wget |
| http://41.216.189.108/00101010101001/sora..spc | n/a | n/a | n/a |
| http://41.216.189.108//sora.x86 | n/a | n/a | n/a |
| http://41.216.189.108/00101010101001/sora.x86_64 | n/a | n/a | elf ua-wget |
Intelligence
File Origin
# of uploads :
1
# of downloads :
30
Origin country :
DEVendor Threat Intelligence
Detection(s):
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Verdict:
Malicious
File Type:
ps1
First seen:
2025-09-06T12:02:00Z UTC
Last seen:
2025-09-06T12:02:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.cl HEUR:Trojan-Downloader.Shell.Agent.c
Status:
terminated
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Verdict:
Malicious
Threat:
Linux.Downloader.Generic
Threat name:
Linux.Trojan.Vigorf
Status:
Malicious
First seen:
2025-09-06 14:48:29 UTC
File Type:
Text (Shell)
AV detection:
17 of 38 (44.74%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
3/10
Tags:
n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
sh a4caf78137e6ced7c4dc51149cedb1f8d94c5447d4ccf525e2b785a9904f0c2f
(this sample)
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.