MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5950efa34c1c1301ecbca1786e192e3608b6e8aff63abc1a82f1891b900f177. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	b5950efa34c1c1301ecbca1786e192e3608b6e8aff63abc1a82f1891b900f177
SHA3-384 hash:	d481222aa5d5d09c6ea82fa6c49a4870a8e44907189e9bdd3f6587ad8738e66cbc81d7da474c77138cf2d30ae81a7144
SHA1 hash:	af3f53fa8e1bd47ea39b353195f3892406c85f6a
MD5 hash:	705aa9db6e229d4c7f6e4a2ab29f89e4
humanhash:	spaghetti-california-wolfram-delaware
File name:	dl17
Download:	download sample
File size:	7'581 bytes
First seen:	2025-05-04 11:46:44 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	96:+H4ysXRhgdI4mk8fiDi0digXihXBKYNWdyi6FoD4kBcBvYr0yOge+aLsR:+1e/xiohE
TLSH	T149F1A3CC02E541316447375FBBD42BA4CC9813B17CB70F96F891CB8869B0998F66AA7D
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://31.170.22.205/bins/whisper.armv5	55d6cc5c314be3c2c988a797eeed584c7844549513e5eb9106a3a266f5c9c527	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.armv6	2b4c87240aaf767982d676933e628f8bf2957c931d906a90c88ccf3a18dc55ce	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.armv7	e97da696893a2a090ac962789c524119aacab5583df1f2074c081295a0f582e3	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.aarch64	38b7cbe9ff53cec015d67d04da59bcced70fae6c7e1d15baf95abc34035cc862	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.aarch64be	5b489dfd7395de9106468d7b92374c56d30af994b4ea06be6c77e98ba540cf6a	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.arcle750d	6001350ab65adfd7a9e0fca7560c49fc5d8f6e96939f1bdb630599e5fb902a14	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.arclehs38	1a3c8f2dbd32b05b5dc1c7ebd3b5cdaaf24fb5296978e6061671edca802a41f4	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.mips	3d0ff85391334a8130b92bf85bb1b760f7f060508a5bfaab3ff7eb9a2ca53b0a	DDoSAgent	DDoSAgent elf mirai opendir
http://31.170.22.205/bins/whisper.mips64	b8c1191781c9feb322cfcacf40f4f1d207a09af4d786e26a7455e8a36afd4a1c	DDoSAgent	DDoSAgent elf mirai opendir
http://31.170.22.205/bins/whisper.mips64le	527a822afceebc65d8926a1dd0c3c97862f3e114db26f104797c58f45a2e609c	DDoSAgent	DDoSAgent elf mirai opendir
http://31.170.22.205/bins/whisper.mips64len32	c6a1cd7348531c4c0db50ecf21f64e444b33a3ff194ed55a467adb938ec22408	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.mips64n32	90676d5a951bfb339c20472a0d3ff253767268f54be520eb6410522eeba9741e	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.mipsle	e479f82af03dd6087f688cd398fc792a6443e362c9a36348ab53a3f6ddc591a2	DDoSAgent	DDoSAgent elf mirai opendir
http://31.170.22.205/bins/whisper.riscv32	45ca399bc539910e391f87bb398acac0f5c47410acb0d329ea3bf82406b3c189	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.riscv64	84dbcc96a5ede7cb185d06f1116aee3bbe07e85ab020e86b5d4bfa9dcc6e60e1	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.m68k	c304b1825bfe337bc1801440ca0bb1cda35aa96672d60952b852a5b2e3255f06	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.sh4	n/a	n/a	elf
http://31.170.22.205/bins/whisper.i686	2ba541b4a6c62619d785852c86d67829118e70a52105ef37f32010aecb64784b	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.x64	11742623bba0e1ca221814a36cd8239be94898c59fcc61c1328a6230a9981219	DDoSAgent	DDoSAgent elf mirai opendir
http://31.170.22.205/bins/whisper.powerpc440fp	197455fb6ac704dea344ee392427a842c243f6919c6886965b9586424b65e00b	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.powerpc64e5500	1033d5f5d215d7df4d05737606f8323406eaeb9c215e1308fe48e77aba6f00f4	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.powerpc64e6500	a97c72cdfb63586cf2bbf84c6839b38eaf7af1a474d6f5f27af0b11f7140f067	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.powerpc64lepower8	4d5ef555aac80b752223c279e28e49de774e1a68309e426095c52690a105f313	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.powerpc64power8	e3ed9343357d6cb963060d7908aa2637165f89cf21a4eb8f7538bb2ddb79e54f	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.powerpce300c3	95d23e5693047c429dcf68baf9141ee074a578d08d434f6e1ae520374d0c7928	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.powerpce500mc	189b5636d5a9a46a6ed38a7fdcd6b4f063fd7abc292363ff9ef7ac77852eae49	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.sparc	25bf2d5845b6d3497bbceeeda40ba99a78e27f8ca88ec2efb690d919b4c5b8f6	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.sparc64	0e7338e304ae5c960e232d80d98edb0a281d03c974ab13c6de4b0596fd0557c9	DDoSAgent	DDoSAgent elf
http://31.170.22.205/bins/whisper.armv4	n/a	n/a	elf

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Clean

Score:

89.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6817a0448474cc94a4e3e172linux22vpnfull_triage

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox

Link:

https://www.filescan.io/uploads/681753b9c7418694c8a512fc/reports/95efa9b2-cb45-4841-a40e-149cea099f27/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/b5950efa34c1c1301ecbca1786e192e3608b6e8aff63abc1a82f1891b900f177

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/b5950efa34c1c1301ecbca1786e192e3608b6e8aff63abc1a82f1891b900f177

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b5950efa34c1c1301ecbca1786e192e3608b6e8aff63abc1a82f1891b900f177/

Threat name:

Text.Trojan.Generic

Status:

Suspicious

First seen:

2025-05-04 17:09:21 UTC

File Type:

Text (Shell)

AV detection:

4 of 24 (16.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wwkq56ruyhatahwlzilynyms4nqiw3uk75r2xqnif4mjdoia6f3q._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250504-vn67dsxxd1/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b5950efa34c1c1301ecbca1786e192e3608b6e8aff63abc1a82f1891b900f177

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh b5950efa34c1c1301ecbca1786e192e3608b6e8aff63abc1a82f1891b900f177

(this sample)

DDoSAgent

elf 55d6cc5c314be3c2c988a797eeed584c7844549513e5eb9106a3a266f5c9c527

URLhaus

https://urlhaus.abuse.ch/url/3484493/

Delivery method

Distributed via web download

Dropping

MD5 2f4c13a8e22bcca551ce49a5b20245af

Dropping

SHA256 55d6cc5c314be3c2c988a797eeed584c7844549513e5eb9106a3a266f5c9c527

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample