MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd687e9a4440bd98dac021fc4b6db2b230570e3b4839581e76f07fd5175de466. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: bd687e9a4440bd98dac021fc4b6db2b230570e3b4839581e76f07fd5175de466
SHA3-384 hash: 128d7c8232815816a103844c70d90fe10dca77365afd7657bc079aa3cb925ffc6b598ca86082b8e2a4ab56fc9f2aa33e
SHA1 hash: 98bead939398725d61b32d51b89fee37a0c7e4db
MD5 hash: c538eff1056f1a3a5bc50f68b0275bcd
humanhash: bacon-triple-ink-two
File name: zy.sh
File size: 854 bytes
First seen: 2025-06-17 05:28:45 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:GIbr5zOt+MB09WGM0GzktgGy0G5ktgf706ktgY0Pktv:jr5CEA090kck49kskd
TLSH: T160016FCC52728C32EDB15EDAB5224529D48EC4D6718FCDCAE2C90527E49D9043471BBA
Magika: shell
Reporter: abuse_ch
Tags: sh
IOCs (payload URLs referenced by this script and the samples retrieved from them):

URL                             Malware sample (SHA256 hash)                                      Signature  Tags
http://158.51.126.131/narmv5l   42aea37337e2b2cc306bf363b15f7f7cf962b87db3b4d4449d7e13e31d8f434e  Gafgyt     elf gafgyt mirai ua-wget
http://158.51.126.131/narmv7l   89e53d182f78499c985edf7e16c4da4d768b090fe685d92f5b7778ff2748f975  Gafgyt     elf gafgyt mirai ua-wget
http://158.51.126.131/nmips     15c9ec390182a640ee6e36c5ae36f633ea3c76e82a9a0e7b138283c414d15e27  Gafgyt     elf gafgyt mirai ua-wget
http://158.51.126.131/nmipsel   c14f3c5adc33a437a16c0ad651eb6b0e493c6fbcb2ff5d9fd4624666bd4f9034  Gafgyt     elf gafgyt mirai ua-wget

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 60
Origin country: DE

Vendor Threat Intelligence

Status: terminated

Behavior Graph (process tree recovered from the sandbox graph; pids in parentheses, observed actions after the dash):

/usr/bin/sudo (2793)
  /tmp/sample.bin (2795) - execve
    /usr/bin/dash (2796) - clone
      /usr/bin/cat (2797) - execve
      /usr/bin/grep (2798) - execve
      /usr/bin/grep (2799) - execve
      /usr/bin/grep (2800) - execve
      /usr/bin/cut (2802) - execve
    /usr/bin/rm (2805) - execve, delete-file
    /usr/bin/rm (2807) - execve, delete-file
    /usr/bin/rm (2809) - execve, delete-file
    /usr/bin/dash (2811) - clone
      /usr/bin/cp (2812) - execve, write-file
    /usr/bin/dash (2814) - clone
      /usr/bin/chmod (2815) - execve
    /usr/bin/dash (2816) - clone
      /usr/bin/curl (2817) - execve, net, send-data, write-file -> 158.51.126.131:80 (send: 85 B)
    /usr/bin/chmod (2938) - execve
    /usr/bin/dash (2940) - clone
    /usr/bin/dash (2942) - clone
      /usr/bin/curl (2943) - execve, net, send-data, write-file -> 158.51.126.131:80 (send: 85 B)
    /usr/bin/chmod (3072) - execve
    /usr/bin/dash (3074) - clone
    /usr/bin/dash (3079) - clone
      /usr/bin/curl (3080) - execve, net, send-data, write-file -> 158.51.126.131:80 (send: 83 B)
    /usr/bin/chmod (3199) - execve
    /usr/bin/dash (3200) - clone
    /usr/bin/dash (3202) - clone
      /usr/bin/curl (3203) - execve, net, send-data, write-file -> 158.51.126.131:80 (send: 85 B)
    /usr/bin/chmod (3269) - execve
    /usr/bin/dash (3270) - clone
Threat name: Script.Trojan.Multiverze
Status: Malicious
First seen: 2025-06-13 04:37:24 UTC
File Type: Text (Shell)
AV detection: 9 of 38 (23.68%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a

Behaviour
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  sh  bd687e9a4440bd98dac021fc4b6db2b230570e3b4839581e76f07fd5175de466  (this sample)

Delivery method: Distributed via web download

Comments