MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b1bbdd2dd4dd3430af4e06fb05a9b412de8c18b22f71a4cfe4d6822d2f4c2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	c0b1bbdd2dd4dd3430af4e06fb05a9b412de8c18b22f71a4cfe4d6822d2f4c2b
SHA3-384 hash:	fb450bb82843f33fbc1b4dbfe43bf66303ea62f6afe025ca7f1923ad7531afe0c78e02a11e72f51f9bcaed073fb5606c
SHA1 hash:	897965ad007c252df52b8ac0aa28f353c29bd38e
MD5 hash:	882ef5270dafae69332bcf44314b4c9c
humanhash:	april-don-bacon-bravo
File name:	android.sh
Download:	download sample
File size:	1'178 bytes
First seen:	2026-05-21 21:57:24 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:q0I0e0kNIc/0nKyS50I5Nl5u5S0uWMoS0bzXp0ETde2deFTdS0DwI0bKAJv02zM9:q0I0e06/0nc0I5b5u5S0uWMoS0bzXp0Z
TLSH	T19121C2CE60F0B1078068CE1434A3E5817004CBDB92AA5F39FDB95B73C5C6A44F128B8A
Magika	csv
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.139.188/2s3dkw7s/atbtjft.arm	n/a	n/a	arm elf ua-wget
http://176.65.139.188/2s3dkw7s/wyszztw.arm5	n/a	n/a	arm elf ua-wget
http://176.65.139.188/2s3dkw7s/iztsowy.arm6	n/a	n/a	arm elf ua-wget
http://176.65.139.188/2s3dkw7s/iwhcwck.arm7	n/a	n/a	arm elf ua-wget
http://176.65.139.188/2s3dkw7s/uagkrww.aarch64	n/a	n/a	arm elf ua-wget
http://176.65.139.188/2s3dkw7s/nbhpcpg.mips	n/a	n/a	elf mips ua-wget
http://176.65.139.188/2s3dkw7s/edykljw.mpsl	n/a	n/a	elf mips ua-wget
http://176.65.139.188/2s3dkw7s/einqgiy.mips64	n/a	n/a	elf mips ua-wget
http://176.65.139.188/2s3dkw7s/tpprwsu.ppc	n/a	n/a	elf PowerPC ua-wget
http://176.65.139.188/2s3dkw7s/ljwqgms.x86_64	n/a	n/a	elf ua-wget x86
http://176.65.139.188/2s3dkw7s/znebtbj.i686	n/a	n/a	elf ua-wget x86
http://176.65.139.188/2s3dkw7s/iovmytx.i586	n/a	n/a	elf ua-wget x86
http://176.65.139.188/2s3dkw7s/lduhsjo.i486	n/a	n/a	elf ua-wget x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6a0f7fca056ea44c4537b19c/reports/ad4392fa-10d2-4d7b-ab44-4eb0fc640416/overview

Verdict:

Malicious

File Type:

ps1

First seen:

2026-05-21T19:05:00Z UTC

Last seen:

2026-05-22T03:57:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.cl

Link:

https://opentip.kaspersky.com/c0b1bbdd2dd4dd3430af4e06fb05a9b412de8c18b22f71a4cfe4d6822d2f4c2b/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/684f78fd-b5fa-45ea-af2c-1254962d95a1

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c0b1bbdd2dd4dd3430af4e06fb05a9b412de8c18b22f71a4cfe4d6822d2f4c2b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c0b1bbdd2dd4dd3430af4e06fb05a9b412de8c18b22f71a4cfe4d6822d2f4c2b/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/c0b1bbdd2dd4dd3430af4e06fb05a9b412de8c18b22f71a4cfe4d6822d2f4c2b

Threat name:

Script.Trojan.Heuristic

Status:

Malicious

First seen:

2026-05-21 21:58:36 UTC

File Type:

Text (Shell)

AV detection:

11 of 24 (45.83%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ycy3xxjn2totimfpjydpwbnjwqjn5daywixxdjgp4tlieljpjqvq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260521-1t7b8sat6k/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c0b1bbdd2dd4dd3430af4e06fb05a9b412de8c18b22f71a4cfe4d6822d2f4c2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh