MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c57b1d31e62a2e4bcbbe3c203bc5872541a83ff02e904f90022181a9a00e8895. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Xorbot

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	c57b1d31e62a2e4bcbbe3c203bc5872541a83ff02e904f90022181a9a00e8895
SHA3-384 hash:	d228f275277fd8af513dd3bb2a224d2bea8acce47318faa904ff990e44b58f6ed7fd65d2d55b2da6479a24eb34cbde82
SHA1 hash:	3d86d820f77b3fa09828463bc345474d1382d317
MD5 hash:	83c4df58416363dc3934996744c94bd7
humanhash:	eight-double-five-red
File name:	.shell
Download:	download sample
Signature	Xorbot Create hunting rule
File size:	211 bytes
First seen:	2025-04-14 08:22:14 UTC
Last seen:	2025-04-15 08:15:06 UTC
File type:	sh
MIME type:	text/plain
ssdeep	3:QnQzanFCKl2X4HMiPPHKMxWPHKMNqRDPHKMaSLM9Kd:lOnFflHMkqMx+qMMqMpM9Kd
TLSH	T184D0C9CDB45564B0D9E0CDB939E1F400619842959DC13B154CC8F8E080A8E0C3948E91
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://87.121.84.214/bins.sh	7e955a8cb51233b3f9cce4d2938ff3dd829dcf4b80e9a215135e6df439355cbd	Xorbot	sh ua-wget Xorbot

Intelligence

File Origin

# of uploads :

2

# of downloads :

125

Origin country :

DE

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67fce34d1dba888a93d371a9linux22vpnfull_triage

Tags:

trojan agent virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/67fcc5ee2201d518c82a7c7e/reports/e036b6bb-ae06-4288-b879-fecf82e97606/overview

Verdict:

Malicious

Labled as:

Linux/TrojanDownloader.SH

Link:

https://www.hybrid-analysis.com/sample/c57b1d31e62a2e4bcbbe3c203bc5872541a83ff02e904f90022181a9a00e8895

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c57b1d31e62a2e4bcbbe3c203bc5872541a83ff02e904f90022181a9a00e8895

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c57b1d31e62a2e4bcbbe3c203bc5872541a83ff02e904f90022181a9a00e8895/

Threat name:

Script.Trojan.Boxter

Status:

Malicious

First seen:

2025-04-14 09:38:13 UTC

File Type:

Text (Shell)

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yv5r2mpgfixexs56hqqdxrmheva2qp7qf2ie7eacega2tiaorckq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250414-ll3lrawsdx/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c57b1d31e62a2e4bcbbe3c203bc5872541a83ff02e904f90022181a9a00e8895

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh c57b1d31e62a2e4bcbbe3c203bc5872541a83ff02e904f90022181a9a00e8895

(this sample)

sh 7e955a8cb51233b3f9cce4d2938ff3dd829dcf4b80e9a215135e6df439355cbd

URLhaus

https://urlhaus.abuse.ch/url/3510689/

Delivery method

Distributed via web download

Dropping

MD5 14fe92196204effcebf383b6c229fa20

Dropping

SHA256 7e955a8cb51233b3f9cce4d2938ff3dd829dcf4b80e9a215135e6df439355cbd

URLhaus

https://urlhaus.abuse.ch/url/3400388/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample