MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5bf4a35100631b61962bb8bc6313ff56261164d658f8f83961f6c172cbbb8e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	d5bf4a35100631b61962bb8bc6313ff56261164d658f8f83961f6c172cbbb8e7
SHA3-384 hash:	8006fa169cb405b4b4cecce2faa89648d9102db7f34d295006defa0c8e1e98db1baefb595f15831923084b5f2aa204c4
SHA1 hash:	659c7b225d7c60a6d7fcc000a5d76d9075ab849e
MD5 hash:	4c4bdf496ce0aec96867b743ecd94723
humanhash:	mars-lamp-sad-edward
File name:	kt.sh
Download:	download sample
File size:	338 bytes
First seen:	2025-03-15 00:18:40 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	6:uf2y9KpLGCMf2y9Bej7FGFd8/1RB9LF9KhFGFd8YIhRB9LF9KhFGFd8AB9LF9q:GAGCMnBgBSdc7LLF9CSdlI3LLF9CSdrG
TLSH	T11BE086CA3845145B8C07CD44785B8D26B945E1ED60C19FA83AF73C3A51B9E0A3D1AFC8
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://87.120.253.44/re.bot.arm7	07ef12e0741251ae867210ed7db52419181baefa7981075d41afcbd7567bd3d2	Mirai	ddos elf mirai
http://87.120.253.44/re.bot.arm5	n/a	n/a	ddos elf mirai
http://87.120.253.44/re.bot.arm	n/a	n/a	ddos elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67d4e15c3962f1a6f47170b1linux22vpnfull_triage

Tags:

downloader agent hype

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/67d4c7c50a7899f35796d2a2/reports/3c7d352d-5a80-4a07-aaaa-c28817851b31/overview

Result

Verdict:

UNKNOWN

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/d5bf4a35100631b61962bb8bc6313ff56261164d658f8f83961f6c172cbbb8e7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d5bf4a35100631b61962bb8bc6313ff56261164d658f8f83961f6c172cbbb8e7/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2w7uuniqayy3mglcxof4mmj76vrgcfsnmwhy7a4wd5wbolf3xdtq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250315-ampkqsvny2/

Behaviour

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d5bf4a35100631b61962bb8bc6313ff56261164d658f8f83961f6c172cbbb8e7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh d5bf4a35100631b61962bb8bc6313ff56261164d658f8f83961f6c172cbbb8e7

(this sample)

elf 39b8e60216321522f71e2150c49b452c104a025d7a102001da1b7360dfb970cd

URLhaus

https://urlhaus.abuse.ch/url/3477731/

Delivery method

Distributed via web download

Dropping

MD5 d7f2fb5faaff7bb86c9acdc2d6f35e85

Dropping

SHA256 39b8e60216321522f71e2150c49b452c104a025d7a102001da1b7360dfb970cd

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample