MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7941fb5f95afea26f508570552724ba45d74b0e141ab9aeed245140b9b921d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: d7941fb5f95afea26f508570552724ba45d74b0e141ab9aeed245140b9b921d0
SHA3-384 hash: 3ff7dacdadf4723e48b5bf3c27456f872403086c0bba78297aa30280490577c1389b99a583cf2299c172f6048e4b3b94
SHA1 hash: e45eb5da2ff067714ec7ec075998cd7426ff6919
MD5 hash: 0b4337857af30681ba668c0cd283b9c7
humanhash: black-chicken-solar-cold
File name: w.sh
File size: 942 bytes
First seen: 2025-10-02 05:50:37 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:c/D//D4Yz/DpNI74/DZKI/DU+Ic/D5jN/DTTV/Dcl0/D9tp/Di0/Dfz/Drn:KDnD4YrDEmDZRDBIKD5ZDH1D1DNDiyDb
TLSH: T16A1160CF926073364D485E287069942880249DD17A9A8FDEEF9C4CF2E9DD9507236E2C
Magika: asm
Reporter: abuse_ch
Tags: sh
IOCs (URL / Malware sample (SHA256 hash) / Signature / Tags)

Intelligence

File Origin
# of uploads: 1
# of downloads: 38
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph (rendered process graph omitted; recoverable structure only): /usr/bin/sudo (pid 3720) execve /tmp/sample.bin (pid 3730); the sample then runs twelve rounds of /usr/bin/busybox (net send-data, each sending 90 to 93 bytes to 139.162.143.187:80), /usr/bin/chmod (execve) and /usr/bin/dash (clone), and finally execs /usr/bin/rm (delete-file, pid 3843).
Threat name: Linux.Trojan.Egairtigado
Status: Malicious
First seen: 2025-10-02 05:51:47 UTC
File Type: Text (Shell)
AV detection: 18 of 38 (47.37%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh d7941fb5f95afea26f508570552724ba45d74b0e141ab9aeed245140b9b921d0 (this sample)

Delivery method: Distributed via web download

Comments