MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddb5ff03dc232e15045540e739348b41d53701b23a712137cefbc042c9840714. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: ddb5ff03dc232e15045540e739348b41d53701b23a712137cefbc042c9840714
SHA3-384 hash: 7d1f1e1af25efa7659cec73786667dfc0cec32455bb5d049c6faa0970d7e2dbae4a43adaf09c9e56c51c5f662d33e010
SHA1 hash: 2a9e862eb0350e24a0886c3c492f19794ea8ac27
MD5 hash: 94ec905c348821e2bf1604b2a66bfbdf
humanhash: friend-delaware-aspen-utah
File name: ok
File size: 1'584 bytes
First seen: 2026-06-20 08:51:06 UTC
Last seen: 2026-06-21 04:20:17 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 12:UGW6GDa896lyI6lyIQqv6djp6r6H5wP1x6P1V1tP46P69Rk6sdEy6EIwAxP6xUSa:Ga89YcujQo5om3PWGlegr4FICb0OF
TLSH: T12B3160EA11102D355342C9CEB7B3318D744CC5EB6C9BD3A4D8490EE9829C9CC72A5FA4
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags

Intelligence


File Origin
# of uploads: 3
# of downloads: 59
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
File Type: unix shell
First seen: 2026-06-20T06:00:00Z UTC
Last seen: 2026-06-20T07:32:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2026-06-20 08:52:30 UTC
File Type: Text (Shell)
AV detection: 10 of 24 (41.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux
Behaviour:
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh ddb5ff03dc232e15045540e739348b41d53701b23a712137cefbc042c9840714 (this sample)

Delivery method
Distributed via web download

Comments