MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1c17fd272e164ae3b0f48542309535e50cb96914193af7bba155cbcdc520dae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: e1c17fd272e164ae3b0f48542309535e50cb96914193af7bba155cbcdc520dae
SHA3-384 hash: c8284eef27f35dcab19a29152aa2f8222b75d08cb1d2aef00fcf7499e0a57aad309546dec3fb48530bc9cf0dca141c3b
SHA1 hash: 8b4529535ee438f4d90be0e42bcde90fde922847
MD5 hash: 0898ded55e744303b4bf2185db06d44f
humanhash: steak-avocado-nevada-illinois
File name: w_a.sh
File size: 483 bytes
First seen: 2026-03-16 15:16:51 UTC
Last seen: 2026-03-17 02:32:03 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep 6:hLgjJ5Ja/+YcLN7+Y3JMF/+Ye0IdyJ44Lwy4oO4eGLw+v+YdF/vNnQz2JMIykwFx:lSjkOLZpqjWD5o/8pqF82Q/NiTUQQ
TLSH T1D9F0A00BA04BF02AD04419E8AB61FB66AC30B96B6273CE5C78407A10FFD71347862680
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags: sh

IOCs
URL | Malware sample (SHA256 hash) | Signature | Tags
http://5.175.223.124/n/an/an/a | | |

Intelligence


File Origin
# of uploads: 3
# of downloads: 89
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: soft-404
Status: terminated
Behavior Graph (process tree reconstructed from the graph export; labels such as net, send-data, write-file, delete-file and zombie are the sandbox's own annotations):

/usr/bin/sudo (pid 3723)
  +-- /tmp/sample.bin (pid 3732) [execve]
      +-- /usr/bin/uname (pid 3733) [execve]
      +-- /usr/bin/rm (pid 3737) [execve]
      +-- /usr/bin/wget (pid 3739) [execve] net, send-data, write-file
      |     -> 5.175.223.124:80 (send: 139B)
      +-- /usr/bin/chmod (pid 5264) [execve]
      +-- /home/sandbox/data.x86_64 (pid 5265) [execve] net
      |     -> 8.8.8.8:53 (connect)
      |     +-- /home/sandbox/data.x86_64 (pid 5266) [clone] zombie
      |         +-- /home/sandbox/data.x86_64 (pid 5267) [clone] write-file, zombie
      |             +-- /home/sandbox/data.x86_64 (pid 5270) [clone] net, send-data, zombie
      |                   -> 8.8.8.8:53 (send: 35B)
      |                   -> 45.131.65.74:8082 (send: 14B)
      |                   +-- /home/sandbox/data.x86_64 (pid 5271) [clone] send-data, zombie
      |                   |     -> 0.0.0.0:0 (send: 121B)
      |                   +-- /home/sandbox/data.x86_64 (pid 5272) [clone] net, send-data, write-file
      |                   |     -> 127.0.0.1:30565 (send: 121B)
      |                   +-- /usr/bin/dash (pid 5273) [execve]
      |                   |   +-- /usr/sbin/xtables-nft-multi (pid 5274) [execve]
      |                   +-- /usr/bin/dash (pid 5278) [execve]
      |                       +-- /usr/sbin/xtables-nft-multi (pid 5279) [execve]
      +-- /usr/bin/rm (pid 5268) [execve] delete-file
      +-- /usr/bin/rm (pid 5269) [execve] delete-file
Result
Malware family: n/a
Score: 7/10
Tags: credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Enumerates active TCP sockets
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh e1c17fd272e164ae3b0f48542309535e50cb96914193af7bba155cbcdc520dae (this sample)

Delivery method: Distributed via web download
