MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cc41c9a9302463c01ec04dbc01ba89609d1c502f820afffc8cf8a9caf3555b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 0cc41c9a9302463c01ec04dbc01ba89609d1c502f820afffc8cf8a9caf3555b7
SHA3-384 hash: 4719ad98304d269eb80ec8cb7edb7717635ca1580a62997ced814b6e66b82cd6e352f1d408d9422373f91031f9f1bcfb
SHA1 hash: 748fee77015f34f7dd2edcfa12bf59681a98ce00
MD5 hash: a97c2825318bb089f2e4676f4808a355
humanhash: orange-sweet-nebraska-jersey
File name: k.php
File size: 19'491 bytes
First seen: 2026-02-25 13:26:25 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:PVk/xNd9xaBTfJs5P/BzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:PVC/aBTfGpzsP4cbddr7zsP4cbddrk
TLSH: T1E9924B7906497D34F7C1DE799E3C2F0DAEE881C42124E39CFA0F3A215E116ADD60935A
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin

# of uploads: 1
# of downloads: 107
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Result: Gathering data

Verdict: Malicious
File Type: Script
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Script-Shell.Trojan.Heuristic
Status: Malicious
First seen: 2026-02-25 13:27:26 UTC
File Type: Text (Shell)
AV detection: 8 of 36 (22.22%)
Threat level: 2/5

Result

Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux

Behaviour:
- Reads runtime system information
- Writes file to tmp directory
- Deobfuscate/Decode Files or Information
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 0cc41c9a9302463c01ec04dbc01ba89609d1c502f820afffc8cf8a9caf3555b7 (this sample)

Delivery method: Distributed via web download

Comments