MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f60c1c23bda9eb9213713e8f21470de0da0d4b67b46e6c27c9f8007bafcef74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: 0f60c1c23bda9eb9213713e8f21470de0da0d4b67b46e6c27c9f8007bafcef74
SHA3-384 hash: b5384b6b1efe15291cf38d4c935cd9021141562b23345dc7d8c0a6b73f500bce1bb427f733a7e9ec7c845a2e4bfe3047
SHA1 hash: 1b0f7ca72b59562c541c7942d03a9dbf26c7fa21
MD5 hash: d071d37731eb7e61ffa35079484eb31d
humanhash: oxygen-orange-summer-river
File name: k.php
File size: 19'491 bytes
First seen: 2026-03-07 15:35:37 UTC
Last seen: 2026-03-08 02:25:38 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep 384:AcfxncuxOLnVYMSYzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:JCuQL+YzsP4cbddr7zsP4cbddrk
TLSH T1BD925CB906496C75BBC0CE799F3C7F0CAEE582C42128E39DBA1F39705A2065DC609359
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 2
# of downloads: 58
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph (process tree recovered from the sandbox's execve/clone edge list; pids are from the sandbox run):
3776 /usr/bin/sudo
  3787 /tmp/sample.bin (execve)
    /usr/bin/bash x2 (clone: 3792, 3793)
    /usr/bin/mkdir x7 (execve: 3796, 3799, 3802, 3806, 3809, 3812, 3814)
    /usr/bin/cp x15 (execve: 3816, 3818, 3824, 3826-3831, 3834, 3836, 3839, 3841, 3844, 3846)
    3850 /usr/bin/touch (execve)
    /usr/bin/bash x3 (clone: 3851, 3852, 3853)
    3854 /usr/bin/base64 write-file (execve)
    3859 /usr/bin/bash (execve)
      /usr/bin/bash x2 (clone: 3862, 3863)
      3864 /usr/bin/ls (execve)
      3869 /usr/bin/cat (execve)
      3872 /usr/bin/ls (execve)
      3874 /usr/bin/mkdir (execve)
      3876 /usr/bin/mv (execve)
      3879 /usr/bin/bash (clone)
      3880 /usr/bin/base64 write-file (execve)
      3882 /usr/bin/rm delete-file (execve)
      3884 /usr/bin/ls (execve)
      3887 /usr/bin/bash (clone)
      3888 /usr/bin/base64 write-file (execve)
      3889 /usr/bin/ls (execve)
      3893 /usr/bin/cat (execve)
      3897 /usr/bin/ls (execve)
    3899 /usr/bin/rm delete-file (execve)
    /usr/bin/bash x2 (clone: 3901, 3902)
    3904 /usr/bin/bash (execve)
    3906 /usr/bin/rm (execve)
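The sandbox exports the behavior graph as flat node records ("guuid=<id> pid=<n> <path> [tag]") and edge records ("guuid=<parent> pid=<n>->guuid=<child> pid=<m> execve|clone"), which is hard to read at this size. The following is an added example, not code from MalwareBazaar or from any vendor's tooling: it parses that record format into a process tree, counts execve targets per binary, and flags parents that both wrote a file through base64 and deleted a file through rm, the decode-to-disk-then-clean-up pattern visible in this run. The embedded graph excerpt is constructed in the same format with shortened guuids (an assumption) and a subset of the pids from the run above.

```python
import re
from collections import Counter, defaultdict

# Record format as dumped by the sandbox:
#   node: "guuid=<id> pid=<n> <path> [tag ...]"     tags seen: write-file, delete-file
#   edge: "guuid=<parent> pid=<n>->guuid=<child> pid=<m> <execve|clone>"
NODE_RE = re.compile(r"guuid=(\S+) pid=(\d+) (/\S+)((?: [a-z]+-[a-z]+)*)")
EDGE_RE = re.compile(r"guuid=(\S+) pid=(\d+)->guuid=(\S+) pid=(\d+) (execve|clone)")

# Constructed excerpt (assumption): same record format as the full dump,
# guuids shortened to a1..i1, only a handful of the run's pids kept.
SAMPLE_GRAPH = (
    "%3 "
    "guuid=a1 pid=3776 /usr/bin/sudo "
    "guuid=b1 pid=3787 /tmp/sample.bin "
    "guuid=a1 pid=3776->guuid=b1 pid=3787 execve "
    "guuid=c1 pid=3792 /usr/bin/bash "
    "guuid=b1 pid=3787->guuid=c1 pid=3792 clone "
    "guuid=d1 pid=3796 /usr/bin/mkdir "
    "guuid=b1 pid=3787->guuid=d1 pid=3796 execve "
    "guuid=e1 pid=3854 /usr/bin/base64 write-file "
    "guuid=b1 pid=3787->guuid=e1 pid=3854 execve "
    "guuid=f1 pid=3859 /usr/bin/bash "
    "guuid=b1 pid=3787->guuid=f1 pid=3859 execve "
    "guuid=g1 pid=3899 /usr/bin/rm delete-file "
    "guuid=b1 pid=3787->guuid=g1 pid=3899 execve "
    "guuid=h1 pid=3880 /usr/bin/base64 write-file "
    "guuid=f1 pid=3859->guuid=h1 pid=3880 execve "
    "guuid=i1 pid=3882 /usr/bin/rm delete-file "
    "guuid=f1 pid=3859->guuid=i1 pid=3882 execve"
)


def parse_graph(text):
    """Return (procs, edges): procs maps pid -> (path, [tags]);
    edges is a list of (parent_pid, child_pid, syscall)."""
    procs = {}
    for _guuid, pid, path, tags in NODE_RE.findall(text):
        procs[int(pid)] = (path, tags.split())
    edges = [(int(p), int(c), sc) for _pg, p, _cg, c, sc in EDGE_RE.findall(text)]
    return procs, edges


def exec_counts(procs, edges):
    """Count execve() targets by binary; clone() edges are bash subshells and are skipped."""
    return Counter(procs[c][0] for _p, c, sc in edges if sc == "execve")


def decode_then_delete(procs, edges):
    """Parents (in pid order) that both wrote a file through base64 and deleted a file
    through rm: decode to disk, use it, clean up, as in this run's graph."""
    seen = defaultdict(set)
    for p, c, sc in edges:
        if sc != "execve":
            continue
        path, tags = procs[c]
        if path.endswith("/base64") and "write-file" in tags:
            seen[p].add("base64-write")
        if path.endswith("/rm") and "delete-file" in tags:
            seen[p].add("rm-delete")
    return sorted(p for p, s in seen.items() if s == {"base64-write", "rm-delete"})


def render_tree(procs, edges, root):
    """Indented process tree as a list of lines, children in pid order."""
    children = defaultdict(list)
    for p, c, sc in edges:
        children[p].append((c, sc))
    lines = []

    def walk(pid, depth, how):
        path, tags = procs[pid]
        label = " ".join([str(pid), path, *tags]) + (f" ({how})" if how else "")
        lines.append("  " * depth + label)
        for c, sc in sorted(children[pid]):
            walk(c, depth + 1, sc)

    walk(root, 0, None)
    return lines


if __name__ == "__main__":
    procs, edges = parse_graph(SAMPLE_GRAPH)
    root = min(set(procs) - {c for _p, c, _sc in edges})  # node with no parent
    print("\n".join(render_tree(procs, edges, root)))
    print(exec_counts(procs, edges).most_common())
    print("decode-then-delete parents:", decode_then_delete(procs, edges))
```

Feeding the full dump from the page into parse_graph gives the same tree as the condensed one above; the decode-then-delete check fires for both 3787 and its bash child 3859, which is the behaviour the "Deobfuscate/Decode Files or Information" line below summarises.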
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-07 15:36:43 UTC
File Type: Text (Shell)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
Reads runtime system information
Writes file to tmp directory
Deobfuscate/Decode Files or Information
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Only results from TLP:CLEAR rules are displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research
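The rule's description points at the idiom that also explains the base64 write-file and bash execs in the behaviour graph: a base64 literal decoded in-line and piped to a shell, wrapped in eval or sh -c through $( ), or written to disk and run later. The rule body itself is not reproduced on this page, so the scanner below is an added, independent illustration of that class of check, not the YARA rule and not code from this sample. It also includes the filename-versus-content check behind the "masquerade" tag above (a .php name carrying a shebang). The sample script it scans is constructed for the example and is not the k.php sample.

```python
import base64
import binascii
import re

# "base64 -d" / "--decode" / "-D" (BSD) anywhere on a line is the pivot of the idiom.
DECODE_RE = re.compile(r"\bbase64\s+(?:-d|--decode|-D)\b")
# A base64 literal fed in by echo/printf, quoted or not (minimum length is a tunable).
LITERAL_RE = re.compile(r"(?:echo|printf)\s+(?:-[a-zA-Z]+\s+)?['\"]?([A-Za-z0-9+/=]{8,})['\"]?")


def classify_sink(before, after):
    """Where the decoded bytes go: straight into a shell, into eval / sh -c via $(...),
    or onto disk (the 'base64 write-file' seen in the behaviour graph)."""
    if re.match(r"\s*\|\s*(?:ba|z|da)?sh\b", after):
        return "pipe-to-shell"
    redirect = re.search(r">+\s*(\S+)", after)
    if redirect:
        return "write-to-file:" + redirect.group(1)
    if "$(" in before and re.search(r"\beval\b|\s-c\s", before):
        return "eval-substitution"
    return "unknown"


def decode_literal(token):
    """Strictly decode one base64 literal; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_base64_exec(script):
    """Scan a shell script for inline base64 decode idioms.
    Returns one dict per hit: line number, sink class, decoded payload (or None
    when the input comes from a file rather than an inline literal)."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        hit = DECODE_RE.search(line)
        if not hit:
            continue
        before, after = line[:hit.start()], line[hit.end():]
        literal = LITERAL_RE.search(before)
        findings.append({
            "line": lineno,
            "sink": classify_sink(before, after),
            "payload": decode_literal(literal.group(1)) if literal else None,
        })
    return findings


def extension_mismatch(filename, content):
    """Report a non-script extension carrying a shebang: the sample above is
    named k.php but is a shell script (the 'masquerade' tag on this page)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return content.startswith("#!") and ext not in {"sh", "bash", ""}


# Constructed sample script (assumption): NOT the k.php sample from this page,
# only the idioms the rule description and the behaviour graph point at.
SAMPLE_SCRIPT = """#!/bin/bash
mkdir -p /tmp/.x
echo 'ZWNobyBoZWxsbw==' | base64 -d | bash
echo "aWQ7IHVuYW1lIC1h" | base64 -d > /tmp/.x/run.sh
eval "$(echo bHMgLWxhIC90bXA= | base64 -d)"
base64 -d /tmp/.x/blob > /tmp/.x/bin
echo done
"""

if __name__ == "__main__":
    print("masquerade:", extension_mismatch("k.php", SAMPLE_SCRIPT))
    for finding in find_base64_exec(SAMPLE_SCRIPT):
        print(finding)
```

Decoding the literal is the part worth keeping in any triage script: the decoded payload is what you actually want to read and hash, and strict validation (validate=True) keeps junk tokens from being reported as payloads. A real rule would also need to handle split literals and a decoder other than base64, which this example does not attempt.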

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh  0f60c1c23bda9eb9213713e8f21470de0da0d4b67b46e6c27c9f8007bafcef74  (this sample)

Delivery method: Distributed via web download
