MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22e1b7f62eef7a61d8d3e8511453c2a5a40ee994e7a53295db533bbab410dd83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 22e1b7f62eef7a61d8d3e8511453c2a5a40ee994e7a53295db533bbab410dd83
SHA3-384 hash: bca27bda121abcf00a786a664a83d668e73e57e9f3501ef002b23b0dc70538ac4a8a4d7d635c0cf7c69b4644f7f4c6b5
SHA1 hash: b68228bd06846c3b127dead726f190b2c79f3ee3
MD5 hash: 406d3b896e179d3b5d7080f8fb8d447d
humanhash: hamper-montana-delta-whiskey
File name: k.php
Download: download sample
File size: 19'499 bytes
First seen: 2026-03-16 02:26:06 UTC
Last seen: 2026-03-16 04:50:48 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:TicuQpWx+BL0SWL0gszsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:Ti8i+BL0SI0fzsP4cbddr7zsP4cbddrk
TLSH: T174924CB512896C79FBD0CE39AF3C6F4DADE8C2C42124A3ADBA4F39205A1166DC705359
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 2
# of downloads: 72
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph: (rendered process graph; the raw node/edge dump is omitted here. The root node is /usr/bin/sudo executing /tmp/sample.bin, which spawns /usr/bin/bash children and execve's mkdir, cp, touch, base64 (write-file), ls, cat, mv and rm (delete-file).)
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-16 02:26:36 UTC
File Type: Text (Shell)
AV detection: 11 of 24 (45.83%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
Reads runtime system information
Writes file to tmp directory
Deobfuscate/Decode Files or Information

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Sample: sh 22e1b7f62eef7a61d8d3e8511453c2a5a40ee994e7a53295db533bbab410dd83 (this sample)
Distributed via web download

Comments