MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3619fbcb12d39bbc5009f473a25dcfc95b543f67cbdb88ab203bc4259903eab1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7


SHA256 hash: 3619fbcb12d39bbc5009f473a25dcfc95b543f67cbdb88ab203bc4259903eab1
SHA3-384 hash: bdc2daa5af9b6370efb0090127c4504d071a888a51011d0ffd509b99b9e7d6ccd7472a5b9456aa610bec8f17078c5a2c
SHA1 hash: 753950d33a5e9c05e7b8a10a8e0d67c90fc6aa37
MD5 hash: 3764a1f3fa64ebea4863f14a8fc8f27b
humanhash: wolfram-coffee-indigo-eight
File name: k.php
File size: 19'499 bytes
First seen: 2026-03-06 09:47:35 UTC
Last seen: 2026-03-07 03:34:43 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:6BcuQpWx+BL0SWL0gOzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:6B8i+BL0SI0ZzsP4cbddr7zsP4cbddrk
TLSH: T11E924CB512896C79FBD1CE399F3C6F4DADE882C42124A3ACBA0F39215A1166DCB0535D
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 2
# of downloads: 50
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade
Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-06 09:48:22 UTC
File Type: Text (Shell)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour
Reads runtime system information
Writes file to tmp directory
Deobfuscate/Decode Files or Information
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh 3619fbcb12d39bbc5009f473a25dcfc95b543f67cbdb88ab203bc4259903eab1 (this sample)

Delivery method: Distributed via web download

Comments