MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 523acd0e37faf5898ba397001cab4658de45d8742760c6eb23797e222deaafef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 523acd0e37faf5898ba397001cab4658de45d8742760c6eb23797e222deaafef
SHA3-384 hash: 8c303878c600dced2d8c300a57bb514048b4242dbd100f232bda188680fbf6f081d9c81beeff523a29e6e691e77300d8
SHA1 hash: 3812a05f51ac5ca3509b8fdef67b52913e00ec17
MD5 hash: 3c02dc988369b983e7bd55ea1a8678fe
humanhash: bravo-black-high-maine
File name: k.php
Download: download sample
File size: 19'499 bytes
First seen: 2026-03-13 14:21:30 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:sDcuQpWx+BL0SWL0gRzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:sD8i+BL0SI0WzsP4cbddr7zsP4cbddrk
TLSH: T103924CB512896C79FBD1CE399F3C7F4CADE8C2C42124A3ACBA4F39205A1166DC70535A
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin

# of uploads: 1
# of downloads: 72
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph: (rendered process graph not reproduced; processes shown: /usr/bin/sudo launches /tmp/sample.bin, which spawns /usr/bin/bash, /usr/bin/mkdir, /usr/bin/cp, /usr/bin/touch, /usr/bin/base64 (write-file) and /usr/bin/rm (delete-file); a child /usr/bin/bash in turn runs /usr/bin/ls, /usr/bin/cat, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/base64 (write-file) and /usr/bin/rm (delete-file))
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-13 14:22:16 UTC
File Type: Text (Shell)
AV detection: 9 of 23 (39.13%)

Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  Writes file to tmp directory
  Deobfuscate/Decode Files or Information

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 523acd0e37faf5898ba397001cab4658de45d8742760c6eb23797e222deaafef (this sample)

Delivery method: Distributed via web download

Comments