MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b3ead35a73cf214b6b0063fecb647871deb5b0fe83984b3fcbcccd59222e416. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 5b3ead35a73cf214b6b0063fecb647871deb5b0fe83984b3fcbcccd59222e416
SHA3-384 hash: 6e097782b1adcbdce1bd3d85f241eb3e303633e0ac00156437a9c4dc238a125252e4a75c5ea308db9930fdf728d0798f
SHA1 hash: 1b4aa3b0948554c9f41d906ed821b151ef4a539c
MD5 hash: c5a7a736ba390d1414df250b355face6
humanhash: magnesium-orange-fillet-bulldog
File name: k.php
File size: 19'499 bytes
First seen: 2026-03-19 21:54:09 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:6rcuQpWx+BL0SWL0g0zsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:6r8i+BL0SI0PzsP4cbddr7zsP4cbddrk
TLSH: T1D2925CB412896D79FBD1CE39AF3C7F4DADE8C2C42124A3ACBA4F39215A1166DC705349
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 53
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph (process tree; the guuid node identifiers of the rendered graph are omitted, processes are grouped by parent and binary):
  pid 3162 /usr/bin/sudo
    execve -> pid 3163 /tmp/sample.bin
      clone  -> pid 3164, 3165, 3201, 3202, 3204, 3237, 3238 /usr/bin/bash
      execve -> pid 3166, 3167, 3168, 3169, 3170, 3171, 3172 /usr/bin/mkdir
      execve -> pid 3173, 3174, 3175, 3176, 3177, 3179, 3180, 3181, 3184, 3187, 3189, 3191, 3194, 3195, 3197 /usr/bin/cp
      execve -> pid 3199 /usr/bin/touch
      execve -> pid 3205 /usr/bin/base64 (write-file)
      execve -> pid 3207 /usr/bin/bash
        clone  -> pid 3210, 3211, 3220, 3228 /usr/bin/bash
        execve -> pid 3212, 3217, 3225, 3231, 3234 /usr/bin/ls
        execve -> pid 3215, 3233 /usr/bin/cat
        execve -> pid 3218 /usr/bin/mkdir
        execve -> pid 3219 /usr/bin/mv
        execve -> pid 3221, 3229 /usr/bin/base64 (write-file)
        execve -> pid 3223 /usr/bin/rm (delete-file)
      execve -> pid 3236 /usr/bin/rm (delete-file)
      execve -> pid 3239 /usr/bin/bash
      execve -> pid 3240 /usr/bin/rm
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-19 21:55:27 UTC
File Type: Text (Shell)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  Writes file to tmp directory
  Deobfuscate/Decode Files or Information
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh 5b3ead35a73cf214b6b0063fecb647871deb5b0fe83984b3fcbcccd59222e416 (this sample)

Delivery method: Distributed via web download

Comments