MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b1df6cd0d85f16f74a915276b7e140e5466cd40f371234cb90ce9bac1f0e54d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: 7b1df6cd0d85f16f74a915276b7e140e5466cd40f371234cb90ce9bac1f0e54d
SHA3-384 hash: e8f99e6fcccca757c66de35b0293a167796924a6332cec11478146e360a93844db788f20517c1d0d006a1659a0233dec
SHA1 hash: cf1ca84c0ceb4e28e09852b4d38d06a1c9871d6e
MD5 hash: 2dec34b44e04f15403f5571dbef95dd0
humanhash: football-timing-gee-magazine
File name: k.php
File size: 19'499 bytes
First seen: 2026-03-23 03:42:39 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:HFcuQpWx+BL0SWL0g3zsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:HF8i+BL0SI0EzsP4cbddr7zsP4cbddrk
TLSH: T120925DB512896C79FBD0CE39AF3C7F4DADE8C2C42124A3ACBA4F39215A1166DC705359
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 54
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Result: Gathering data

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Trojan.Heuristic
Status: Malicious
First seen: 2026-03-23 03:43:17 UTC
File Type: Text (Shell)
AV detection: 14 of 36 (38.89%)
Threat level: 2/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
Reads runtime system information
Writes file to tmp directory
Deobfuscate/Decode Files or Information
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh 7b1df6cd0d85f16f74a915276b7e140e5466cd40f371234cb90ce9bac1f0e54d (this sample)

Delivery method: Distributed via web download

Comments