MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ebd67ffeebda248fade75c15719b8033a8f88eb289c226144dacf62b3cab327. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7
SHA256 hash: 7ebd67ffeebda248fade75c15719b8033a8f88eb289c226144dacf62b3cab327
SHA3-384 hash: f6ea4f48bdf0395a4212fa08ab8048122bbbb00c58735d065bd93c3725553c6727d5b02c0c454749cdc432980c13cf24
SHA1 hash: 8b734a07a9260d3344d581020ed02dc243870fb2
MD5 hash: a67683d5f35f80427be8bd37c489bd8c
humanhash: twelve-ink-carolina-thirteen
File name: k.php
Download: download sample
File size: 19'499 bytes
First seen: 2026-03-11 14:21:38 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:Yh0M3vgRjGlsaq7CzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:YxmjfezsP4cbddr7zsP4cbddrk
TLSH: T13B925BA916496C79FBC0CE7D9F3C7F0CADE481C02118A3ACBA4F39604A2069DDA0635D
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 76
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph:

Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-11 14:22:26 UTC
File Type: Text (Shell)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
- Reads runtime system information
- Writes file to tmp directory
- Deobfuscate/Decode Files or Information

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh 7ebd67ffeebda248fade75c15719b8033a8f88eb289c226144dacf62b3cab327 (this sample)

Delivery method: Distributed via web download

Comments