MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f08de2db662531be25f28cdea63b3b9e85051ddf9ddf96064ec50a63cf26e21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 7f08de2db662531be25f28cdea63b3b9e85051ddf9ddf96064ec50a63cf26e21
SHA3-384 hash: 8b03ea8c100d2adbae685ca4f2c2efbb961e992d41a165b6bfa01d1726f8f877878ad9cdda72d1a06ea39157a8f3b3fa
SHA1 hash: 1a578ac62a782dcee0b5a3e93b01ef560c5af289
MD5 hash: 7ee2fcda1ae18440b3e444a42fcdd84e
humanhash: blue-tennessee-michigan-zulu
File name: k.php
File size: 19'499 bytes
First seen: 2026-03-27 16:04:00 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:jDFcuQpWx+BL0SWL0g6zsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:/F8i+BL0SI0JzsP4cbddr7zsP4cbddrk
TLSH: T165925DB512896C79FBD1CE399F3C6F4DADE8C2C42124E3ACBA4F39215A1166DC70534A
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 50
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade
Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph (process tree recovered from the sandbox graph; each entry gives the syscall that created the process, the image, and the pid; [write-file] and [delete-file] are the sandbox's file-activity annotations):

/usr/bin/sudo (pid 2972)
  execve  /tmp/sample.bin (pid 2981)
    clone   /usr/bin/bash x2 (pids 2983, 2984)
    execve  /usr/bin/mkdir x7 (pids 2986, 2988, 2991, 2993, 2995, 2997, 2999)
    execve  /usr/bin/cp x15 (pids 3000, 3001, 3003, 3005, 3007, 3010, 3012, 3015, 3017, 3020, 3022, 3025, 3027, 3029, 3031)
    execve  /usr/bin/touch (pid 3034)
    clone   /usr/bin/bash x3 (pids 3035, 3037, 3038)
    execve  /usr/bin/base64 (pid 3039) [write-file]
    execve  /usr/bin/bash (pid 3040)
      clone   /usr/bin/bash x2 (pids 3041, 3042)
      execve  /usr/bin/ls (pid 3044)
      execve  /usr/bin/cat (pid 3047)
      execve  /usr/bin/ls (pid 3050)
      execve  /usr/bin/mkdir (pid 3052)
      execve  /usr/bin/mv (pid 3054)
      clone   /usr/bin/bash (pid 3057)
      execve  /usr/bin/base64 (pid 3058) [write-file]
      execve  /usr/bin/rm (pid 3060) [delete-file]
      execve  /usr/bin/ls (pid 3062)
      clone   /usr/bin/bash (pid 3063)
      execve  /usr/bin/base64 (pid 3064) [write-file]
      execve  /usr/bin/ls (pid 3065)
      execve  /usr/bin/cat (pid 3066)
      execve  /usr/bin/ls (pid 3067)
    execve  /usr/bin/rm (pid 3069) [delete-file]
    clone   /usr/bin/bash x2 (pids 3072, 3073)
    execve  /usr/bin/bash (pid 3075)
    execve  /usr/bin/rm (pid 3078)
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2026-03-27 16:04:23 UTC
File Type: Text (Shell)
AV detection: 17 of 36 (47.22%)
Threat level: 5/5
Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
Reads runtime system information
Writes file to tmp directory
Deobfuscate/Decode Files or Information
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_LNX_Base64_Exec_Apr24
Author:Christian Burkard
Description:Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference:Internal Research
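The sandbox behaviour listed above (base64 decoding, a file written under /tmp, execution through bash, then deletion) and the YARA hit for base64-encoded shell commands describe the same dropper pattern. As an added example, not code from MalwareBazaar, not the SUSP_LNX_Base64_Exec_Apr24 rule itself and not the contents of the k.php sample (which this page does not display), the following Python script performs the static check an analyst would run on such a script before detonating it: it flags lines that decode base64 straight into a shell or into /tmp, lines that execute or source something from /tmp, and decodes any long embedded base64 literal so the next stage can be read without running it. The dropper it scans is constructed for the example, and the 40-character minimum length for a base64 literal is an assumption.

```python
# Added example: static triage heuristic for a base64-decode-to-/tmp-then-execute
# dropper. Not MalwareBazaar's YARA rule and not the k.php sample's contents;
# the script scanned below is constructed for illustration.
import base64
import binascii
import re

# A base64 run shorter than this is treated as a token, not a payload (assumption).
MIN_B64_LEN = 40

B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)
# Commands that turn base64 text back into bytes.
DECODE_CMD = re.compile(r"\bbase64\s+(-d|--decode)\b|\bopenssl\s+(enc\s+)?-base64\s+-d\b")
# Ways a script hands decoded bytes to a shell: pipe into sh/bash, eval,
# run or source a file under /tmp.
EXEC_SINK = re.compile(r"\|\s*(ba)?sh\b|\beval\b|\b(ba)?sh\s+/tmp/|(^|[;&|]\s*)\.\s+/tmp/")
# Redirection of output into /tmp, the [write-file] step in the process tree.
TMP_WRITE = re.compile(r">\s*/tmp/\S+")


def decode_b64(blob):
    """Return the decoded bytes of a base64 literal, or None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_script(text):
    """Scan shell-script text and return findings sorted by line.

    Each finding is a dict with keys line, kind and text. kinds:
      decode-and-exec  base64 is decoded and piped straight into a shell
      decode-to-tmp    base64 is decoded and written under /tmp
      exec-from-tmp    something under /tmp is executed or sourced
      embedded-base64  a long base64 literal; text holds the decoded preview
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        decodes = DECODE_CMD.search(stripped) is not None
        sinks = EXEC_SINK.search(stripped) is not None
        writes_tmp = TMP_WRITE.search(stripped) is not None
        if decodes and (sinks or writes_tmp):
            kind = "decode-and-exec" if sinks else "decode-to-tmp"
            findings.append({"line": lineno, "kind": kind, "text": stripped})
        elif sinks and "/tmp/" in stripped:
            findings.append({"line": lineno, "kind": "exec-from-tmp", "text": stripped})
    # Decode every long base64 literal so the analyst sees the payload without running it.
    for match in B64_LITERAL.finditer(text):
        raw = decode_b64(match.group(0))
        if raw is None:
            continue
        lineno = text.count("\n", 0, match.start()) + 1
        preview = raw[:60].decode("utf-8", "replace")
        findings.append({"line": lineno, "kind": "embedded-base64", "text": preview})
    findings.sort(key=lambda f: (f["line"], f["kind"]))
    return findings


def has_decode_exec_chain(findings):
    """True when the script both decodes a payload and executes it (directly or via /tmp)."""
    kinds = {f["kind"] for f in findings}
    return "decode-and-exec" in kinds or {"decode-to-tmp", "exec-from-tmp"} <= kinds


# Constructed stage-two payload and dropper; not the real sample's contents.
STAGE_TWO = b'#!/bin/sh\necho "stage two" > /tmp/.x/marker\n'
SAMPLE_SCRIPT = (
    "#!/bin/sh\n"
    "# constructed for this example\n"
    "mkdir -p /tmp/.x\n"
    "cp /bin/busybox /tmp/.x/bb\n"
    "echo '%s' | base64 -d > /tmp/.x/stage2.sh\n"
    "bash /tmp/.x/stage2.sh\n"
    "rm -f /tmp/.x/stage2.sh\n"
) % base64.b64encode(STAGE_TWO).decode()

if __name__ == "__main__":
    results = scan_script(SAMPLE_SCRIPT)
    for f in results:
        print("line %d  %-16s %s" % (f["line"], f["kind"], f["text"].rstrip()))
    print("decode-and-execute chain:", has_decode_exec_chain(results))
```

Run it directly to see the findings for the constructed dropper. The patterns are deliberately narrow: a script that only decodes base64 into a variable is not flagged, and a production rule would also need to cover `xxd -r`, `gzip -d`, `printf` byte escapes and payloads fetched over the network, none of which this heuristic handles.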

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: sh 7f08de2db662531be25f28cdea63b3b9e85051ddf9ddf96064ec50a63cf26e21 (this sample)
Delivery method: Distributed via web download

Comments