MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 802e3a8de77a50ace30d380f9d02f0179047a7eb2768efcd5d39b16137cbef08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 802e3a8de77a50ace30d380f9d02f0179047a7eb2768efcd5d39b16137cbef08
SHA3-384 hash: ba1b905c14b07c5a6fc59a957d20de783c80256b4d53aef16f1c8b7070a2d15bf8452cbbc5dbf2f235f16f1e84696e3d
SHA1 hash: bff61ba21b8f4ba220681cba1bf721632bcff266
MD5 hash: b877be25cd9a874c26ccbe39828d9342
humanhash: leopard-october-winner-pip
File name: k.php
File size: 19'499 bytes
First seen: 2026-03-10 06:34:50 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:TycuQpWx+BL0SWL0gbzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:Ty8i+BL0SI0AzsP4cbddr7zsP4cbddrk
TLSH: T1D3925CB512896C79FBD1CE399F3C7F4CADE9C2C42124A3ACBA4F39205A1166DC705359
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 61
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-10 06:35:23 UTC
File Type: Text (Shell)
AV detection: 11 of 24 (45.83%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  Writes file to tmp directory
  Deobfuscate/Decode Files or Information
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh 802e3a8de77a50ace30d380f9d02f0179047a7eb2768efcd5d39b16137cbef08 (this sample)

Delivery method
Distributed via web download

Comments