MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 838622a264b15e8426ae6ff503dcbb3b89588ae3b1362cfb5e3cd7640a64253c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 838622a264b15e8426ae6ff503dcbb3b89588ae3b1362cfb5e3cd7640a64253c
SHA3-384 hash: c1d6663e8a8a4a08b98c2f4a1dba70b8953e0c2cee3e9b8dac3f50f7a0698930bd284c10c9ab7625432f1401a43f5f75
SHA1 hash: 09b347cf4fcbc65a99e3d0f8fe33f867c688120b
MD5 hash: db29c217807f7b8a827d653827b12fba
humanhash: mike-fourteen-uranus-oranges
File name: k.php
Download: download sample
File size: 19'499 bytes
First seen: 2026-03-18 02:44:35 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:CFcuQpWx+BL0SWL0gLzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:CF8i+BL0SI0kzsP4cbddr7zsP4cbddrk
TLSH: T117925CB512896C79FBD0CE39AF3C6F4CADE8C2C42124A3ACBA4F39215A1166DC705359
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 70
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph (process tree reconstructed from the sandbox graph dump; node guuids omitted, edge labels are the syscall recorded):
  pid 2420 /usr/bin/sudo
    execve -> pid 2421 /tmp/sample.bin
      clone  -> /usr/bin/bash (pids 2423, 2424)
      execve -> /usr/bin/mkdir x7 (pids 2425, 2426, 2427, 2430, 2432, 2434, 2436)
      execve -> /usr/bin/cp x15 (pids 2439, 2441, 2442, 2443, 2445, 2448, 2450, 2453, 2457, 2460, 2462, 2463, 2464, 2466, 2469)
      execve -> pid 2472 /usr/bin/touch
      clone  -> /usr/bin/bash (pids 2474, 2475, 2476)
      execve -> pid 2477 /usr/bin/base64 [write-file]
      execve -> pid 2480 /usr/bin/bash
        clone  -> /usr/bin/bash (pids 2482, 2483)
        execve -> pid 2484 /usr/bin/ls
        execve -> pid 2487 /usr/bin/cat
        execve -> pid 2489 /usr/bin/ls
        execve -> pid 2492 /usr/bin/mkdir
        execve -> pid 2495 /usr/bin/mv
        clone  -> pid 2497 /usr/bin/bash
        execve -> pid 2498 /usr/bin/base64 [write-file]
        execve -> pid 2501 /usr/bin/rm [delete-file]
        execve -> pid 2503 /usr/bin/ls
        clone  -> pid 2505 /usr/bin/bash
        execve -> pid 2507 /usr/bin/base64 [write-file]
        execve -> pid 2509 /usr/bin/ls
        execve -> pid 2511 /usr/bin/cat
        execve -> pid 2513 /usr/bin/ls
      execve -> pid 2516 /usr/bin/rm [delete-file]
      clone  -> /usr/bin/bash (pids 2517, 2518)
      execve -> pid 2519 /usr/bin/bash
      execve -> pid 2521 /usr/bin/rm

Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-18 02:45:34 UTC
File Type: Text (Shell)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
- Reads runtime system information
- Writes file to tmp directory
- Deobfuscate/Decode Files or Information
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_LNX_Base64_Exec_Apr24
Author:Christian Burkard
Description:Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference:Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
sh  838622a264b15e8426ae6ff503dcbb3b89588ae3b1362cfb5e3cd7640a64253c  (this sample)

Delivery method: Distributed via web download

Comments