MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84c9e0ef4b05b19efd1efedaa3731a83f2a0c9c65050943ce428522a198c9419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 84c9e0ef4b05b19efd1efedaa3731a83f2a0c9c65050943ce428522a198c9419
SHA3-384 hash: 9f329ca309524824a9d6e324ee892b8db464696b6339e13c4650b1157a396c9dfc43a0077dedf9b6b156d58210035042
SHA1 hash: cbb5650d3083632029696a43d91ee654aec7fd4e
MD5 hash: b0583cbca711451ee4fcde92ab4ee7f6
humanhash: cat-missouri-william-paris
File name: k.php
File size: 19'499 bytes
First seen: 2026-03-11 02:57:03 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:zFcuQpWx+BL0SWL0g/zsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:zF8i+BL0SI0UzsP4cbddr7zsP4cbddrk
TLSH: T1B3925CB512896C79FBD0CE399F3C7F4CADE882C42124A3ACBA4F39205A1166DC60535A
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 59
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph (process tree reconstructed from the graph's node/edge list; pid, image and edge type as labelled, sandbox file-effect annotations in brackets):

pid 3536 /usr/bin/sudo
└─ execve → pid 3546 /tmp/sample.bin
   ├─ clone  → 3548, 3549 /usr/bin/bash
   ├─ execve → /usr/bin/mkdir ×7 (pids 3550, 3552, 3553, 3555, 3557, 3560, 3562)
   ├─ execve → /usr/bin/cp ×15 (pids 3563, 3566, 3568, 3571, 3573, 3575, 3577, 3580, 3582, 3584, 3586, 3588, 3591, 3593, 3595)
   ├─ execve → 3597 /usr/bin/touch
   ├─ clone  → 3599, 3600, 3602 /usr/bin/bash
   ├─ execve → 3603 /usr/bin/base64 [write-file]
   ├─ execve → 3606 /usr/bin/bash
   │  ├─ clone  → 3608, 3609 /usr/bin/bash
   │  ├─ execve → 3610 /usr/bin/ls
   │  ├─ execve → 3612 /usr/bin/cat
   │  ├─ execve → 3614 /usr/bin/ls
   │  ├─ execve → 3617 /usr/bin/mkdir
   │  ├─ execve → 3619 /usr/bin/mv
   │  ├─ clone  → 3621 /usr/bin/bash
   │  ├─ execve → 3622 /usr/bin/base64 [write-file]
   │  ├─ execve → 3623 /usr/bin/rm [delete-file]
   │  ├─ execve → 3625 /usr/bin/ls
   │  ├─ clone  → 3628 /usr/bin/bash
   │  ├─ execve → 3629 /usr/bin/base64 [write-file]
   │  ├─ execve → 3630 /usr/bin/ls
   │  ├─ execve → 3632 /usr/bin/cat
   │  └─ execve → 3633 /usr/bin/ls
   ├─ execve → 3635 /usr/bin/rm [delete-file]
   ├─ clone  → 3637, 3638 /usr/bin/bash
   ├─ execve → 3640 /usr/bin/bash
   └─ execve → 3642 /usr/bin/rm
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-11 02:57:24 UTC
File Type: Text (Shell)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  Writes file to tmp directory
  Deobfuscate/Decode Files or Information
Please note that we are no longer able to provide a coverage score for Virus Total.
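The process tree and the Behaviour list above describe one staging pattern: filesystem preparation (mkdir, cp, touch), base64 writing a file, a fresh bash being exec'd, then rm deleting a file. As an added example that is not MalwareBazaar's code nor any sandbox vendor's, here is that sequence expressed as a detection over process-creation events in Python. The event records are constructed from a subset of the pids and binaries in the graph; the field names, the shell and staging-tool lists and the chain rule are this example's own assumptions.

```python
from __future__ import annotations

import os
from collections import Counter, defaultdict
from dataclasses import dataclass

SHELLS = {"sh", "bash", "dash", "zsh"}       # assumed interpreter set
STAGING = {"mkdir", "cp", "touch", "mv"}     # assumed filesystem-staging tools


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    exe: str
    how: str          # graph edge label: "execve" (new program image) or "clone" (fork only)
    effect: str = ""  # graph node annotation: "write-file", "delete-file", or ""


# Constructed input: a subset of the sandbox process tree on this page, keeping
# its pids and binaries. The full tree has 7 mkdir and 15 cp children; one of
# each is enough to exercise the logic.
EVENTS = [
    ProcEvent(3546, 3536, "/tmp/sample.bin", "execve"),
    ProcEvent(3548, 3546, "/usr/bin/bash", "clone"),
    ProcEvent(3550, 3546, "/usr/bin/mkdir", "execve"),
    ProcEvent(3563, 3546, "/usr/bin/cp", "execve"),
    ProcEvent(3597, 3546, "/usr/bin/touch", "execve"),
    ProcEvent(3603, 3546, "/usr/bin/base64", "execve", "write-file"),
    ProcEvent(3606, 3546, "/usr/bin/bash", "execve"),
    ProcEvent(3610, 3606, "/usr/bin/ls", "execve"),
    ProcEvent(3619, 3606, "/usr/bin/mv", "execve"),
    ProcEvent(3622, 3606, "/usr/bin/base64", "execve", "write-file"),
    ProcEvent(3623, 3606, "/usr/bin/rm", "execve", "delete-file"),
    ProcEvent(3635, 3546, "/usr/bin/rm", "execve", "delete-file"),
    ProcEvent(3640, 3546, "/usr/bin/bash", "execve"),
]


def _name(e: ProcEvent) -> str:
    return os.path.basename(e.exe)


def execve_children(events: list[ProcEvent]) -> dict[int, list[ProcEvent]]:
    """Group execve children by parent pid in spawn order (the sandbox handed
    out pids sequentially). clone edges are forks without a new image
    (subshells, pipeline stages) and carry no signal of their own."""
    tree: dict[int, list[ProcEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.pid):
        if e.how == "execve":
            tree[e.ppid].append(e)
    return tree


def decode_exec_delete_chains(events: list[ProcEvent]) -> list[tuple[int, int, int]]:
    """Return (decoder_pid, shell_pid, rm_pid) triples under one parent where a
    base64 that wrote a file is followed by a shell being exec'd and then by an
    rm that deleted a file: the stage, run, clean-up sequence in the graph."""
    chains = []
    for kids in execve_children(events).values():
        for i, dec in enumerate(kids):
            if not (_name(dec) == "base64" and dec.effect == "write-file"):
                continue
            shell = next((k for k in kids[i + 1:] if _name(k) in SHELLS), None)
            if shell is None:
                continue
            rm = next((k for k in kids if k.pid > shell.pid
                       and _name(k) == "rm" and k.effect == "delete-file"), None)
            if rm is not None:
                chains.append((dec.pid, shell.pid, rm.pid))
    return chains


def summarize(events: list[ProcEvent]) -> dict:
    """Counts a triage analyst would glance at, plus the matched chains."""
    execs = [e for e in events if e.how == "execve"]
    names = Counter(_name(e) for e in execs)
    return {
        "staging": sum(names[n] for n in STAGING),
        "decoders_writing_files": sum(1 for e in execs if _name(e) == "base64" and e.effect == "write-file"),
        "shells_exec": sum(1 for e in execs if _name(e) in SHELLS),
        "deletes": sum(1 for e in execs if _name(e) == "rm" and e.effect == "delete-file"),
        "chains": decode_exec_delete_chains(events),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

On real telemetry (auditd EXECVE records, an eBPF exec/unlink tracer) the same rule needs the parent pid and the file effect attached to each event, and the ordering assumption (pid order equals spawn order) holds for a short sandbox trace but on a long-running host you would order by timestamp instead. Note that the child shell 3606 repeats the decode-and-delete steps without exec'ing a further shell, so it is counted but yields no chain; that is the intended behaviour of the rule, not a gap.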

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research
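The body of SUSP_LNX_Base64_Exec_Apr24 is not reproduced on this page, so what follows is an added illustration, not the rule itself and not MalwareBazaar code: a static triage scanner in Python for the behaviour the description names, a base64 blob on a shell line that is decoded and handed to an interpreter, or decoded to a file as the base64 write-file steps in the process tree above do. The regexes, the 12-character blob threshold and the sample script are this example's own choices; the sample is constructed and is not the k.php file recorded here.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# A line that invokes a base64 decoder: GNU `base64 -d`/`--decode`, BSD
# `base64 -D`, or `openssl base64 -d`. Which tools count is this example's choice.
DECODE_RE = re.compile(
    r"\bbase64\s+(?:-d|-D|--decode)\b|\bopenssl\s+(?:base64|enc)\b[^|;]*\s-d\b"
)
# A delimited run of base64-alphabet characters long enough to be unlikely in
# ordinary shell text (12 chars = 9 bytes of payload; tune for your corpus).
BLOB_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
# The decoded bytes being handed to an interpreter on the same line.
SHELL_RE = re.compile(r"\|\s*(?:ba|da|z)?sh\b|\b(?:ba|da|z)?sh\s+-c\b|\beval\b")
REDIRECT_RE = re.compile(r">>?\s*\S+")


@dataclass
class Finding:
    line: int
    kind: str      # "inline_exec", "inline_decode", "decode_to_file", "decoder_call"
    decoded: str   # recovered plaintext, or "" when the blob is not on the line
    text: str      # the offending line, stripped


def _decode_printable(blob: str) -> str | None:
    """Decode a candidate blob; reject anything that is not printable text.

    Long paths such as /usr/local/bin/bash are valid base64 alphabet but decode
    to binary noise, so the printability check is what keeps false positives down.
    """
    padded = blob.rstrip("=")
    padded += "=" * (-len(padded) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw or any(not (0x20 <= b <= 0x7E or b in b"\t\n\r") for b in raw):
        return None
    return raw.decode("ascii")


def scan_shell_script(script: str) -> list[Finding]:
    """Report every decoder invocation, classified by what happens to its output."""
    findings: list[Finding] = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if not DECODE_RE.search(line):
            continue
        decoded = [d for d in map(_decode_printable, BLOB_RE.findall(line)) if d is not None]
        if decoded:
            kind = "inline_exec" if SHELL_RE.search(line) else "inline_decode"
            findings.extend(Finding(lineno, kind, d, line.strip()) for d in decoded)
        elif REDIRECT_RE.search(line):
            findings.append(Finding(lineno, "decode_to_file", "", line.strip()))
        else:
            findings.append(Finding(lineno, "decoder_call", "", line.strip()))
    return findings


# Constructed sample, not the MalwareBazaar file: one inline blob piped to bash,
# one eval'd command substitution, and one decode-to-file like the base64
# write-file step in the sandbox process tree.
SAMPLE_SCRIPT = r"""#!/bin/sh
# constructed test input
d=/tmp/.cache; mkdir -p "$d"
echo "dW5hbWUgLWE7IGlk" | base64 -d | bash
eval "$(echo 'ZWNobyBoZWxsbw==' | base64 -d)"
cat "$d/payload.b64" | base64 -d > "$d/bin"
rm -f "$d/payload.b64"
"""

if __name__ == "__main__":
    for f in scan_shell_script(SAMPLE_SCRIPT):
        print(f"line {f.line}: {f.kind:<15} {f.decoded!r}  <- {f.text}")
```

Each decoder invocation comes back classified, and the recovered plaintext is what you feed to the next triage stage (a YARA pass over the decoded layer, URL extraction). A line whose only base64-looking token is a path is not reported as an inline blob because the decode is not printable text; a decoder that reads its blob from a file rather than the line itself is still reported, as decode_to_file or decoder_call, so the write-file behaviour in the graph above is not missed.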

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  sh 84c9e0ef4b05b19efd1efedaa3731a83f2a0c9c65050943ce428522a198c9419 (this sample)

Delivery method: Distributed via web download

Comments