MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a93c12202445a324a04eebfe872c8125ea453101513f6ed6a5c8ed274ecfb5a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 7



SHA256 hash: a93c12202445a324a04eebfe872c8125ea453101513f6ed6a5c8ed274ecfb5a5
SHA3-384 hash: c0b81df5e5846f2f164148d8bbadb64bd9549573a03ff5bab2b9bf904a5b2d51a1729c164ec5507d5194a845e1387438
SHA1 hash: 141430a29823bb080601b8ecbbbe8dc1536f239d
MD5 hash: d85427494db36753a398563524308625
humanhash: failed-white-floor-early
File name: k.php
File size: 19'491 bytes
First seen: 2026-03-11 06:34:20 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:jOIncuxOLnVYMSmzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:jOLuQL+mzsP4cbddr7zsP4cbddrk
TLSH: T1AC924CB906496C79FBC0CE799F3C7F0CAEE582C42129E39DBA1F39704A2165DC609359
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh
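Anyone who downloads this sample will want two checks before doing anything else with it: that the bytes on disk are the ones this entry describes, and that the content matches what the file name claims (the entry types a file called k.php as text/x-shellscript, which is the kind of extension/content mismatch the vendor tag "masquerade" in the intelligence section refers to). The following is an added example, not MalwareBazaar's own tooling. It assumes the sample has already been saved to disk as a plain file and uses only the digests listed in this entry; the content sniffer is a deliberately small stand-in for libmagic.

```python
import hashlib
import re

# Digests listed in this MalwareBazaar entry, keyed by hashlib algorithm name.
EXPECTED = {
    "sha256": "a93c12202445a324a04eebfe872c8125ea453101513f6ed6a5c8ed274ecfb5a5",
    "sha3_384": "c0b81df5e5846f2f164148d8bbadb64bd9549573a03ff5bab2b9bf904a5b2d51a1729c164ec5507d5194a845e1387438",
    "sha1": "141430a29823bb080601b8ecbbbe8dc1536f239d",
    "md5": "d85427494db36753a398563524308625",
}

SHEBANG_RE = re.compile(rb"\A#!\s*(\S+)")


def digests(data: bytes) -> dict:
    """Compute every digest the entry lists, using the same algorithm names."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED}


def verify(data: bytes, expected: dict) -> dict:
    """Return {algorithm: (expected, actual)} for each digest that does not match.
    An empty dict means the bytes are the ones this entry describes."""
    actual = digests(data)
    return {
        name: (want.lower(), actual[name])
        for name, want in expected.items()
        if actual[name] != want.lower()
    }


def content_kind(data: bytes) -> str:
    """Classify the leading bytes: interpreter shebang, ELF header, PHP open tag,
    or unknown. Small on purpose; real triage would use libmagic."""
    m = SHEBANG_RE.match(data)
    if m:
        return "script:" + m.group(1).decode("ascii", errors="replace")
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.lstrip().startswith(b"<?php"):
        return "php"
    return "unknown"


def name_matches_content(file_name: str, kind: str) -> bool:
    """False when the extension promises one thing and the bytes are another.
    Only the extensions relevant to this entry are handled; others pass."""
    ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
    if ext == "php":
        return kind == "php" or kind.endswith("php")
    if ext in ("sh", "bash"):
        return kind.startswith("script:")
    return True


def triage_file(path: str, file_name: str, expected: dict = EXPECTED) -> dict:
    """Read a saved sample and run both checks; returns a small report."""
    with open(path, "rb") as fh:
        data = fh.read()
    kind = content_kind(data)
    return {
        "hash_mismatches": verify(data, expected),
        "content_kind": kind,
        "name_matches_content": name_matches_content(file_name, kind),
    }


if __name__ == "__main__":
    import sys
    print(triage_file(sys.argv[1], "k.php"))
```

A report with an empty `hash_mismatches` and `name_matches_content` False is the expected outcome for this entry: the bytes are the published sample, and a `.php` name on a shebang script is exactly the masquerade the vendor tagged. On hosts running in FIPS mode `hashlib.new("md5", ...)` may raise; drop that key from `EXPECTED` there rather than disabling the check.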

Intelligence


File Origin
# of uploads: 1
# of downloads: 55
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph:
(process tree from the graph export: PID, image, [edge type from parent, file-activity tag]; consecutive runs of the same binary are grouped on one line)
3569 /usr/bin/sudo
  3577 /tmp/sample.bin [execve]
    3578, 3580 /usr/bin/bash [clone]
    3581, 3584, 3586, 3588, 3591, 3593, 3596 /usr/bin/mkdir [execve] (7 runs)
    3597, 3599, 3602, 3604, 3606, 3608, 3611, 3613, 3615, 3616, 3618, 3620, 3623, 3625, 3627 /usr/bin/cp [execve] (15 runs)
    3630 /usr/bin/touch [execve]
    3632, 3633, 3635 /usr/bin/bash [clone]
    3636 /usr/bin/base64 [execve, write-file]
    3638 /usr/bin/bash [execve]
      3642, 3643 /usr/bin/bash [clone]
      3644 /usr/bin/ls [execve]
      3647 /usr/bin/cat [execve]
      3648 /usr/bin/ls [execve]
      3653 /usr/bin/mkdir [execve]
      3655 /usr/bin/mv [execve]
      3661 /usr/bin/bash [clone]
      3662 /usr/bin/base64 [execve, write-file]
      3664 /usr/bin/rm [execve, delete-file]
      3666 /usr/bin/ls [execve]
      3668 /usr/bin/bash [clone]
      3669 /usr/bin/base64 [execve, write-file]
      3672 /usr/bin/ls [execve]
      3674 /usr/bin/cat [execve]
      3676 /usr/bin/ls [execve]
    3678 /usr/bin/rm [execve, delete-file]
    3682, 3683 /usr/bin/bash [clone]
    3684 /usr/bin/bash [execve]
    3688 /usr/bin/rm [execve]
Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-11 06:35:26 UTC
File Type: Text (Shell)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  Writes file to tmp directory
  Deobfuscate/Decode Files or Information

Please note that we are no longer able to provide a coverage score for Virus Total.
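The behavior graph in the vendor results above is exported as a flat text serialization of a Graphviz process graph rather than as an image, which makes it hard to read but easy to parse. The following is an added example, not MalwareBazaar's or the sandbox vendor's code, that turns that serialization into a process tree and pulls out which binaries ran under the sample and which processes were tagged write-file or delete-file. The excerpt it runs on is copied from this entry's graph and trimmed to a few nodes; the token layout it assumes (node `guuid=<id> pid=<n> <path> [tag]`, edge `guuid=<id> pid=<parent>->guuid=<id> pid=<child> <execve|clone>`) is inferred from the text of the export, not from any documented format.

```python
import re
from collections import defaultdict

# Excerpt of this entry's behavior graph in the flattened form the page
# exports it. Node tokens: "guuid=<id> pid=<n> <path> [write-file|delete-file]".
# Edge tokens: "guuid=<id> pid=<parent>->guuid=<id> pid=<child> <execve|clone>".
# Only a handful of the entry's nodes are kept so the example stays short.
GRAPH_EXCERPT = (
    "%3 guuid=d9ff6c29-1700-0000-860d-4154f10d0000 pid=3569 /usr/bin/sudo "
    "guuid=7f316a2b-1700-0000-860d-4154f90d0000 pid=3577 /tmp/sample.bin "
    "guuid=d9ff6c29-1700-0000-860d-4154f10d0000 pid=3569->"
    "guuid=7f316a2b-1700-0000-860d-4154f90d0000 pid=3577 execve "
    "guuid=4179cb2b-1700-0000-860d-4154fa0d0000 pid=3578 /usr/bin/bash "
    "guuid=7f316a2b-1700-0000-860d-4154f90d0000 pid=3577->"
    "guuid=4179cb2b-1700-0000-860d-4154fa0d0000 pid=3578 clone "
    "guuid=0ef3fc2b-1700-0000-860d-4154fd0d0000 pid=3581 /usr/bin/mkdir "
    "guuid=7f316a2b-1700-0000-860d-4154f90d0000 pid=3577->"
    "guuid=0ef3fc2b-1700-0000-860d-4154fd0d0000 pid=3581 execve "
    "guuid=d0502f35-1700-0000-860d-4154340e0000 pid=3636 /usr/bin/base64 write-file "
    "guuid=7f316a2b-1700-0000-860d-4154f90d0000 pid=3577->"
    "guuid=d0502f35-1700-0000-860d-4154340e0000 pid=3636 execve "
    "guuid=2f02a635-1700-0000-860d-4154360e0000 pid=3638 /usr/bin/bash "
    "guuid=7f316a2b-1700-0000-860d-4154f90d0000 pid=3577->"
    "guuid=2f02a635-1700-0000-860d-4154360e0000 pid=3638 execve "
    "guuid=37508f36-1700-0000-860d-41543f0e0000 pid=3647 /usr/bin/cat "
    "guuid=2f02a635-1700-0000-860d-4154360e0000 pid=3638->"
    "guuid=37508f36-1700-0000-860d-41543f0e0000 pid=3647 execve "
    "guuid=2bd68038-1700-0000-860d-4154500e0000 pid=3664 /usr/bin/rm delete-file "
    "guuid=2f02a635-1700-0000-860d-4154360e0000 pid=3638->"
    "guuid=2bd68038-1700-0000-860d-4154500e0000 pid=3664 execve"
)

# A node carries an absolute path; an edge's second half carries an edge kind
# instead, so the leading "/" keeps NODE_RE from matching edge fragments.
NODE_RE = re.compile(r"guuid=(\S+) pid=(\d+) (/\S+)((?: (?:write-file|delete-file))*)")
EDGE_RE = re.compile(r"guuid=(\S+) pid=(\d+)->guuid=(\S+) pid=(\d+) (\w+)")


def parse_graph(text):
    """Return ({pid: (path, flags)}, [(parent_pid, child_pid, edge_kind)])."""
    nodes = {}
    for m in NODE_RE.finditer(text):
        _guuid, pid, path, flags = m.groups()
        nodes[int(pid)] = (path, tuple(flags.split()))
    edges = []
    for m in EDGE_RE.finditer(text):
        _pg, parent, _cg, child, kind = m.groups()
        edges.append((int(parent), int(child), kind))
    return nodes, edges


def children_of(edges):
    kids = defaultdict(list)
    for parent, child, kind in edges:
        kids[parent].append((child, kind))
    return kids


def render_tree(nodes, edges, root):
    """Indented process tree rooted at `root`; children in PID order, which in
    this export is also launch order."""
    kids = children_of(edges)
    lines = []

    def walk(pid, depth, kind):
        path, flags = nodes[pid]
        tags = ([kind] if kind else []) + list(flags)
        suffix = f" [{' '.join(tags)}]" if tags else ""
        lines.append("  " * depth + f"{pid} {path}" + suffix)
        for child, child_kind in sorted(kids[pid]):
            walk(child, depth + 1, child_kind)

    walk(root, 0, None)
    return "\n".join(lines)


def summarize(nodes, edges, root):
    """Count which binaries ran anywhere under `root` and list every process
    the sandbox tagged as writing or deleting a file."""
    kids = children_of(edges)
    counts, file_ops, stack = defaultdict(int), [], [root]
    while stack:
        pid = stack.pop()
        for child, _kind in kids[pid]:
            path, flags = nodes[child]
            counts[path] += 1
            file_ops.extend((child, path, flag) for flag in flags)
            stack.append(child)
    return dict(counts), sorted(file_ops)


if __name__ == "__main__":
    nodes, edges = parse_graph(GRAPH_EXCERPT)
    print(render_tree(nodes, edges, 3569))
    print(summarize(nodes, edges, 3577))
```

Run over the full export text of this entry, `summarize` on PID 3577 counts fifteen `cp`, eight `mkdir` and three `base64` executions among the sample's descendants, with all three `base64` processes tagged write-file and two `rm` processes tagged delete-file; that is consistent with the "Writes file to tmp directory" and "Deobfuscate/Decode Files or Information" behaviour lines in the results above. The parser only knows the two token shapes seen here; an export with a third shape (for example a network-activity tag) would simply be skipped, so compare `len(nodes)` against the number of distinct `pid=` tokens if you adapt it to another graph.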

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research
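The rule description says it targets base64-encoded shell commands, but the rule body itself is not reproduced on this page, so the following is an added example of the same idea written in Python; it is not the YARA rule and not code from its author. It flags `base64 -d` decode steps in a shell script, decodes any base64 literal on the same line, decides whether the result looks like a shell payload, and records where the decoded bytes go (piped into a shell, or written to a file, which is the pattern the `base64` write-file processes in the behavior graph above show). The script it runs on is a constructed, benign stand-in rather than this entry's sample, and the heuristics, regexes and command-word list are this example's own assumptions.

```python
import base64
import re

# Constructed, benign stand-in for a base64 dropper stage in a shell script.
# It is not the contents of this entry's sample; the literal decodes to a
# two-line shell script that only echoes a string.
SAMPLE_SCRIPT = """#!/bin/sh
mkdir -p /tmp/.x
echo 'IyEvYmluL3NoCmVjaG8gaGVsbG8gZnJvbSBzdGFnZTI=' | base64 -d > /tmp/.x/stage2
chmod +x /tmp/.x/stage2
/tmp/.x/stage2
rm -f /tmp/.x/stage2
"""

# Heuristics of this example (not the YARA rule's logic): base64 invoked as a
# decoder, a long base64-looking literal on the same line, and the sink the
# decoded bytes flow into.
DECODE_RE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
LITERAL_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
PIPE_SHELL_RE = re.compile(r"\|\s*(?:ba|da)?sh\b")
REDIRECT_RE = re.compile(r">\s*(\S+)")

# First words that make a decoded text look like shell; an assumed list.
SHELL_WORDS = {"sh", "bash", "echo", "cd", "export", "chmod", "curl", "wget",
               "mkdir", "cp", "rm", "nohup", "setsid"}


def looks_like_shell(data: bytes) -> bool:
    """True if the decoded bytes are text starting with a shebang or a common command."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    first = text.lstrip().split("\n", 1)[0]
    return first.startswith("#!") or first.split(" ", 1)[0] in SHELL_WORDS


def classify_sink(line: str) -> str:
    """Where the decoded output ends up: a shell via a pipe, a file, or unknown."""
    if PIPE_SHELL_RE.search(line):
        return "pipe:shell"
    m = REDIRECT_RE.search(line)
    if m:
        return "file:" + m.group(1)
    return "unknown"


def scan_script(script: str) -> list:
    """Flag lines that decode base64 and report what each literal decodes to."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        if not DECODE_RE.search(line):
            continue
        for literal in LITERAL_RE.findall(line):
            try:
                decoded = base64.b64decode(literal, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            findings.append({
                "line": no,
                "literal": literal,
                "decoded": decoded.decode("utf-8", errors="replace"),
                "shell_like": looks_like_shell(decoded),
                "sink": classify_sink(line),
            })
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f['line']}: sink={f['sink']} shell_like={f['shell_like']}")
        print("  decoded:", f["decoded"].replace("\n", "\\n"))
```

This only catches the single-line form; a literal held in a variable, split across lines or fed through a heredoc, or decoded with `openssl enc -d -base64` instead of `base64`, would be missed, which is why a content-based YARA rule such as the one named above is applied to the file bytes rather than to a parse of the script. Treat the decoded text as evidence to read, not as something to run.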

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh a93c12202445a324a04eebfe872c8125ea453101513f6ed6a5c8ed274ecfb5a5 (this sample)

Delivery method: Distributed via web download

Comments