MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb8694eb9d551d6bfef282f696f893032641dc9b6d9de3e0c26375873be7c394. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: bb8694eb9d551d6bfef282f696f893032641dc9b6d9de3e0c26375873be7c394
SHA3-384 hash: 2bddc3924ee93442df25a6d97115626b4e1e673512227eb4e9d5ed7041cd21ac58e01c2bc0201ab7152dbe4f843ac90e
SHA1 hash: 32a1bd9acce53280b33eaa17e4db87f579d75779
MD5 hash: e5fa56295e14db8a3516f3d3fa761fef
humanhash: yankee-massachusetts-stairway-table
File name: k.php
File size: 19'499 bytes
First seen: 2026-03-08 13:55:40 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:dyc0M3vgRjGlsaq7jzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:dyGmjfXzsP4cbddr7zsP4cbddrk
TLSH: T1BD925BA916496C79BBC0CE7D9F3C7F0CADE4C1C02219A39CBA4F39715A2069DDA0535D
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 56
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-08 13:56:16 UTC
File Type: Text (Shell)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  Writes file to tmp directory
  Deobfuscate/Decode Files or Information

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download: sh bb8694eb9d551d6bfef282f696f893032641dc9b6d9de3e0c26375873be7c394 (this sample)
Delivery method: Distributed via web download