MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd245b4fe3aaf778d0a018bd144ecb2dabc55fbbdd61ff2f0ceed2e0cf44e393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: bd245b4fe3aaf778d0a018bd144ecb2dabc55fbbdd61ff2f0ceed2e0cf44e393
SHA3-384 hash: 3ddb492b03c1a4df572510d953e21ad3e01a0927fd667c18d98cdf059deb47926a255b0a9957ea158bbb53ba4c9d2063
SHA1 hash: bad13a8207e39c16b871e42cac6c5bddf337c8aa
MD5 hash: 88c5eebd8c71084db4e73d2a698a3d83
humanhash: football-jersey-undress-comet
File name: k.php
Download: download sample
File size: 19'499 bytes
First seen: 2026-03-25 22:55:44 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 384:1FcuQpWx+BL0SWL0grzsO9a4cbddrME8jyfzsO9a4cbddrME8jy4:1F8i+BL0SI0AzsP4cbddr7zsP4cbddrk
TLSH: T1CE925DB512896C79FBD1CE39AF3C6F4CADE8C2C42124A3ACBA4F39215A1166DC705359
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 57
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Status: terminated
Behavior Graph (process tree rebuilt from the sandbox graph dump; the label on each edge is the syscall that started the child, and repeated invocations of the same binary are listed on one line with all their PIDs):

pid 3519 /usr/bin/sudo
  execve -> pid 3521 /tmp/sample.bin
    clone  -> pid 3522, 3523 /usr/bin/bash
    execve -> pid 3524, 3527, 3529, 3531, 3533, 3535, 3537 /usr/bin/mkdir (7 invocations)
    execve -> pid 3539, 3542, 3545, 3547, 3550, 3552, 3554, 3557, 3559, 3562, 3564, 3567, 3569, 3571, 3573 /usr/bin/cp (15 invocations)
    execve -> pid 3578 /usr/bin/touch
    clone  -> pid 3580, 3581, 3582 /usr/bin/bash
    execve -> pid 3583 /usr/bin/base64 (write-file)
    execve -> pid 3585 /usr/bin/bash
      clone  -> pid 3587, 3588 /usr/bin/bash
      execve -> pid 3590 /usr/bin/ls
      execve -> pid 3593 /usr/bin/cat
      execve -> pid 3595 /usr/bin/ls
      execve -> pid 3596 /usr/bin/mkdir
      execve -> pid 3599 /usr/bin/mv
      clone  -> pid 3601 /usr/bin/bash
      execve -> pid 3602 /usr/bin/base64 (write-file)
      execve -> pid 3604 /usr/bin/rm (delete-file)
      execve -> pid 3606 /usr/bin/ls
      clone  -> pid 3608 /usr/bin/bash
      execve -> pid 3609 /usr/bin/base64 (write-file)
      execve -> pid 3611 /usr/bin/ls
      execve -> pid 3613 /usr/bin/cat
      execve -> pid 3615 /usr/bin/ls
    execve -> pid 3617 /usr/bin/rm (delete-file)
    clone  -> pid 3619, 3621 /usr/bin/bash
    execve -> pid 3623 /usr/bin/bash
    execve -> pid 3625 /usr/bin/rm
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-03-25 22:56:32 UTC
File Type: Text (Shell)
AV detection: 14 of 24 (58.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 4/10
Tags: defense_evasion discovery linux
Behaviour:
- Reads runtime system information
- Writes file to tmp directory
- Deobfuscate/Decode Files or Information
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_LNX_Base64_Exec_Apr24
Author: Christian Burkard
Description: Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  sh bd245b4fe3aaf778d0a018bd144ecb2dabc55fbbdd61ff2f0ceed2e0cf44e393 (this sample)

Delivery method: Distributed via web download

Comments