MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03bf8b6610e81d015f5e0e6023281b232b8d32e8510cef333f9f9eb8af1b4bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	03bf8b6610e81d015f5e0e6023281b232b8d32e8510cef333f9f9eb8af1b4bde
SHA3-384 hash:	b3d4c5630fb20dbdafb56feae37f45139fdd465696396c94914e745bc33adc569a759aaff3d6ec6a0ea7bbfff75e462c
SHA1 hash:	2c260624e6ed3233a43a3b65e6171878087f1fbb
MD5 hash:	fb069c04329d34c178e9b286ef844732
humanhash:	quebec-helium-yellow-oregon
File name:	cat.sh
Download:	download sample
File size:	1'433 bytes
First seen:	2026-02-17 17:12:59 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:TAl2atCr2Qdgyufm1B4ZNO47ONnfWkMznYFf410+3EC404KtSdSd:TA8atcfdgzfmf4ZE47an+FznYFf410+3
TLSH	T14421F4EE589588F2010DCE6AFA71D75850CC8BEFB85B2F42D9D8ACF19E91D05B034B15
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

bash lolbin

Link:

https://www.filescan.io/uploads/6994a1b12ffccda097719e16/reports/ddaec62c-db58-40e3-a11b-7da63acb11ea/overview

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.cx

Link:

https://opentip.kaspersky.com/03bf8b6610e81d015f5e0e6023281b232b8d32e8510cef333f9f9eb8af1b4bde/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/c9f48506-d557-4389-9ed3-c22d409eaf1b

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/03bf8b6610e81d015f5e0e6023281b232b8d32e8510cef333f9f9eb8af1b4bde

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/03bf8b6610e81d015f5e0e6023281b232b8d32e8510cef333f9f9eb8af1b4bde/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/03bf8b6610e81d015f5e0e6023281b232b8d32e8510cef333f9f9eb8af1b4bde

Threat name:

Script-Shell.Downloader.Heuristic

Status:

Malicious

First seen:

2026-02-17 17:04:19 UTC

File Type:

Text (Shell)

AV detection:

9 of 36 (25.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ao7ywzqq5aoqcx26bzqcgka3emvy2mxikego6mz7t6plrly3jppa._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux

Link:

https://tria.ge/reports/260217-vrml6aft5b/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/03bf8b6610e81d015f5e0e6023281b232b8d32e8510cef333f9f9eb8af1b4bde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh