MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05b42d715d54d8323e5880d2e8081ad1fbe2a1ecbdb6f125cfcca011a042079e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	05b42d715d54d8323e5880d2e8081ad1fbe2a1ecbdb6f125cfcca011a042079e
SHA3-384 hash:	111da7d77c2ce6cc33ebb56db6e93631d4eaa40cabb88a0870d0ab8272556d86804cac4f623f25b67a6eac63b8c9faf6
SHA1 hash:	097b0b61638fdbdfa8f8e21e72dd00737b5209e4
MD5 hash:	71075cdbcc330b42f0ae68be6ff44ea3
humanhash:	autumn-carbon-minnesota-sixteen
File name:	cat.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'901 bytes
First seen:	2026-03-25 21:34:21 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:3Ddc21aa/BM/h9C1bua2wo6fQo7+gKXJB4DH9:G21a9No7+I
TLSH	T14641088E70B42B418D9CCE0071E149CA7707A5A3A6A787F3E94D0EF68899D4A741DA37
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.249.228.212/iran.x86_64	n/a	n/a	n/a
http://94.249.228.212/iran.aarch64	n/a	n/a	n/a
http://94.249.228.212/iran.m68k	n/a	n/a	n/a
http://94.249.228.212/iran.mips	n/a	n/a	n/a
http://94.249.228.212/iran.mipsel	b59627803c1e36b3dce1b27831f01e70ad9c0a754dd02200ec58f9c271574430	Mirai	elf mirai ua-wget
http://94.249.228.212/iran.powerpc	efa1a2bfb85f8d16c46e879bad1c786c26df58377f346bba92b515e07abf4189	Mirai	elf mirai ua-wget
http://94.249.228.212/iran.sparc	d739cf94dce3ff153cc22a4b8af4c4fe4fc82cb3ca132f23faa77c9beffa7306	Mirai	elf mirai ua-wget
http://94.249.228.212/iran.sh4	dfd4e8bf4ee5b630791cd1f0bbfffdd2146bde0c28fdd241fc818b7fbc1e9e8a	Mirai	elf mirai ua-wget
http://94.249.228.212/iran.arc	62ea0dff63ad36645cff88b905c3fb0096c92db4bf571ddc312b20142cc0c03f	Mirai	elf mirai ua-wget
http://94.249.228.212/iran.i486	501a02eba46a0e103b38964a2e6a9bc1b0a8f53824544f84e8a12b41d562c313	Mirai	elf mirai ua-wget
http://94.249.228.212/iran.armv4l	42258aad7bdd5e063523159905dbf35a87b4a9e13a091d9d9e17f030dfe9af6a	Mirai	elf mirai ua-wget
http://94.249.228.212/iran.armv5l	98bc000407544dd8e14d30a3c90ae5422076bdcbd0afb6976729a2c4ccb3c54b	Mirai	elf mirai ua-wget
http://94.249.228.212/iran.armv6l	0a05916360192b441abe9eb1aa42f3b12c963d22a92893aa62a07afce26dbc27	Mirai	elf mirai ua-wget
http://94.249.228.212/iran.armv7l	8d13aea9c3759414f1888998dd75f3f52d027587cf010f9570adccce8b96301b	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

mirai

Link:

https://www.filescan.io/uploads/69c4551e2346b9da57a6c5fa/reports/c15233ff-7f6b-4471-bbe4-cf8e54003bf5/overview

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/05b42d715d54d8323e5880d2e8081ad1fbe2a1ecbdb6f125cfcca011a042079e/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/7a4c98c5-197d-4315-bdd1-026a7fd887ae

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/05b42d715d54d8323e5880d2e8081ad1fbe2a1ecbdb6f125cfcca011a042079e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/05b42d715d54d8323e5880d2e8081ad1fbe2a1ecbdb6f125cfcca011a042079e/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/05b42d715d54d8323e5880d2e8081ad1fbe2a1ecbdb6f125cfcca011a042079e

Threat name:

Script.Downloader.Iranbot

Status:

Malicious

First seen:

2026-03-25 21:35:39 UTC

File Type:

Text (Shell)

AV detection:

11 of 36 (30.56%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aw2c24k5ktmdepsyqdjoqca22h56fipmxw3pcjopzsqbdicca6pa._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260325-1fjzsaby3n/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

UPX packed file

Enumerates running processes

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/05b42d715d54d8323e5880d2e8081ad1fbe2a1ecbdb6f125cfcca011a042079e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh