MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fbc9d3b461fd05685a0e760d3f6e7f4e06647bfadea71302be7277d35fcea91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	1fbc9d3b461fd05685a0e760d3f6e7f4e06647bfadea71302be7277d35fcea91
SHA3-384 hash:	80f3e4e94525aa899dc9ff094ff6f49cd19cd6e7be26c11be13beb3c5abb296a769c795177e3f0f750ebb3d19b4d8fdc
SHA1 hash:	b8be68b2a3a1007fe742556fa2f2168f4ded085e
MD5 hash:	926e6a3293a8a382b0407edfeb791982
humanhash:	ten-mountain-leopard-ceiling
File name:	cat.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'433 bytes
First seen:	2026-01-18 18:14:53 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:82a3PBy/1U1nNOhNJWsNM9ohtch10+RsZFSd:Dapy+1nE7Gitch10++a
TLSH	T15321B6EED1B51BD545098F66FE715B785A2A87C320DB0A44D9C8AC3DC0B9D853630A1D
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://208.84.101.162/x86_64	d9eddbbc1e56a52d4419e98cfcc208f6091f77c14b038c467fa89026021e9cd8	Mirai	elf mirai ua-wget
http://208.84.101.162/aarch64	d010b47f44bb079dfa4b5aa5a030c08e017a8a53a23aad58421192a9afbea6da	Mirai	elf mirai ua-wget
http://208.84.101.162/armhf	50934bea88366c111ff1cc62337ac849460d29497bb9d11ceb6bc1b4921ec885	Mirai	elf mirai ua-wget
http://208.84.101.162/arm	b29a3acbcf0bf44e5a281ebb00076734f7411d3ac3739fcb8f8af7d53940e2d0	Mirai	elf mirai ua-wget
http://208.84.101.162/i686	259910bc66ad7527820f8b2c2647266732af4235c99a22d997bffa2ad00b9e87	Mirai	elf mirai ua-wget
http://208.84.101.162/m68k	0935c58a45487fdb52516c3c4af92090bdaa982129716f60be3aef1659f41373	Mirai	elf mirai ua-wget
http://208.84.101.162/mips	e54e863418e25c7aca34c8f2dbfee4b90b71a1e6b6465d3235e6737d89a7e3d4	Mirai	elf mirai ua-wget
http://208.84.101.162/mipsel	7dd2a61406fa696c7fa34f7df6349f0adad8135442ec776f5a89760c683bcc8d	Mirai	elf geofenced mips mirai ua-wget USA
http://208.84.101.162/powerpc64	6d078105d9e6dba8e5811ae30e15b2b9990ae9013e583f661ce6cab3f81517c4	Mirai	elf mirai ua-wget
http://208.84.101.162/sparc	79ca3d40c53be071bf3e5764e934b32a907094742ac8cc885e34ab33fd999523	Mirai	elf mirai ua-wget
http://208.84.101.162/sh4	d93bda010dfaaf2c41a842b3283d7dcfccf7d7d15c22b723b2594395da7004cf	Mirai	elf mirai ua-wget
http://208.84.101.162/arc	n/a	n/a	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/696d2351584f1963ad5a3582/reports/3d7a09aa-933c-459f-bc3f-eff72a18bf8d/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-18T15:19:00Z UTC

Last seen:

2026-01-19T12:53:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.cx HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/1fbc9d3b461fd05685a0e760d3f6e7f4e06647bfadea71302be7277d35fcea91/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/1fa76edf-63c1-4635-8da8-7c277522c631

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/1fbc9d3b461fd05685a0e760d3f6e7f4e06647bfadea71302be7277d35fcea91

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1fbc9d3b461fd05685a0e760d3f6e7f4e06647bfadea71302be7277d35fcea91/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/1fbc9d3b461fd05685a0e760d3f6e7f4e06647bfadea71302be7277d35fcea91

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2026-01-18 18:07:47 UTC

File Type:

Text (Shell)

AV detection:

14 of 37 (37.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d66j2o2gd7ifnbna45qnh5xh6tqgmr57vxvhcmbl44tx2np45kiq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux

Link:

https://tria.ge/reports/260118-wv93ascv6d/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh