MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 473961d2cdfd1285563626458ba7bd8aeb2285e32351f5c63c5ad2914698527e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	473961d2cdfd1285563626458ba7bd8aeb2285e32351f5c63c5ad2914698527e
SHA3-384 hash:	119bdc0d1586879a3622c2592103bebbb4b1ec0c3f5f849e57c550ab7df8cc46a0156ce0c0ad3c1ee9d66ff24680a1ad
SHA1 hash:	f7e4f3ca467e3b7333e3b83633635feb32ccf2b5
MD5 hash:	45a160258e51e30c74ec313f452dbe89
humanhash:	jig-blue-video-sweet
File name:	cat.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'901 bytes
First seen:	2026-06-04 16:21:11 UTC
Last seen:	2026-06-04 19:24:54 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:sJrJzIOq/H1lQp5OwaBbp7+fD9o78igqxv4DPy:4e1OrU
TLSH	T1F141EECE60F4A143CAEEEE0070E58DC86316B59271DE2B3AEDC12E67C4C9D547129B36
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	BlinkzSec

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.139.121/iran.x86_64	fdb23bb9b3ae0a735a7d266aad0270c4d15e6eedf2b55e2191a2827adb42bf6e	Mirai	176-65-139-121 elf mirai ua-wget
http://176.65.139.121/iran.aarch64	70a2c694f99f71b9f50687160576df946aa0913e690ee7ab7c782e639ab57252	Mirai	176-65-139-121 elf mirai ua-wget
http://176.65.139.121/iran.m68k	89ae81fd7960d65e1af50b4c0f67165844fbc3d482096d2d01c8ba05a2a0602d	Mirai	176-65-139-121 elf mirai ua-wget
http://176.65.139.121/iran.mips	4112cdba058d75bde177300a5f2b39cda82064ffe3321f01052eaa91437671d6	Mirai	176-65-139-121 elf mirai ua-wget
http://176.65.139.121/iran.mipsel	n/a	n/a	176-65-139-121 elf ua-wget
http://176.65.139.121/iran.powerpc	n/a	n/a	176-65-139-121 elf ua-wget
http://176.65.139.121/iran.sparc	ed7d5573aa0ace39b03111f592c40c347ba755f2c78f2e1c59afe0bdc5fb2fec	Mirai	176-65-139-121 elf ua-wget
http://176.65.139.121/iran.sh4	7420c8efb8f5506d6537b529b0a8258148a944e51e18a6308a02e8c97c6e0e90	Mirai	176-65-139-121 elf mirai ua-wget
http://176.65.139.121/iran.arc	643961437fea0c9ffa8a92c11ef4ea86368941d2a900032a62c9648e188c5ba5	Mirai	176-65-139-121 elf mirai ua-wget
http://176.65.139.121/iran.i486	cd011ab180e993cd2561ec94cb3974c13c0f088ba1f0974c6f5c1921aa733e65	Mirai	176-65-139-121 elf mirai ua-wget
http://176.65.139.121/iran.armv4l	be0dcb5bac5a78f56d5db1dc395d5b2668bbeb351a328e93ff3685a353887a4f	Mirai	176-65-139-121 elf mirai ua-wget
http://176.65.139.121/iran.armv5l	ff821dfed03f88a2a57934f3b9dbaca04b7a03ccb732542e5f6fa8bac25c5a12	Mirai	176-65-139-121 elf mirai ua-wget
http://176.65.139.121/iran.armv6l	e491eededd994278e57901d82b0a110ad90c4f55cf87e1536312d8f413e24ba1	Mirai	176-65-139-121 elf mirai ua-wget
http://176.65.139.121/iran.armv7l	9962949f5efc98de597354485cbbf487516cbd50379f0d0393ff341e61188f82	Mirai	176-65-139-121 elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-06-03T21:02:00Z UTC

Last seen:

2026-06-06T01:24:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/473961d2cdfd1285563626458ba7bd8aeb2285e32351f5c63c5ad2914698527e/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/a44fde63-2c23-4ae3-ba54-ba8728df27c0

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/473961d2cdfd1285563626458ba7bd8aeb2285e32351f5c63c5ad2914698527e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/473961d2cdfd1285563626458ba7bd8aeb2285e32351f5c63c5ad2914698527e/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/473961d2cdfd1285563626458ba7bd8aeb2285e32351f5c63c5ad2914698527e

Threat name:

Script.Downloader.Iranbot

Status:

Malicious

First seen:

2026-06-04 00:46:32 UTC

File Type:

Text (Shell)

AV detection:

10 of 23 (43.48%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i44wduwn7ujikvrwezcyxj55rlvsfbpdeni7lrr4lljjcruykj7a._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260604-tttb2sbv2r/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

UPX packed file

Enumerates running processes

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/473961d2cdfd1285563626458ba7bd8aeb2285e32351f5c63c5ad2914698527e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh