MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49c9a1b4a3f7f5b5badaccf2e837e90c9067b207a5d5ff941f1383a2ee70ccdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	49c9a1b4a3f7f5b5badaccf2e837e90c9067b207a5d5ff941f1383a2ee70ccdf
SHA3-384 hash:	52712132a9ba2b03b5587cb631e76e762e26dfb36412e6066fba23642c91a2278fd0050c5a00b82c1c6bf05a510f9b95
SHA1 hash:	c21182c2c66d51ad0e59d5ba159b35c186293027
MD5 hash:	fc453bc95d34da863f4c3d1cbec45df7
humanhash:	maine-indigo-happy-nuts
File name:	cat.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'887 bytes
First seen:	2026-02-22 08:50:23 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:fzDdl3Cw14HCnvBM/hb1m1bEZ1O2wOxx6fnZOo7PCgK+CZJwCR42C5HZ:ff3Cw14HCSBVZXMZOo7PCyCMCfCb
TLSH	T114417F8EB17082C1868CCF4B71F449C67705A693F1F46A72ECC12D7A8899E48356DEB7
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://140.233.190.82/iran.x86_64	336826db561250198b6bf289998ac94c504929984f5f2b80406307dd240d2a08	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.aarch64	e35d6edd468c3b13c909bd91c7bac21491acfea4e9a43387770b5b82f06280f1	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.m68k	5efc9e0edb71af4a3c4590a998ee393ccf1692fdbfeeb9ecb6eff6300f26b3b9	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.mips	5eb4a749b0390cd3afb22f5d4ac9f9776a70037fe2bb4ce2ac2fe158fabf6015	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.mipsel	504b10cb02d1ca93f1ed87aa310f23aa6947a1912c746db53a5287a41b745ab5	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.powerpc	ed2a969282cd755d934c153096c680a4270633e4a92a39703c086ecd9e910fb8	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.sparc	1c3f751ebcc3b3120ed9bfe25055f3c4783d5201528d6a977e921413ab8d564e	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.sh4	5ec789decb23daf80798176bbae0ab69298127e8ff1977bb9c50c012e7e1de7d	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.arc	b6a9fd633492c3d43a91c1516e7e2f84e272c38b73355c886fba15ece5e65d9d	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.i486	21d8b4b092cef625032a9fdc22317954a1641f348fdf0c7da90416ca7a459b35	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.armv4l	b2c1ec5f468e7b2c6938fc46746d85c0adf717fa510fa4ba05a7c058de9cfa42	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.armv5l	af00e8b3f24ba4d386ab459e94bbe906043e4cd4efc3f5e8c2f8a89016a89039	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.armv6l	c8434d4800bf13bb1c4779ccfc1cf7d2df0ffa705d2d28c01d4bd69f8877f5ed	Mirai	censys elf mirai ua-wget
http://140.233.190.82/iran.armv7l	210fef0b7498cf8883987ed45e45b7cc2b679ea556da2e632df82c77cbfb1012	Mirai	censys elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

bash lolbin mirai

Link:

https://www.filescan.io/uploads/699ac38097feb4afd6519dc6/reports/52353ecd-500a-4d84-8213-4f134da4e986/overview

Result

Gathering data

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/a74d2e1c-1093-43aa-be0a-03a74847002b

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/49c9a1b4a3f7f5b5badaccf2e837e90c9067b207a5d5ff941f1383a2ee70ccdf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49c9a1b4a3f7f5b5badaccf2e837e90c9067b207a5d5ff941f1383a2ee70ccdf/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/49c9a1b4a3f7f5b5badaccf2e837e90c9067b207a5d5ff941f1383a2ee70ccdf

Threat name:

Script-Shell.Downloader.Heuristic

Status:

Malicious

First seen:

2026-02-22 08:51:13 UTC

File Type:

Text (Shell)

AV detection:

10 of 36 (27.78%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jhe2dnfd6723low2ztzoqn7jbsigpmqhuxk77fa7cob2f3tqztpq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux

Link:

https://tria.ge/reports/260222-kr61padz5f/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Enumerates running processes

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/49c9a1b4a3f7f5b5badaccf2e837e90c9067b207a5d5ff941f1383a2ee70ccdf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh