MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cd465ecc8e6022579105e247cef98e5fcc418b84eb5857a642bb179f74ae356. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	4cd465ecc8e6022579105e247cef98e5fcc418b84eb5857a642bb179f74ae356
SHA3-384 hash:	5455fcdc2550bda15046380fa8f6859cfdc531fbdf23aa5ac0dc7aa11b397ec7d69ae179cdbc188871f288f82d9c4cd4
SHA1 hash:	1caeddd6847e52c6b45fa0f6e1b642f6112db436
MD5 hash:	321109554233cc67a316b812131e1bc3
humanhash:	blue-yellow-nineteen-mobile
File name:	cat.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'901 bytes
First seen:	2026-04-27 13:30:21 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:spKpGpkpWpLp3qp8pw1lpLpg5pvpHapop+pspWp3pSpApSo78phpPqpSpqp/pep8:KoUikt3Iaw1Htg7RYmMKk5weSfDgwIhN
TLSH	T12641FFCE60F46043E6DCDE0470F58DCB6706959163DF2A7AED812E67C4C9D54702AB3A
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.139.177/iran.x86_64	3164f6882b65bbf58d08919d3ea1b69f00e2757e6e4a8b76e8af1a057ae707cd	Mirai	64-bit elf mirai x86-64
http://176.65.139.177/iran.aarch64	9c766990cdd7d73c4a1d8c00e281a05a194f7a3f3ae58629beba202e847696a2	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.m68k	c06a2446a9d8680f7ecd2e453daa5472af2dd9a93579b793241de3f861fa7d0b	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.mips	961082df4ef13fd7cc589ffc7091d2764ca6f5f6f2af0416f4c76b2de1a781ed	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.mipsel	919b062d23bcfa0968319f56967965ffe8ecdbbc3ced30521d7448fa6433d7d4	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.powerpc	e76c1268558776e81ddaad587a8aeef906bd4c67ec133ab8532bc3757d974722	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.sparc	ad358a598bc9c8b45b0009e78f4f535614227c617f3aef8b0b7c5bcec5d5229a	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.sh4	18ff201b2a1eddf913af74a02ac80eb3d17f7a759c23a101c11c2027dc29c58d	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.arc	d68e81c8ecf018e3202812329344122ebfe5f41782243ae4b7231fbbce92059b	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.i486	4dfc4b56da42b47dafaefd6e3c15272cf64918d6ee666957f126cb652e7b2312	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.armv4l	c36d042bd9352b86858d03984e2a3f7000e31cf3308a50e7dadb3b8011c00f3c	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.armv5l	378cc36e46b6aa98c6ff65e2de5cc64b03ec1af15aac3ce61faa86ef425b986a	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.armv6l	46f5bb5a40a2e136b6b111b650795d3560f0ff670717da1103d71f0be73e9a49	Mirai	elf mirai ua-wget
http://176.65.139.177/iran.armv7l	7c74da0acdc43b599890548f5c3849eb96b4df63cf8ce8de6ddccaa300a682b3	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

mirai

Link:

https://www.filescan.io/uploads/69ef65068a82359247b5475d/reports/001e0df0-13d3-4516-9d6c-ba84cfb44c9f/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-04-26T22:28:00Z UTC

Last seen:

2026-04-27T12:58:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/4cd465ecc8e6022579105e247cef98e5fcc418b84eb5857a642bb179f74ae356/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/44624498-f0cd-403f-88a5-c2483e75a664

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/4cd465ecc8e6022579105e247cef98e5fcc418b84eb5857a642bb179f74ae356

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4cd465ecc8e6022579105e247cef98e5fcc418b84eb5857a642bb179f74ae356/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/4cd465ecc8e6022579105e247cef98e5fcc418b84eb5857a642bb179f74ae356

Threat name:

Script.Downloader.Iranbot

Status:

Malicious

First seen:

2026-04-27 02:28:27 UTC

File Type:

Text (Shell)

AV detection:

14 of 36 (38.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jtkgl3gi4ybck6iqlyshz34y4x6migfyj22yk6tefoyxt52k4nla._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260427-qr76msft8l/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

UPX packed file

Enumerates running processes

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/4cd465ecc8e6022579105e247cef98e5fcc418b84eb5857a642bb179f74ae356

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh