MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 687c9846d337edeb2c68957dccd59137251a7adb8b2f68c46fc50c16cf33dcf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	687c9846d337edeb2c68957dccd59137251a7adb8b2f68c46fc50c16cf33dcf8
SHA3-384 hash:	5bca06513691864343b0d8c271aaa61feca37d90879bac591e63c811a5c0081cec965c5be111feeb395b6cf1f33269d9
SHA1 hash:	61291b8ef3f07601abbd6a1962dd5df17bb65890
MD5 hash:	a970b7993c42a8372cfe4f2fca711968
humanhash:	cola-beer-music-item
File name:	cat.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'734 bytes
First seen:	2026-04-14 00:39:46 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:W2MC80saW6sNlKXc+Qg9k/kvfkVkq7kVXRkV3DlVkaStIrK40hqCGY26:W2MC80FW6sNlKXcLg9mc8fcXRc3DPka6
TLSH	T1B471FB852350CB326C6AE9977475534832A1A2C999EBFFE0FFFE7450A48CD50F4486A3
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://194.163.140.58:1212/zyre.apk	12b165ab7840411c1457634b4a73d4c3123de09773b9cae85b9766dc8a1a84b7	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.arm4	f1b7491c865a930e1cc298bf870438789351f74d0f11c6b2cc32063d7f75b00b	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.arm5	57d634c5b4af44ef175b07327b2d3a35343245132213e23ce30cfa9399766976	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.arm6	68f3603f86dd18028d145a5f615b33fb210c175a4b3bcd5b124679839cede0b6	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.arm7	adb0466e3a15e6ef451d468e43970e832f5791c6bacf4c04124dbe7733139218	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.dbg	d6f9855920fbb203bb5afed6d5ae80f86dd1b56b10d7fab4e51ee98c2fb5d72d	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.i486	34ca536b0a1bcb24e70a5a9d50fd9181a4e65915d10e79aa93f0d2cb71736e36	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.i686	6876214d47847c9d09fcc84cca8dc2202f79187a77d3fa05bffcfef93ebe95f1	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.m68k	b899a1db33e65dd29c0d2cffc7749a2f6bc7b81b47f3a623686d6da74e946152	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.mips	fbe8f279e4aebc772e4e6c57d13869bcd09aedb0e3dc5f723b5809888195afb3	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.mpsl	e2f85b84d420f49fce2ef958987e07cf44f32b295ee41640e3cd54226b5aab6e	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.ppc	bf101f897477443d080335427b93edf0261d810895deab6b0072fb2659219be2	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.ppc440	97b6f1f8382ea9b6fbaee404d991e3f71bb141f1e5c6f0f5c3bf5d8e42e0689e	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.sh4	8c5f89c6d0af5a2fea9d123f13915c8a4abf8c1da2d0a0044c359daa3cd17207	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.spc	f88206a54e9b76e9d713971aa5a1f531a60b622cd29e9de7a5473d60f02efd5a	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.x64	01b6d8294a47ba078ffd0e06b520879ea993d2417c6f2210862d1751714a5028	Mirai	elf mirai ua-wget
http://194.163.140.58:1212/zyre.x86	4829512beb5625824506c5117de05916883ffa24532120e7605fce73bf88e90a	Mirai	elf mirai ua-wget x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Gathering data

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-04-13T21:48:00Z UTC

Last seen:

2026-04-13T22:02:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p

Link:

https://opentip.kaspersky.com/687c9846d337edeb2c68957dccd59137251a7adb8b2f68c46fc50c16cf33dcf8/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/687c9846d337edeb2c68957dccd59137251a7adb8b2f68c46fc50c16cf33dcf8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/687c9846d337edeb2c68957dccd59137251a7adb8b2f68c46fc50c16cf33dcf8/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/687c9846d337edeb2c68957dccd59137251a7adb8b2f68c46fc50c16cf33dcf8

Threat name:

Linux.Trojan.Vigorf

Status:

Malicious

First seen:

2026-04-14 00:40:51 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nb6jqrwtg7w6wldisv64zvmrg4sru6w3rmxwrrdpyugbntzt3t4a._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux

Link:

https://tria.ge/reports/260414-a1jxeads3t/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/687c9846d337/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/687c9846d337edeb2c68957dccd59137251a7adb8b2f68c46fc50c16cf33dcf8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh