MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 857a7bd53687d574906c513adbcff9fecb1269a69756446327e6cee07980e817. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	857a7bd53687d574906c513adbcff9fecb1269a69756446327e6cee07980e817
SHA3-384 hash:	2c3a85263c3033bd02abac7b646d6093b6e8cbec21ff0fb60669bb4f88a30b61baab989e6b3a0445ddcb2f15999013c3
SHA1 hash:	04f894cbfbca34e8bf5db8506dd8d5ac9bf5267d
MD5 hash:	2b1931ca78a0c1832deb0d154fbd17a1
humanhash:	failed-mars-virginia-utah
File name:	cat.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'901 bytes
First seen:	2026-02-25 06:20:23 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:U/+/C/s/S/b/3e/k/w1Z/b/gl/3/HO/4/6/U/S///m/Q/So7k/N/Pe/m/e/H/a/C:U/+/C/s/S/b/3e/k/w1Z/b/gl/3/u/4S
TLSH	T1D44173BE70F04841A98CDE1170E18DCA6329B5E167F0EE7ADD722EE36499D44740DE39
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://134.199.219.57/iran.x86_64	2b40237fa268dd81ec44e10f185d10da344d116dd8e566dbb18ec61a15590609	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.aarch64	a4f7b8c997d248e9c5dd3eeebca12c564ac98d6240e3b115e51f6c0f4693aa5d	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.m68k	9fc56422a874797270f38452ad65be9a9e5626aa8ea3ab0daa0ba52daec931ed	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.mips	40e8cff1533cadd997f406fae014328c48b30b46f4d3f56166605daed077ae28	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.mipsel	333cb5f771c828d85004e9842dbd1c01edd7b7295e2d0c1fb8d32b112a2be9e6	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.powerpc	5b3dce5e66f16d232532c34188f6cebebc0fc5b987bb1d2a426d92d148a706f1	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.sparc	22ffc6049a2dcf9ea8aef5bb95367f820cce4b220fdfff739010456ab278134e	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.sh4	ebd0f4b199ef35e23850d170d92436058e7beb3fd4a37291e0c4304dcd96564d	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.arc	1fa43c3b5fcf1f01c4a9d961fa7c97b53103ea65bf27e4815e55d4ec4f5be497	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.i486	b683f75b4d148ee87892db75e268901702d9c126548aac22654ee8b061eea6ce	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.armv4l	90b66cc73c8b1746d91b9e5247e6827499c9d99a94912d29a0f437c6a8ab5507	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.armv5l	e62fb431f629a2237769068064f7d01c932a3b467581b2dc99ac807f3542f999	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.armv6l	6ddafb2228db6334f44afd23775fec15477d7bf128986d7ba1214dd2999c9f78	Mirai	elf mirai ua-wget
http://134.199.219.57/iran.armv7l	57a20a038a9dffe4a120cfb2c7bbc871d241c7121752208d9f07d889742d6bcc	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

mirai

Link:

https://www.filescan.io/uploads/699e94ad91ad9169e533e3a1/reports/35986d4a-3f3c-4923-9949-880d48a530c1/overview

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/857a7bd53687d574906c513adbcff9fecb1269a69756446327e6cee07980e817/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/7ff421ac-7db0-40f3-93dc-bd8b2542f040

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/857a7bd53687d574906c513adbcff9fecb1269a69756446327e6cee07980e817

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/857a7bd53687d574906c513adbcff9fecb1269a69756446327e6cee07980e817/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/857a7bd53687d574906c513adbcff9fecb1269a69756446327e6cee07980e817

Threat name:

Script.Trojan.Multiverze

Status:

Malicious

First seen:

2026-02-25 06:21:36 UTC

File Type:

Text (Shell)

AV detection:

16 of 38 (42.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qv5hxvjwq7kxjedmke5nxt7z73fre2ngs5leiyzh43hoa6ma5alq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260225-g3yxnses3a/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

UPX packed file

Enumerates running processes

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.37

Link:

https://yomi.yoroi.company/submissions/857a7bd53687d574906c513adbcff9fecb1269a69756446327e6cee07980e817

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh