MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93e71b122a432c2b7acf6a5db6ee3e42e792ef240acee466c4310b052e2416db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	93e71b122a432c2b7acf6a5db6ee3e42e792ef240acee466c4310b052e2416db
SHA3-384 hash:	a5370e51ac46283cd6497acfbe9dc7862bd0a6a66d7713b4a9233ba2a52a93cdaea6a37cb976ad3bb6d54fc10bf51827
SHA1 hash:	67d3521e93081f62d8827392cf946bfcbadda041
MD5 hash:	d7b744ff3009216a5453685a23d292e5
humanhash:	beer-oranges-wisconsin-eighteen
File name:	re.sh
Download:	download sample
File size:	2'321 bytes
First seen:	2026-06-09 02:32:22 UTC
Last seen:	2026-06-09 17:53:34 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:WZExgiRiKbWIo7lSOYFYQjpoJQQEPpmEcDRw+ETL:74KbWIW0HZ
TLSH	T1C441419BE1F4C2A1CC734D00B0515AD461EB979A1FB81766D6DC286EA0CFEC07C0DA2D
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://83.168.110.191/updaterros.x86_64	f193db11dceb855f8b50a6dc966164199282a0a9eff24fa1d859913370205443	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.aarch64	21e99667e2f0e73d12aae89f8cabd338426ab1fe4ce828ec93c07de615ef754c	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.m68k	6aa904125beb01924243b0dd04e0988b16b8bccd5479224f8bbcd762814b303e	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.mips	3910f46fe809d723d169b5723e0724dba7aed441a065b53b98e2f1b0a9736569	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.mipsel	cc653189103bd14e46958bae5f37f94852b7d54ced5662bf7858801c138645a8	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.powerpc	122d401e549ed15c3a1da53b6f042852f03fab7af4b7fba71d8a58311ec404f3	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.sparc	95077aa12ee9e710746f896a03728e2bbd0199eb24d228ffc9254f8721e0684b	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.sh4	3da4118754c0efb0d55883df372d0a2281a9cbb86dafe3cbdacfe60f2b0d6d16	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.arc	eda32690d58912c7af348e5bb86b5c512a92df36c6a25940462c51aef165d8e4	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.i486	a07d9f4ec6ec082b328409b6e9b881d4d2f01ccfb9635e0013daf9eac495c16a	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.armv4l	n/a	n/a	elf ua-wget
http://83.168.110.191/updaterros.armv5l	db438a070bf17891aae00a7fc9ce6abe7d799dbbf8320de74e0ba807ed54db24	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.armv6l	a74490f7f69e7eb40e827f00ffcd1194861fde9bf94521ec004fd81e66d92779	Mirai	elf mirai ua-wget
http://83.168.110.191/updaterros.armv7l	d3b35febaaa3842282e923a8bb9dc954ca172cf0f8ffd9a6b85761175913d6ec	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6a277b411f652d6865712af7/reports/cf12b5b8-f17d-43ea-bdbf-f782a299c01b/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-06-08T23:38:00Z UTC

Last seen:

2026-06-11T00:22:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/93e71b122a432c2b7acf6a5db6ee3e42e792ef240acee466c4310b052e2416db/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/cdcbce36-86b3-404e-9ccb-ff80d76208fc

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/93e71b122a432c2b7acf6a5db6ee3e42e792ef240acee466c4310b052e2416db

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/93e71b122a432c2b7acf6a5db6ee3e42e792ef240acee466c4310b052e2416db/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/93e71b122a432c2b7acf6a5db6ee3e42e792ef240acee466c4310b052e2416db

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2026-06-09 02:33:35 UTC

File Type:

Text (Shell)

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sptrwerkimwcw6wpnjo3n3r6iltzf3zeblhoizwegefqklrec3nq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260609-c1jmrabs6p/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

UPX packed file

Enumerates running processes

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/93e71b122a432c2b7acf6a5db6ee3e42e792ef240acee466c4310b052e2416db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh