MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9401c933c9f2d1b2100fbe39d46723492c174ecebfa82be8c73f9b4dd9471339. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	9401c933c9f2d1b2100fbe39d46723492c174ecebfa82be8c73f9b4dd9471339
SHA3-384 hash:	52d33f3cfedaa263f859ce265a52157638d2d245bb014346ee40daac984a3f3037ce53977c4c18a796df833d4fa2695b
SHA1 hash:	3f1df062495d5b8c1d1794c6ba25815422cc82a2
MD5 hash:	ae2603ba9a74e6a2f517e42c5fdfda69
humanhash:	earth-failed-kansas-nevada
File name:	cat.sh
Download:	download sample
File size:	1'732 bytes
First seen:	2026-01-31 23:32:00 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:nDdCfDiSXdXVOJXZO8dCZDadmgydXe3gdYAWRdeGRdeHpWt6dR0zR0jJdRoBRIAh:nDoBSVUaUVIgJ6dRu3IY3QIA3ES3kGJT
TLSH	T1663194EE70414B622A8D8F40B3B29148F88189D5E6F56F74ADD504E68FD7704379C6B4
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://130.12.180.20:36695/x86_64	b6db8bb39c7305a6a0a1024ab9b51e7d7b4c016455865504909644b4381ede78	Mirai	elf geofenced mirai ua-wget USA x86
http://130.12.180.20:36695/x86	75cb064f489b12d4130786e1aa6963dfa2fc9de82b8d3b2150385ce9d65d27dc	Mirai	elf geofenced mirai ua-wget USA x86
http://130.12.180.20:36695/m68k	4dae9f444d6d484da953f928ac5ea4ddd9c556e54fed41146d5059183d18fa54	Mirai	elf geofenced m68k mirai ua-wget USA
http://130.12.180.20:36695/mips	115ba7461c23928d82557c16bf70b0b1b06d0dcec8a28622463d349ee696d4b0	Mirai	elf gafgyt geofenced mips mirai ua-wget USA
http://130.12.180.20:36695/mpsl	fcc742b8f1948c436d4c9037b8cc2aae0200714fd8d4bad28f87a6b45f718603	Mirai	elf geofenced mips mirai ua-wget USA
http://130.12.180.20:36695/ppc	d3a33ffcb6fda21a7452f7507449b038465aa7fc48087839a7c7efe7c523d6c8	Mirai	elf geofenced mirai PowerPC ua-wget USA
http://130.12.180.20:36695/spc	effa5b76a489de0777fda6ea9c1fd46699987377bada094c570001adc2df5fa9	Mirai	elf geofenced mirai sparc ua-wget USA
http://130.12.180.20:36695/sh4	b69541b3230b41bb3c596fba4f79aa8b0cec4d67c147597f74412f44f395c43a	Mirai	elf geofenced mirai SuperH ua-wget USA
http://130.12.180.20:36695/arm4	1ac2472a7266925354978d482153be974077046d46a8126b9fbd19bd4646eab2	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.20:36695/arm5	645e42550a44d8d0e0a2abe2b214eed4a608425b4107b9eac8d13a3121f1971a	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.20:36695/arm6	89d0c7f66ee96d3d02258a2369e482376291517e3d383a3fb2364ec8abbca6af	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.20:36695/arm7	5f522e269bf35cf78d80e6341ec953775adbffaf35871f710255f81d5ca0723c	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.20:36695/aarch64	n/a	n/a	arm elf geofenced mirai ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive mirai

Link:

https://www.filescan.io/uploads/697e91062ffccda0976516b0/reports/b3b6c08f-a590-4084-b2c2-e7818a4ba77f/overview

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-26T12:17:00Z UTC

Last seen:

2026-01-26T13:18:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.cx HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/9401c933c9f2d1b2100fbe39d46723492c174ecebfa82be8c73f9b4dd9471339/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/f43ad076-e895-49e2-b7c3-c255fc9d4ce7

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9401c933c9f2d1b2100fbe39d46723492c174ecebfa82be8c73f9b4dd9471339

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9401c933c9f2d1b2100fbe39d46723492c174ecebfa82be8c73f9b4dd9471339/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/9401c933c9f2d1b2100fbe39d46723492c174ecebfa82be8c73f9b4dd9471339

Threat name:

Document-HTML.Trojan.Vigorf

Status:

Malicious

First seen:

2026-01-26 17:13:14 UTC

File Type:

Text (Shell)

AV detection:

14 of 36 (38.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sqa4sm6j6li3eeapxy45izzdjewbotwox6ucx2ghh6nu3wkhcm4q._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/260131-3jfgwabw8e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/9401c933c9f2d1b2100fbe39d46723492c174ecebfa82be8c73f9b4dd9471339

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh