MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab60ddea7281cd4fc39d94668a431f7e23159a4430f504c83be30ba27c511ff7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	ab60ddea7281cd4fc39d94668a431f7e23159a4430f504c83be30ba27c511ff7
SHA3-384 hash:	c75c9f797d097f56fff26f88074c0ea1b9436da8af0810ac25f9a0ed0a1c16002412cda2d09c95cdb2c52fe35db65962
SHA1 hash:	bac66884058f4f82d3eb0496022fc30f1b0cbd10
MD5 hash:	2c135e3d6ec2cbf9535b071f09b2576c
humanhash:	mississippi-alpha-triple-purple
File name:	cat.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'831 bytes
First seen:	2026-04-30 06:03:56 UTC
Last seen:	2026-05-01 00:45:34 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:3xdTPtTa8CTnQ14Ta2CTmnBT7rZTXtTu3ZTTyo7PTsvyCT5SCT22CT7b:n1+RIvgC
TLSH	T11931158B60749065C584DE15B1F4EBC4D325B69963F4063AFCD10D6AB08AD54306FEFD
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	BlinkzSec

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://31.59.104.25/iran.x86_64	c2a18aa6bc7c130cba97b02b96f47b3b3e71f08e4b4b48fe678ab70ac2aa21d8	Mirai	elf mirai ua-wget
http://31.59.104.25/iran.aarch64	n/a	n/a	elf ua-wget
http://31.59.104.25/iran.m68k	8fb4a0f1aa646ac1f2af66eb5b888e38f1ad63a809087b60a93f78db4087801c	Mirai	elf mirai ua-wget
http://31.59.104.25/iran.mips	e47146ccd375c8b273930571807f437c80cb682bb41e76b9773396b4ca0f7235	Mirai	elf mips mirai ua-wget
http://31.59.104.25/iran.mipsel	913ce9b38b2132729be84626fe4606f5b5364058e706d5af2d8ba529fd4da6f1	Mirai	elf mips mirai ua-wget
http://31.59.104.25/iran.powerpc	0735d9d662be4a6e5033a4e926f6a1a4d7221114aeb6aa5fcdbf3d21346efc4d	Mirai	elf mirai ua-wget
http://31.59.104.25/iran.sparc	db2272ccd055b6524c8360d0c8fa126670a8e1c2f783091436e2adf002a026c3	Mirai	elf mirai ua-wget
http://31.59.104.25/iran.sh4	9dd2cd073a0dc4eba7f048a541dd85fd859e2b22cff43053f9dcea6dc1a70ee5	Mirai	elf mirai ua-wget
http://31.59.104.25/iran.arc	n/a	n/a	elf ua-wget
http://31.59.104.25/iran.i486	d13be1b0704a68fa2a9ab3a5e6dd9d618d003949e1844548e747b4f1fe6af861	Mirai	elf mirai ua-wget
http://31.59.104.25/iran.armv4l	10433914187823e5c4ee9f83f9c270ce6a0fcc66fcf4f13e6f64e6142754a5c6	Mirai	elf mirai ua-wget
http://31.59.104.25/iran.armv5l	53ce494336ade6fb34f1fef2a7099cf981a6b52351353c9b9f41f15d2c5c10ac	Mirai	elf mirai ua-wget
http://31.59.104.25/iran.armv6l	043a247df856e148233519e579641420046dfd9696305b62369090274166dede	Mirai	elf mirai ua-wget
http://31.59.104.25/iran.armv7l	d3ffce49fd6a0bd2e63253b722dd48420116c5ce73a8894b4afe73afd3732db1	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-04-30T03:07:00Z UTC

Last seen:

2026-04-30T12:58:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/ab60ddea7281cd4fc39d94668a431f7e23159a4430f504c83be30ba27c511ff7/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/23bc1469-9cde-436a-becd-6a2140b48c8c

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/ab60ddea7281cd4fc39d94668a431f7e23159a4430f504c83be30ba27c511ff7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab60ddea7281cd4fc39d94668a431f7e23159a4430f504c83be30ba27c511ff7/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/ab60ddea7281cd4fc39d94668a431f7e23159a4430f504c83be30ba27c511ff7

Threat name:

Script.Downloader.Iranbot

Status:

Malicious

First seen:

2026-04-30 06:01:43 UTC

File Type:

Text (Shell)

AV detection:

11 of 24 (45.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vnqn32tsqhgu7q45srtiuqy7pyrrlgsegd2qjsb34mf2e7crd73q._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/260430-gsvghaey7r/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/ab60ddea7281cd4fc39d94668a431f7e23159a4430f504c83be30ba27c511ff7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh