MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc0b0ba344048bac47a4928efc1b87046f12c85656224096b637b8a6e9d59c31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	dc0b0ba344048bac47a4928efc1b87046f12c85656224096b637b8a6e9d59c31
SHA3-384 hash:	cde97f86322d8fec416fafaf7c2491c51dca494b88954a61e7032671bcaf9192d5f9ca8a50e7af8513ba99bea915dd84
SHA1 hash:	6e45d08f1fdcc49a95fdc2218c07e421c644fc86
MD5 hash:	a2913a2ccbe45c273287dd285c0e54e1
humanhash:	blue-nine-failed-autumn
File name:	cat.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'845 bytes
First seen:	2026-02-12 06:30:21 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:A/C/m/I/2/R/3i/Q/w1H/R/gT/N/HS/E/O/A/2/l/6/M/So7Q/L/Pi/6/i/d/u/o:GMQOg13sWw1f1gbx86YGgJkCSnTUksBZ
TLSH	T1DA31D68E70B49B69C5CCEF01B0E58AC87717F590F2B5C632FD421E6AA0D9D543819A3A
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://34.107.120.7/iran.x86_64	0b86883c6e07f93c2fc256aae323340bffc6cc0b9cb753f361831b01d2c3183b	Mirai	elf ua-wget
http://34.107.120.7/iran.aarch64	8bc0a92bf66caf01130502dd61f9de4424f152aadd4b3c58b1cfcda4d8c9ff72	Mirai	elf mirai ua-wget
http://34.107.120.7/iran.m68k	597d8bc2e54eeed35c57970686e1b96a83814e6937d4c05da0cdd3f3c3139815	Mirai	elf mirai ua-wget
http://34.107.120.7/iran.mips	ad9dbf2200d4b998f20540d08b5d8f0b4a2f3e8938efa20e1663a6e7648557df	Mirai	elf mirai ua-wget
http://34.107.120.7/iran.mipsel	07e5ddab4f8f4aa4c80c0e5aa275269e2394a91436d052e1f2e576d2297c9570	Mirai	elf ua-wget
http://34.107.120.7/iran.powerpc	096a6b15204ce9ced41f97e4dae2c6837a1907e8ccddfbe80e914de49f08bf9a	Mirai	elf ua-wget
http://34.107.120.7/iran.sparc	e6a8843d347dd57213f4b032b2cdc64f42a853120b78174d0704afb5246cc69e	Mirai	elf mirai ua-wget
http://34.107.120.7/iran.sh4	c9e26efcaafe9ce1dc2681a463ada5c8cc94839227c61d018be7fa0b5dff5170	Mirai	elf mirai ua-wget
http://34.107.120.7/iran.arc	f0a0c9e3741457cafafd59cb2b675834b58584ac7c28d4d121b29701a52b57cf	Mirai	elf mirai ua-wget
http://34.107.120.7/iran.i486	692d565c13e6fc343860452caa828b402168d6f8dc4efbb81e289f469f5c6b02	Mirai	elf mirai ua-wget
http://34.107.120.7/iran.armv4l	df615a805418129319ddafe0e720642309762546cbc2fac69db279bccd8dc4fe	Mirai	elf ua-wget
http://34.107.120.7/iran.armv5l	ac2df5d9e7e1e117d3f8a1ccecd1b8d9fa5e90322ac161b08f40be76537910cf	Mirai	elf mirai ua-wget
http://34.107.120.7/iran.armv6l	659a0bff891c385f87965e94700bce2cb5adf29dd2d5d52ac9db8d081535d250	Mirai	elf mirai ua-wget
http://34.107.120.7/iran.armv7l	a6cadd3627a088f1a80c557edfc6fbece78ec246d1c01b717ce8e5b8693db8c2	Mirai	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-02-12T03:37:00Z UTC

Last seen:

2026-02-12T03:37:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/dc0b0ba344048bac47a4928efc1b87046f12c85656224096b637b8a6e9d59c31/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/fde6161f-14f0-41e1-859c-26c687f0874e

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/dc0b0ba344048bac47a4928efc1b87046f12c85656224096b637b8a6e9d59c31

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dc0b0ba344048bac47a4928efc1b87046f12c85656224096b637b8a6e9d59c31/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/dc0b0ba344048bac47a4928efc1b87046f12c85656224096b637b8a6e9d59c31

Threat name:

Script-Shell.Downloader.Heuristic

Status:

Malicious

First seen:

2026-02-11 09:29:14 UTC

File Type:

Text (Shell)

AV detection:

10 of 36 (27.78%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3qfqxi2easf2yr5eskhpyg4harxrfscwkyrebfvwg64kn2ovtqyq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260212-g93t7sbw8h/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

UPX packed file

Enumerates running processes

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh