MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80
SHA3-384 hash:	74acd77c3c11018746912b81fa77462c3c1d21bddf55f09adbec33a8257de4ce553d8a1827224c8e7c174a25e33c9d88
SHA1 hash:	eff46afe789c44e50be84cf405ea88adf7c9128d
MD5 hash:	f86dab9f11ba4aa886550c7a141f6f3a
humanhash:	angel-robert-berlin-don
File name:	cat.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'120 bytes
First seen:	2026-04-05 01:54:51 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:fiLElAgybCbrnRnEL+V6fT2IJCCCrlClrpsgx/C/V1Tb2TI:yJ+P2I
TLSH	T12451D28E125240F9BC45EE17F4669F9078A09FDA4EE38F4EDEDD2B5251CCC146834672
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://103.130.214.71:1212/mirai.apk	908a90f59dfcead5fcc6a8ad7eaac7799dadf1ebc083306c0b4c5b5ae23c9e63	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.arm4	2bfa803d1e3de85337e3014217cd696395b2fcd43df64faf08d486ef430bf50c	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.arm5	f99a34410fc5e5de197a0f7927188a653744860a7339eb18993dbe6c5de97c26	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.arm6	a037866f92e33a4f8bf7083f211636ff053be45ff7d45fdca24388400323a486	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.arm7	908a90f59dfcead5fcc6a8ad7eaac7799dadf1ebc083306c0b4c5b5ae23c9e63	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.dbg	a95e4e2c9aeb0410f8ea3e48888eb2e386056336625dea408dd568f5d4c7d58e	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.i486	179a6adc0d6377ea4b8d76483574e69e973615a6476c46cd0276b604f2e89d92	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.i686	a9549846f4fed8c2067218770280c61a3457d4b2341047ef0682b9b6f158c115	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.m68k	082121edb46ad791d60420d235560eeeb5a71520066c9fb0a1065e4e1d1879bd	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.mips	228b01b7cbb4acff60ccf8894fb333efe662a445fc33f1347756e4fa0dd11c58	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.mpsl	2301c22590b771b4283c13b8acb9e786e53f9e7e7e20fb558b8f969eac2afba9	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.sh4	6bfebb9caeb383e28af35f4429ddd9410f087ce33cebdcaa4c894db9a13ad30c	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.spc	f4814c2f30e6131789c31ba5219252de9c6fe92c373a62bf878599e9044c2477	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.x64	a8fba0d6211e9897ef7dcce3728199aa8fb1f1442586865e74ba9b8dfa55a9cc	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.x86	409fad8fa5203e0eeb4cbde4e6354cb4242c020c0874238593375dc1fd842ae4	Mirai	elf mirai ua-wget x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Gathering data

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p

Link:

https://opentip.kaspersky.com/ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/0bc77b68-5558-4348-905b-d0e507262f48

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-04-05 01:55:31 UTC

AV detection:

15 of 36 (41.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5qurhm3lf7v46anj6cl46s6lhi2vko646my4nf7vvtcu2wpa3saa._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux

Link:

https://tria.ge/reports/260405-cccvascy4s/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

File and Directory Permissions Modification

Executes dropped EXE

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ec2913b36b2f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh