MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80
SHA3-384 hash:	74acd77c3c11018746912b81fa77462c3c1d21bddf55f09adbec33a8257de4ce553d8a1827224c8e7c174a25e33c9d88
SHA1 hash:	eff46afe789c44e50be84cf405ea88adf7c9128d
MD5 hash:	f86dab9f11ba4aa886550c7a141f6f3a
humanhash:	angel-robert-berlin-don
File name:	cat.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'120 bytes
First seen:	2026-04-05 01:54:51 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:fiLElAgybCbrnRnEL+V6fT2IJCCCrlClrpsgx/C/V1Tb2TI:yJ+P2I
TLSH	T12451D28E125240F9BC45EE17F4669F9078A09FDA4EE38F4EDEDD2B5251CCC146834672
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://103.130.214.71:1212/mirai.apk	f4b3f661c0002caeae308e75a5473b96c78c0513eed795121f10cfafaf6bdf77	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.arm4	59d5de268d7695d2b3238ce264d6e9826cc1ad5d4871d0789b81cc9ac02a7228	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.arm5	4d3030180b580cb608199dfbb1b67381e77587ba0290fe881372ef1c4711c3ee	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.arm6	44f3e4569e2a76356e5d8195d97398119ac763c1b47a9f941eb98fa71e7dcfa0	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.arm7	f4b3f661c0002caeae308e75a5473b96c78c0513eed795121f10cfafaf6bdf77	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.dbg	b81062b3d00b297bfed142f5c79435678528dfb19d32adc576dcd94e21f41ded	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.i486	aa2f6b54aa1f2d1f179924b1e5cd00167d9c1842fef9e756b285494ebd4af3ba	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.i686	e37daef1c9ee225871ec67e761085f1e86d6b82e53d5f8a0c8635d8997ee2eff	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.m68k	1725c67bdd98feb0c6bd2ae568ee2a959e9b564f1e533f1cff8ec87bb2ce9c72	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.mips	c02ae9d038a511028b7c58c9aea89f42b0dda0f1f3898fa1b87260355b14e8b3	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.mpsl	b505b3e61184d7406491ff14a04d79092dc5a5ee9efb24173ee3b86c1d00994a	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.sh4	67d3e6a4b65761fccb08e8cc5d63d76fc1a460f6b7e191fdeca7ad1f55a6cc72	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.spc	620ec0155acd9685c771a82e794da688dd0e278bed61ea9da89925453f8d336c	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.x64	e37e149e08f5beae7d219bac7a070e72676251410c483b5f367c42e4ec752eca	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/mirai.x86	579e0bb67f37d7ca86a9e093f471bfa5505200de9ae05753e758b6980706bce3	Mirai	elf mirai ua-wget x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Gathering data

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-04-04T23:02:00Z UTC

Last seen:

2026-04-04T23:23:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p

Link:

https://opentip.kaspersky.com/ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/0bc77b68-5558-4348-905b-d0e507262f48

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80

Threat name:

Linux.Trojan.Vigorf

Status:

Malicious

First seen:

2026-04-05 01:55:31 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5qurhm3lf7v46anj6cl46s6lhi2vko646my4nf7vvtcu2wpa3saa._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux

Link:

https://tria.ge/reports/260405-cccvascy4s/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

File and Directory Permissions Modification

Executes dropped EXE

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ec2913b36b2f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/ec2913b36b2febcf01a9f097cf4bcb3a35553bdcf331c697f5acc54d59e0dc80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh