MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcbde44de84bd52312b5497108ff960b1c3b83a1a760535571dc7e3676e8b708. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	fcbde44de84bd52312b5497108ff960b1c3b83a1a760535571dc7e3676e8b708
SHA3-384 hash:	5f5a395f5d5b69414816b994a61a6db0074a1a5f8b78ad0a549137c303365bb84cba02e9c9e8aab987116160e9bba129
SHA1 hash:	512efac5c999cccdc4336eb7529a7c66ad21dca4
MD5 hash:	56c7916816349aebe450a16257b8448c
humanhash:	rugby-william-shade-shade
File name:	cat.sh
Download:	download sample
File size:	4'029 bytes
First seen:	2026-04-11 09:14:29 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:faHhTshhdYgEhqmThP/R/Wh/EECEPhErQ8QpjhQpfL4h+IvIshICIqI3hIDIVNIy:EQ0T6/Vjgchwsy/H3yEVuVSyVNv0++
TLSH	T15F81F68E235281F96C48ED17F471DF9078D09DD20DDB8F88CECD6B52A58CD647439AA1
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://103.130.214.71:1212/zyre.apk	5a9596683c81795db6460a46bf2815d5add974f9abf647886d8c3a8adaf2223c	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.arm4	e9cff21e91ce80f33761642ee8dd103de41ba0c185e2b63e10bdee9fb5bbe52f	Gafgyt	elf gafgyt ua-wget
http://103.130.214.71:1212/zyre.arm5	3a39371ec2159897202d4711af93d6fb8bc6512733aeb2891d5f08a35bfd76ee	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.arm6	f4e22081613108997397cb9f06a085560dc0b5df24bcadf95b19b7d7eddf8977	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.arm7	bae9f047a954897fd367e3d7b796fe7821356c6ad4da521f42e044fd56bc9312	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.dbg	831743b8b8e86014ce0837f05e12210794426f0751744492b23bb3b27fb1abba	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.i486	c9ebb56f8b65387714a3d34a13605144f72b4d0c3e6aac21b1dd7e7406efbb29	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.i686	f3e0e3a64129d9ab9f1f5f63c3234fc8cfefecd2e42e0e048fc04eb35be3094e	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.m68k	8b20f7796ccace087779e32e7b76d010fc216419f48cda872b7f21e51f961e07	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.mips	f353dfd83a50b2924f183f6b7bd4bbd9b8fe77698156b11d85959f86cac18c2e	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.mpsl	280b43127e0ec992fcf8675ccdfca0f947bda32ba72a085c013a003051f9be84	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.sh4	a4dd867f512c7fb2d17eccb98829c74d6df637f1acb66313dbece5d061c4f8b6	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.spc	51a9f4cce2454c7b20323181b042cc33c60820e639c9783b3bea4720162da753	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.x64	e428787b8ef1a9817f5f3629a1ecdd3271c368783153acdcea6ab35aa142f07a	Mirai	elf mirai ua-wget
http://103.130.214.71:1212/zyre.x86	324f1f8d21316886aac155d7fe025d4d138b045a980add95d9100c036d0099d0	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive medusa mirai

Link:

https://www.filescan.io/uploads/69da113d5ea31bc68a1fed93/reports/f8e73afc-6d6c-4cde-9b3e-31d1a3d23fbb/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-04-08T20:55:00Z UTC

Last seen:

2026-04-13T02:50:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/fcbde44de84bd52312b5497108ff960b1c3b83a1a760535571dc7e3676e8b708/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/32490660-02b3-4d51-8ef7-447849d7b2cf

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/fcbde44de84bd52312b5497108ff960b1c3b83a1a760535571dc7e3676e8b708

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fcbde44de84bd52312b5497108ff960b1c3b83a1a760535571dc7e3676e8b708/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/fcbde44de84bd52312b5497108ff960b1c3b83a1a760535571dc7e3676e8b708

Threat name:

Linux.Trojan.Vigorf

Status:

Malicious

First seen:

2026-04-10 02:56:43 UTC

File Type:

Text (Shell)

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7s66itpijpksgevvjfyqr74wbmodxa5bu5qfgvlr3r7dm5xiw4ea._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux

Link:

https://tria.ge/reports/260411-k79frabv5k/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

Contacts third-party web service commonly abused for C2

File and Directory Permissions Modification

Executes dropped EXE

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fcbde44de84b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fcbde44de84bd52312b5497108ff960b1c3b83a1a760535571dc7e3676e8b708

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh