MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f7aec2de58561d342b73c8da344c06bd4e1e549cce6e9fd5e0862814bc2e8c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	2f7aec2de58561d342b73c8da344c06bd4e1e549cce6e9fd5e0862814bc2e8c7
SHA3-384 hash:	0bde606a4546f2a2efe45b081d0a7f8fc4022a99d275fbb6c24a9c29e4e5354a16af70ab5f38b7f5ad51ad2946bc8eeb
SHA1 hash:	d5217278f9e0aa1a18f8a5e99a150eee1b06388c
MD5 hash:	8bda6c69b8149dff7eb3690dba47dd6e
humanhash:	fish-arizona-oregon-beer
File name:	tplink.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	847 bytes
First seen:	2026-04-26 01:00:41 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:boWBG05pELMk0aNw/rXdoJQkUthBiI3XfKh:boGGMpzaartoJQkUthBiI3XfM
TLSH	T14E01A5DE66E2B567C5A8CE40B0A18818A01EA38621E93E1CEEC974679C95901F429F13
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.139.159/mips	9a774bcb163e55b4c6a5827bb51889c65fc04438f2837464ecac3711916c45fb	Mirai	elf gafgyt mips mirai ua-wget
http://176.65.139.159/mpsl	50a94147155c4cecdb814a1beada914aa2b0aa070e635658b1cf08608cd87a3e	Mirai	elf mips mirai ua-wget
http://176.65.139.159/arm4	860a38800f9165b3a7f954a29ad31f5b8872cc3a4c4fe8a492f78f518300cc2b	Mirai	arm elf mirai ua-wget
http://176.65.139.159/arm5	5b00f137391c7194b031b29ea8176e4131de58af3db713368d74635667667555	Mirai	arm elf mirai ua-wget
http://176.65.139.159/arm7	b50397272b6268d3ba59645ce9b60f60dc3fd6bcece4075d2af5489c3106e331	Mirai	arm elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

busybox mirai

Link:

https://www.filescan.io/uploads/69ed63d28a82359247b2f6b9/reports/04cfb185-a494-49a9-9697-8d24c0c95dd6/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-04-25T22:08:00Z UTC

Last seen:

2026-04-26T01:38:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/2f7aec2de58561d342b73c8da344c06bd4e1e549cce6e9fd5e0862814bc2e8c7/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/889091f7-42e7-473d-a5af-320ad450d138

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/2f7aec2de58561d342b73c8da344c06bd4e1e549cce6e9fd5e0862814bc2e8c7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2f7aec2de58561d342b73c8da344c06bd4e1e549cce6e9fd5e0862814bc2e8c7/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/2f7aec2de58561d342b73c8da344c06bd4e1e549cce6e9fd5e0862814bc2e8c7

Threat name:

Linux.Worm.Mirai

Status:

Malicious

First seen:

2026-04-26 01:02:13 UTC

File Type:

Text (Shell)

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f55oylpfqvq5gqvxhsg2grganpkodzkjzttot7k6bbrics6c5ddq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

credential_access defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260426-bc75rsdv9n/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Unexpected DNS network traffic destination

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.93

Link:

https://yomi.yoroi.company/submissions/2f7aec2de58561d342b73c8da344c06bd4e1e549cce6e9fd5e0862814bc2e8c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh