MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04f33ac957f3826b06df0efe0349dd878684e5f0bca8b7bc63fede9adbe4070f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	04f33ac957f3826b06df0efe0349dd878684e5f0bca8b7bc63fede9adbe4070f
SHA3-384 hash:	2a1a0ede72971649f57d7dea11e5f797fa9557068f547cddc4ab8fe652ffc628210303f466e46b00d70a1bdf3acb6a5f
SHA1 hash:	abcd68c86519003ede91093ebb09ff3b52085571
MD5 hash:	cb763c13fc46aef9a904570553ffc0e9
humanhash:	floor-echo-arizona-video
File name:	tvt.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	741 bytes
First seen:	2025-10-27 07:23:42 UTC
Last seen:	2025-10-28 06:25:26 UTC
File type:	sh
MIME type:	text/plain
ssdeep	12:wJ36srPu6oRYBDAPsEENonbIjD1I4EENon+DjEENoniW82dJ:g3HoWB/EENuba3EENu+fEENuD82D
TLSH	T1BE0122CF71E1037D194984693097C719A82CCAAA0EF20B9CE84938791388A94FC0CF72
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://42.112.26.45/arm	18b40a18fe04c05ee7bbdc7a07125633eb803dd7cd9f198e89a2b824df628c5c	Mirai	elf mirai ua-wget
http://42.112.26.45/arm5	be61d9c23d4359b4a4d4911f0f8fc09f69124f3cf991856d5c871e23568c5cd2	Mirai	elf mirai ua-wget
http://42.112.26.45/arm7	48f8ba323a18feb719e4cba9d502e85a73e89c0e7d4c6a5b2dae7e808b19f692	Mirai	elf mirai ua-wget
http://42.112.26.45/tvt.sh	900b9e804661b6d24721081a2bd6a22b356d5aebb815e02f086cbc45edfddec6	Mirai	mirai sh

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-36.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive mirai

Link:

https://www.filescan.io/uploads/6919a111190d5f7fa2364346/reports/caf92f00-0161-4bd4-aa15-1b527adb32bf/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-27T05:13:00Z UTC

Last seen:

2025-10-27T05:50:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/04f33ac957f3826b06df0efe0349dd878684e5f0bca8b7bc63fede9adbe4070f/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/27aff65d-38ef-463a-ab00-191700e32d46

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/04f33ac957f3826b06df0efe0349dd878684e5f0bca8b7bc63fede9adbe4070f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/04f33ac957f3826b06df0efe0349dd878684e5f0bca8b7bc63fede9adbe4070f/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-10-27 07:24:42 UTC

File Type:

Text (Shell)

AV detection:

10 of 38 (26.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=atztvskx6obgwbw7b37agso5q6dijzpqxsulppdd73pjvw7ea4hq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251027-h8qzpabq7y/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/04f33ac957f3826b06df0efe0349dd878684e5f0bca8b7bc63fede9adbe4070f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.