MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05bb46c2da318f9fd81b6e61aa5ba9c88d236e6665fb8d834e46ea6ed66207c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

SHA256 hash: 05bb46c2da318f9fd81b6e61aa5ba9c88d236e6665fb8d834e46ea6ed66207c8
SHA3-384 hash: faa1bb799a5b51d87c42088857b50f6677d218bb588a33ac52fc3f46a0c4536c5810a03a9c0dd6501ca063d09bc3f618
SHA1 hash: bea225db387e70ba8ffd4bdd932137a523172563
MD5 hash: 1af794c89543dfbf7c8c4c6b86d90e66
humanhash: september-helium-early-winter
File name: w.sh
Signature: Mirai
File size: 801 bytes
First seen: 2026-01-10 13:34:02 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:dUMxqU9UUeKlCEU9UAiKl2EU9UmdKAU9UYU9UX9qU9UGFG10qU9Uf1U9UBh7IAUe:dx7dlC5eKlQ8lSu5wQTUKUnHR
TLSH: T1B501C0EB02BA9412866CCD8C34AB48386544D6C47DB38E8CDC5C04B96DC7A1E7116F4B
Magika: html
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 37
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox mirai
Status: terminated
Behavior Graph:
Threat name: Document-HTML.Worm.Mirai
Status: Malicious
First seen: 2026-01-10 13:34:30 UTC
File Type: Text (Shell)
AV detection: 11 of 36 (30.56%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a

Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai
sh 05bb46c2da318f9fd81b6e61aa5ba9c88d236e6665fb8d834e46ea6ed66207c8
(this sample)

Delivery method: Distributed via web download

Comments