MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1203b21d4510c0ef5f481452cc0a59b8ed83257561b6acf8a81df23047ea0403. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: 1203b21d4510c0ef5f481452cc0a59b8ed83257561b6acf8a81df23047ea0403
SHA3-384 hash: b0898842b75b4e27d3d2dda062a3ef5f99c5c349b050608faed7684aa5653b129d32fb5d6526089a47ad2ca517f41fab
SHA1 hash: 72fd6fa66e762fd3f367bc730942e68dcccad6f9
MD5 hash: a3c6259477aedd5679013d19f0e3d140
humanhash: shade-lamp-rugby-texas
File name: massload
Signature: Mirai
File size: 2'729 bytes
First seen: 2026-01-28 16:30:18 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:rMpzaC56q6IwQgOh18W5uWebCwqgojUHx1HxWEfWq6D3E+Ji:r8+s6q6IwQFh18GuWebCwq/jevHfW5fi
TLSH: T121518FF829B1AE3B4545DF46E0B14FB9A40FB9C894D00F68979F78ACBD6C405783065D
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
IOCs (payloads fetched by this loader script, as listed by MalwareBazaar):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://109.104.155.24/mips | e21b7bea60a9530514cc047e69acc0a4f8fcd4aa0b0b740b44420536df8db05d | Gafgyt | 32-bit elf gafgyt Mozi
http://109.104.155.24/mpsl | 10a7aff25c88eb3fb4ce17dbdd1d78e941b3c4696935f2843afae1a7403c73d3 | Mirai | elf mirai ua-wget
http://109.104.155.24/arm4 | ac0de66ad392299c321c00db0b0f010ff5d63a18392364b8f07ea8da4f94c52f | Mirai | elf mirai ua-wget
http://109.104.155.24/arm5 | 5a2f439cbeb1481de5ee95086d4119fbf28a8d8b89ae9a93ee9dd45472cf5f78 | Mirai | elf mirai ua-wget
http://109.104.155.24/arm7 | fefec7b2d044fee96b0d7315c1a648a64c78fd6cbb1753c7d90e027676379e7e | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 62
Origin country: DE

Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 bash busybox lolbin mirai
Verdict: Malicious
Labelled as: Trojan[Downloader]/Shell.Agent
Result: Gathering data
Status: terminated
Behavior Graph (sandbox process tree, summarised from the rendered graph): /usr/bin/sudo (pid 3875) executes /tmp/sample.bin (pid 3881), which spawns /usr/bin/dash (running cat, grep and cut), /usr/bin/cp (write-file), /usr/bin/chmod and /usr/bin/rm (delete-file), then repeated /usr/bin/wget and /usr/bin/curl processes (net, send-data, write-file) to 109.104.155.24:80 (133 B sent per wget request, 82 B per curl request), and finally /usr/bin/busybox (net, send-data) to 109.104.155.24:21 (72 B sent) and 109.104.155.24:15843.
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2026-01-28 16:24:23 UTC
File Type: Text (Shell)
AV detection: 8 of 36 (22.22%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: credential_access defense_evasion discovery linux
Behaviour:
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Reads process memory
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type: sh
SHA256 hash: 1203b21d4510c0ef5f481452cc0a59b8ed83257561b6acf8a81df23047ea0403 (this sample)

Comments