MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12ef71076e671f3c6823f1b05a4d62eefba6acc49fe48a921fc5f4b668e683cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	12ef71076e671f3c6823f1b05a4d62eefba6acc49fe48a921fc5f4b668e683cc
SHA3-384 hash:	b946203130e42d8faf38d259871ea101df3d489e5ea1352e137d443b5adaa22b7f0512d50c92fcf4e7c8e86ed93e0be8
SHA1 hash:	ea8c5e2f4c75d11383515cfdf797e9ca03004479
MD5 hash:	0ae45e89c289092e1189a2c2c6019f96
humanhash:	october-monkey-green-happy
File name:	w.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'072 bytes
First seen:	2026-01-10 19:36:08 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:dUfwVUPVU1kVUDc+HVUAAAVUEAVUuOsVUAjCVUApVUE1ZVU+/pcKAVU5eTtaKAV0:nk1wj/ZDytB/vxn
TLSH	T1D11190EE91F57656C46C4E0870AE95589889CBC53EA3CF88EC5C08F36A87D10F166F1B
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://158.94.208.27/armv4l	6c388fd0fb424d6c7eaf86abb617ff9bea68325989e3b9b7a0365e4ef6b62954	Mirai	elf mirai ua-wget
http://158.94.208.27/armv5l	b9180c611ddf84ffbb1eedb68a12c188b684bc40867ab11e78738e417e07acaa	Mirai	elf mirai ua-wget
http://158.94.208.27/armv6l	758b1a7d6126ebf7a706f0db37fe92bddd6d8bec9cf18c7e8c68ce480f697ce6	Mirai	elf mirai ua-wget
http://158.94.208.27/armv7l	9398f4ee9fbbd3a0545c1dad7f32828a54e63dee3d9429ede67cb9b0ea6ff304	Mirai	elf mirai ua-wget
http://158.94.208.27/i586	37aa2c17037a3840080cf58523875ea9c690ed7151bdb93d8173ff4527d2c9f0	Mirai	elf mirai ua-wget
http://158.94.208.27/i686	b914b60bd6ed779eeee07d42598e861352e3cbb8e2377d13920d95b9d78aef10	Mirai	elf mirai ua-wget
http://158.94.208.27/m68k	b898eecac207321d32c8c9427b0ade7f408bab1b4db1292da972ab84a17d8b7e	Mirai	elf mirai ua-wget
http://158.94.208.27/mips	1cb169f9b7afe6d1169ea0cc5334cd86f2d9b4ad6992520d3ebebd9c5046a75f	Mirai	elf mirai ua-wget
http://158.94.208.27/mipsel	041a575f6849cb644373776a1e90252551a2a4305843b07b2b61d46007b42a13	Mirai	elf mirai ua-wget
http://158.94.208.27/powerpc	c9758e8673f82badfaceb99df6f38b837e4b567f8e6aae5fd9c4b628540633dd	Mirai	elf mirai ua-wget
http://158.94.208.27/powerpc-440fp	021681aab424f1cb19bc0d332cd98b8816753355a91b51fb960c44ac3a78add4	Mirai	elf mirai ua-wget
http://158.94.208.27/sh4	2980a32ffc3407a8aa51b5600936f840a4041c1cb07c4f23a288e502ff91e2f9	Mirai	elf mirai ua-wget
http://158.94.208.27/sparc	30efb0c3c09e70adc0c067a1109f8d81d9165859717f16f045fcd93dbc0ea664	Mirai	elf mirai ua-wget
http://158.94.208.27/x86_64	b45624c3b4cf4ecc07e00097427b19dc0e0bc83e25e3afe50a5ce74e903aac76	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Downloader-32.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox mirai

Link:

https://www.filescan.io/uploads/6962aa3b1a20a4c87b1a78c7/reports/00f4e49f-267f-4991-bd3a-4e0f681c0d5b/overview

Verdict:

Clean

File Type:

text

Link:

https://opentip.kaspersky.com/12ef71076e671f3c6823f1b05a4d62eefba6acc49fe48a921fc5f4b668e683cc/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/de8baa01-5e13-4539-985e-b53160e1e714

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/12ef71076e671f3c6823f1b05a4d62eefba6acc49fe48a921fc5f4b668e683cc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/12ef71076e671f3c6823f1b05a4d62eefba6acc49fe48a921fc5f4b668e683cc/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/12ef71076e671f3c6823f1b05a4d62eefba6acc49fe48a921fc5f4b668e683cc

Threat name:

Document-HTML.Worm.Mirai

Status:

Malicious

First seen:

2026-01-10 19:24:06 UTC

File Type:

Text (Shell)

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=clxxcb3om4pty2bd6gyfutlc5352nlget7siveq7yx2lm2hgqpga._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260110-ybfqfscv5f/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/12ef71076e671f3c6823f1b05a4d62eefba6acc49fe48a921fc5f4b668e683cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh