MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f9b2b3d258a3f573e29fd040166b8a7edc05772c912021e0438c5d655bd548a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash: 1f9b2b3d258a3f573e29fd040166b8a7edc05772c912021e0438c5d655bd548a
SHA3-384 hash: 46beac2a5956ddbe5338defbcfbacdfa674819d158e969e4395ce0244e781ecd2bc3b8ab68082f34ce4d67048ef429c0
SHA1 hash: 28261e2a3a0727ab69b48b5406ded15d6b1f87d4
MD5 hash: c99a93d0bf89dff1756317ed4334c08d
humanhash: golf-music-south-bluebird
File name:li.sh
Download: download sample
Signature Mirai
File size:492 bytes
First seen:2025-12-21 15:13:42 UTC
Last seen:Never
File type: sh
MIME type:text/plain
ssdeep 6:SdLbTZ6WY+x8duKZjXI+x8dFzPEixx8dqNELx8dYNIF+KZEBFIhx8dQFa6rE21:6XTcuJbFeqBYNIbMbBG
TLSH T1A8F0BB8FF0553E53614D9D9BB7A2080E909583CC0A170FBEFDE5507A48DD64033ACB94
Magika batch
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://130.12.180.64/mipse15ce931f64fb95cd28b67b04f354997e6b8c105f6ccc75c8656e860398d4590 Miraielf mirai ua-wget
http://130.12.180.64/mpslfc78c3225e4096e99aad35aa16bbcda1b445d65aab408a140a3ce2ab384b3b09 Miraielf mirai ua-wget
http://130.12.180.64/arma7664a410794615c68167bb4956aac61a82fffd153248757b92f49de4c0c4cea Miraielf gafgyt mirai ua-wget
http://130.12.180.64/arm5016550a25f05a8555c3c6da0822f2abb4ffce15527acb8c1e2cb4983869f2244 Miraielf gafgyt mirai ua-wget
http://130.12.180.64/arm68a2a01453a985c4eb967ebb5453d54d6548531851f86a7ce709653fbf52b7c95 Miraielf mirai ua-wget
http://130.12.180.64/arm7e6f45ab9ea9c6728ad5977a6c4fff85b1558d431d86b1bc26ff1ccc5e4838c6f Miraielf mirai ua-wget

Intelligence


File Origin
# of uploads :
1
# of downloads :
49
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive mirai
Verdict:
Malicious
File Type:
text
First seen:
2025-12-21T13:44:00Z UTC
Last seen:
2025-12-21T15:02:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=99bf6832-1700-0000-d53d-4bc1970c0000 pid=3223 /usr/bin/sudo guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228 /tmp/sample.bin guuid=99bf6832-1700-0000-d53d-4bc1970c0000 pid=3223->guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228 execve guuid=0ad7a535-1700-0000-d53d-4bc19e0c0000 pid=3230 /usr/bin/wget net send-data write-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=0ad7a535-1700-0000-d53d-4bc19e0c0000 pid=3230 execve guuid=dbe61f44-1700-0000-d53d-4bc1ad0c0000 pid=3245 /usr/bin/chmod guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=dbe61f44-1700-0000-d53d-4bc1ad0c0000 pid=3245 execve guuid=e59a5744-1700-0000-d53d-4bc1af0c0000 pid=3247 /usr/bin/dash guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=e59a5744-1700-0000-d53d-4bc1af0c0000 pid=3247 clone guuid=66e1c144-1700-0000-d53d-4bc1b20c0000 pid=3250 /usr/bin/rm delete-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=66e1c144-1700-0000-d53d-4bc1b20c0000 pid=3250 execve guuid=688efb44-1700-0000-d53d-4bc1b40c0000 pid=3252 /usr/bin/rm guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=688efb44-1700-0000-d53d-4bc1b40c0000 pid=3252 execve guuid=cb173c45-1700-0000-d53d-4bc1b50c0000 pid=3253 /usr/bin/wget net send-data write-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=cb173c45-1700-0000-d53d-4bc1b50c0000 pid=3253 execve guuid=8f0bfa49-1700-0000-d53d-4bc1c20c0000 pid=3266 /usr/bin/chmod guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=8f0bfa49-1700-0000-d53d-4bc1c20c0000 pid=3266 execve guuid=b327334a-1700-0000-d53d-4bc1c40c0000 pid=3268 /usr/bin/dash guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=b327334a-1700-0000-d53d-4bc1c40c0000 pid=3268 clone guuid=35bdec4a-1700-0000-d53d-4bc1c60c0000 pid=3270 /usr/bin/rm delete-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=35bdec4a-1700-0000-d53d-4bc1c60c0000 pid=3270 execve guuid=c62b5b4b-1700-0000-d53d-4bc1c70c0000 pid=3271 /usr/bin/rm guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=c62b5b4b-1700-0000-d53d-4bc1c70c0000 pid=3271 execve guuid=d064964b-1700-0000-d53d-4bc1c80c0000 pid=3272 /usr/bin/wget net send-data write-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=d064964b-1700-0000-d53d-4bc1c80c0000 pid=3272 execve guuid=41a73f4f-1700-0000-d53d-4bc1d40c0000 pid=3284 /usr/bin/chmod guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=41a73f4f-1700-0000-d53d-4bc1d40c0000 pid=3284 execve guuid=a0d2764f-1700-0000-d53d-4bc1d60c0000 pid=3286 /usr/bin/dash guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=a0d2764f-1700-0000-d53d-4bc1d60c0000 pid=3286 clone guuid=2760f24f-1700-0000-d53d-4bc1da0c0000 pid=3290 /usr/bin/rm delete-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=2760f24f-1700-0000-d53d-4bc1da0c0000 pid=3290 execve guuid=d8293250-1700-0000-d53d-4bc1dc0c0000 pid=3292 /usr/bin/rm guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=d8293250-1700-0000-d53d-4bc1dc0c0000 pid=3292 execve guuid=78a56a50-1700-0000-d53d-4bc1de0c0000 pid=3294 /usr/bin/wget net send-data write-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=78a56a50-1700-0000-d53d-4bc1de0c0000 pid=3294 execve guuid=8b391954-1700-0000-d53d-4bc1eb0c0000 pid=3307 /usr/bin/chmod guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=8b391954-1700-0000-d53d-4bc1eb0c0000 pid=3307 execve guuid=e2ba5154-1700-0000-d53d-4bc1ed0c0000 pid=3309 /usr/bin/dash guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=e2ba5154-1700-0000-d53d-4bc1ed0c0000 pid=3309 clone guuid=8162c954-1700-0000-d53d-4bc1f10c0000 pid=3313 /usr/bin/rm delete-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=8162c954-1700-0000-d53d-4bc1f10c0000 pid=3313 execve guuid=71750755-1700-0000-d53d-4bc1f30c0000 pid=3315 /usr/bin/rm guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=71750755-1700-0000-d53d-4bc1f30c0000 pid=3315 execve guuid=ebe54355-1700-0000-d53d-4bc1f50c0000 pid=3317 /usr/bin/wget net send-data write-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=ebe54355-1700-0000-d53d-4bc1f50c0000 pid=3317 execve guuid=502e2059-1700-0000-d53d-4bc1020d0000 pid=3330 /usr/bin/chmod guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=502e2059-1700-0000-d53d-4bc1020d0000 pid=3330 execve guuid=a53b5759-1700-0000-d53d-4bc1030d0000 pid=3331 /usr/bin/dash guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=a53b5759-1700-0000-d53d-4bc1030d0000 pid=3331 clone guuid=ea92f259-1700-0000-d53d-4bc1060d0000 pid=3334 /usr/bin/rm delete-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=ea92f259-1700-0000-d53d-4bc1060d0000 pid=3334 execve guuid=24112a5a-1700-0000-d53d-4bc1070d0000 pid=3335 /usr/bin/rm guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=24112a5a-1700-0000-d53d-4bc1070d0000 pid=3335 execve guuid=668d645a-1700-0000-d53d-4bc1090d0000 pid=3337 /usr/bin/wget net send-data write-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=668d645a-1700-0000-d53d-4bc1090d0000 pid=3337 execve guuid=3135cc5e-1700-0000-d53d-4bc1190d0000 pid=3353 /usr/bin/chmod guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=3135cc5e-1700-0000-d53d-4bc1190d0000 pid=3353 execve guuid=03541b5f-1700-0000-d53d-4bc11b0d0000 pid=3355 /usr/bin/dash guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=03541b5f-1700-0000-d53d-4bc11b0d0000 pid=3355 clone guuid=6e99d45f-1700-0000-d53d-4bc11e0d0000 pid=3358 /usr/bin/rm delete-file guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=6e99d45f-1700-0000-d53d-4bc11e0d0000 pid=3358 execve guuid=ba4b0e60-1700-0000-d53d-4bc1200d0000 pid=3360 /usr/bin/rm guuid=29476035-1700-0000-d53d-4bc19c0c0000 pid=3228->guuid=ba4b0e60-1700-0000-d53d-4bc1200d0000 pid=3360 execve f22fee75-ab34-540d-95fe-696883c6f4ad 130.12.180.64:80 guuid=0ad7a535-1700-0000-d53d-4bc19e0c0000 pid=3230->f22fee75-ab34-540d-95fe-696883c6f4ad send: 132B guuid=cb173c45-1700-0000-d53d-4bc1b50c0000 pid=3253->f22fee75-ab34-540d-95fe-696883c6f4ad send: 132B guuid=d064964b-1700-0000-d53d-4bc1c80c0000 pid=3272->f22fee75-ab34-540d-95fe-696883c6f4ad send: 131B guuid=78a56a50-1700-0000-d53d-4bc1de0c0000 pid=3294->f22fee75-ab34-540d-95fe-696883c6f4ad send: 132B guuid=ebe54355-1700-0000-d53d-4bc1f50c0000 pid=3317->f22fee75-ab34-540d-95fe-696883c6f4ad send: 132B guuid=668d645a-1700-0000-d53d-4bc1090d0000 pid=3337->f22fee75-ab34-540d-95fe-696883c6f4ad send: 132B
Threat name:
Document-HTML.Trojan.Vigorf
Status:
Malicious
First seen:
2025-12-21 15:14:29 UTC
File Type:
Text (Shell)
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 1f9b2b3d258a3f573e29fd040166b8a7edc05772c912021e0438c5d655bd548a

(this sample)

  
Delivery method
Distributed via web download

Comments