MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f9b2b3d258a3f573e29fd040166b8a7edc05772c912021e0438c5d655bd548a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: 1f9b2b3d258a3f573e29fd040166b8a7edc05772c912021e0438c5d655bd548a
SHA3-384 hash: 46beac2a5956ddbe5338defbcfbacdfa674819d158e969e4395ce0244e781ecd2bc3b8ab68082f34ce4d67048ef429c0
SHA1 hash: 28261e2a3a0727ab69b48b5406ded15d6b1f87d4
MD5 hash: c99a93d0bf89dff1756317ed4334c08d
humanhash: golf-music-south-bluebird
File name: li.sh
Signature: Mirai
File size: 492 bytes
First seen: 2025-12-21 15:13:42 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 6:SdLbTZ6WY+x8duKZjXI+x8dFzPEixx8dqNELx8dYNIF+KZEBFIhx8dQFa6rE21:6XTcuJbFeqBYNIbMbBG
TLSH: T1A8F0BB8FF0553E53614D9D9BB7A2080E909583CC0A170FBEFDE5507A48DD64033ACB94
Magika: batch
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://130.12.180.64/mips | 04755c04ffac694a8200f1f424c15a9d8824002b8d810da57bc2cc144e3b4089 | Mirai | elf mirai ua-wget
http://130.12.180.64/mpsl | 574756f3e9e054d464fee7d6f2b0f299159453b7b75823aa30bb576ac10c6419 | Mirai | elf mirai ua-wget
http://130.12.180.64/arm | b9bd8c3bc138f3a2cd136b6224358d2ac7f4a779efe65e5b8c96458e79950e88 | Mirai | elf mirai ua-wget
http://130.12.180.64/arm5 | b8cad988a2ec304d97b01cfc7bde3fd2d7182d6df39782ac3891053e453e4bfc | Mirai | elf mirai ua-wget
http://130.12.180.64/arm6 | 3e56c62db421fb2d64a341f91b8efcc433c83db5a3dfceebf6e5475419564c2d | Mirai | elf mirai ua-wget
http://130.12.180.64/arm7 | a05621105654ed8765a3c2b240d7c5118929cf915f6b9374fc62be50df2d0bfd | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 38
Origin country: DE
Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive mirai

Verdict: Malicious
File Type: text
First seen: 2025-12-21T13:44:00Z UTC
Last seen: 2025-12-21T15:02:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph: /usr/bin/sudo (pid 3223) execve's /tmp/sample.bin (pid 3228), which in a repeated cycle execve's /usr/bin/wget (net, send-data, write-file), /usr/bin/chmod and /usr/bin/rm (delete-file) and clones /usr/bin/dash; each wget instance sends 131 or 132 B to 130.12.180.64:80 (graph rendering omitted).
Threat name: Document-HTML.Trojan.Vigorf
Status: Malicious
First seen: 2025-12-21 15:14:29 UTC
File Type: Text (Shell)
AV detection: 10 of 36 (27.78%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type: sh
SHA256 hash: 1f9b2b3d258a3f573e29fd040166b8a7edc05772c912021e0438c5d655bd548a (this sample)

Delivery method: Distributed via web download

Comments