MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20ea8978c8c543e4d1b3947bb533277e3e1318eed2bc9570a1e4bf3daeb03123. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20ea8978c8c543e4d1b3947bb533277e3e1318eed2bc9570a1e4bf3daeb03123
SHA3-384 hash: 49a37b9ebe6354c688c39347ae4755832ae0cfb4b4669b34654a84eaa1c57f5ae6867a023b4e0d16f4bf0ce8aece065f
SHA1 hash: 22edb5065c94c76c7d700c9eeed3a08880f68f2f
MD5 hash: 82ddea893b4db33263f14e17a686b75b
humanhash: monkey-gee-friend-snake
File name:tplink.sh
Download: download sample
Signature Mirai
Create hunting rule
File size:1'148 bytes
First seen:2026-05-31 02:28:28 UTC
Last seen:Never
File type: sh
MIME type:text/plain
ssdeep 24:QvQhBh9M0oy1ZdLqMbiiVKGLxZmLPxbinVKTLy:QvQhnoIRiaiFiV5
TLSH T14321D48C3DE93A6A4D38CDCCF2A2AE05D11AE6CF33960A24E7C6363A5C981203D15F55
Magika shell
Reporter abuse_ch
Tags:mirai sh
URLMalware sample (SHA256 hash)SignatureTags
http://92.42.100.131/tplink/mips6380463007c664be8873080075281d40dba1da8c703f9336eebce4f1f5709f90 Miraielf mirai ua-wget
http://92.42.100.131/tplink/mpslef59883df2f7d787cb605d61a765b1208975ac6f5a547d3b85b0eaff870a96bf Miraielf mirai ua-wget
http://92.42.100.131/tplink/armc48e90bf0b336d05f0e18994c0d5be637ca123d6fdeeceb6a83ad9c393e78b9d Miraielf mirai ua-wget
http://92.42.100.131/tplink/arm506ad53d2aaab6b416594537875f9104c4b3dfeae24b35b0cc5f799d2482afa21 Miraielf mirai ua-wget
http://92.42.100.131/tplink/arm713276d04bfb4ed0b81c38cb49e70571319fd61f593179bc3bacc6c8e29fc1bad Miraielf mirai ua-wget
http://92.42.100.131/tplink/x86283878b622d6838d8bed8df3fc16b94eec9ea301bd8082027d4ec03be96d8a26 Miraielf mirai ua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
58
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Linux.Downloader-35.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6a1b9d03099ef368af107424/reports/b2bc70e0-957d-48eb-8945-dcc26baaa05b/overview
Verdict:
Malicious
File Type:
text
First seen:
2026-05-30T23:44:00Z UTC
Last seen:
2026-06-01T03:24:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a
Link:
https://opentip.kaspersky.com/20ea8978c8c543e4d1b3947bb533277e3e1318eed2bc9570a1e4bf3daeb03123/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/20ea8978c8c543e4d1b3947bb533277e3e1318eed2bc9570a1e4bf3daeb03123
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20ea8978c8c543e4d1b3947bb533277e3e1318eed2bc9570a1e4bf3daeb03123/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-05-31 03:21:35 UTC
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=edvis6giyvb6juntsr53kmzhpy7bggho2k6jk4fb4s7t3lvqgerq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260531-cyrkksgy2v/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/20ea8978c8c543e4d1b3947bb533277e3e1318eed2bc9570a1e4bf3daeb03123

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 20ea8978c8c543e4d1b3947bb533277e3e1318eed2bc9570a1e4bf3daeb03123

(this sample)

Mirai

elf 6380463007c664be8873080075281d40dba1da8c703f9336eebce4f1f5709f90

  
URLhaus
https://urlhaus.abuse.ch/url/3850201/
  
Delivery method
Distributed via web download
  
Dropping
MD5 2c7d393ba52c69175d910fbcd0ae2921
  
Dropping
SHA256 6380463007c664be8873080075281d40dba1da8c703f9336eebce4f1f5709f90

Comments