MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21256ac39b77b97aa62fc6dcf2b77f08b2e2aa0b127a322c80357de54844840f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: 21256ac39b77b97aa62fc6dcf2b77f08b2e2aa0b127a322c80357de54844840f
SHA3-384 hash: 47e1e16295f9b34e0356c37170600573344f5e32687931308387e9ff07d70c479ef7c7047159d1a2e0efae33a297f4cf
SHA1 hash: 004cf69f4fe7a07f9b5f4bf13d047bf3a69a52c0
MD5 hash: c13d6338ce9bd11f7c420e86085bdde1
humanhash: mango-october-may-oxygen
File name: curl.sh
Signature: Mirai
File size: 1'514 bytes
First seen: 2025-07-20 03:57:54 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep 24:OKj6Z5KBLiKnFBssK+qBOKFrBmy0YKNBWJKRBomc9KbOqBBUKdB6lOiKtB0jKjB7:l+S9n7SXljoTdnfcobO6BTDFzN9I6p3v
TLSH T15D3160C052D1AFB3DDC5881472EAA17D622C40C77E3BEAC4985B5CF463803D6B754A4E
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 28
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive
Status: terminated
Verdict: Malicious
Threat: HEUR:Trojan-Downloader.Shell.Agent
Threat name: Document-HTML.Trojan.Heuristic
Status: Malicious
First seen: 2025-07-20 03:22:53 UTC
File Type: Text (Shell)
AV detection: 11 of 23 (47.83%)
Threat level: 2/5
Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery linux
Behaviour
System Network Configuration Discovery
File and Directory Permissions Modification
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 21256ac39b77b97aa62fc6dcf2b77f08b2e2aa0b127a322c80357de54844840f

(this sample)

  
Delivery method
Distributed via web download

Comments