MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2250f3ef0499e14c3ff16da2a0fdab67490ce64dcaaacf44761cd849f58ea015. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2250f3ef0499e14c3ff16da2a0fdab67490ce64dcaaacf44761cd849f58ea015
SHA3-384 hash: fbd743161a2259fae980ee808fe368d52b37403a177dcd27eedae0d7f58e6d39d94980f48046a4ea7ca35a81e024dd8d
SHA1 hash: 215d8a5e66cec33ebff714d3afa60b8837cdd7ac
MD5 hash: b90cc0d475962e6eb77225d9d3336dbe
humanhash: hot-mockingbird-angel-double
File name:bins.sh
Download: download sample
Signature Mirai
Create hunting rule
File size:1'640 bytes
First seen:2026-06-01 14:19:16 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 48:/Nu7ZMjx215itPHvZvMOiVrKPvbKPO72vLj2vyB9g:FOe3Aq
TLSH T1DA31E78B236082FB850D8D5BF36450C4D0DF85D3E1AB8EB8F4A464625D5A00CFADAF62
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter BlinkzSec
URLMalware sample (SHA256 hash)SignatureTags
http://192.142.55.159/x86f29525ef6bbc16debc7a1db3045899727be9fd7b80798a6730fd2bbd782ed932 Mirai192-142-55-159 elf mirai ua-wget
http://192.142.55.159/i386f29525ef6bbc16debc7a1db3045899727be9fd7b80798a6730fd2bbd782ed932 Mirai192-142-55-159 elf mirai ua-wget
http://192.142.55.159/amd64578f3c5dab9cd9b6ca58a635e5c9e717e8331649898c2918dda45f5a613703c6 Mirai192-142-55-159 elf mirai ua-wget
http://192.142.55.159/armff6bdf02a401c62c889182f7d984d951121acd76e3ad8fbeffad399a645c5f45 Mirai192-142-55-159 elf mirai ua-wget
http://192.142.55.159/armv7lff6bdf02a401c62c889182f7d984d951121acd76e3ad8fbeffad399a645c5f45 Mirai192-142-55-159 elf mirai ua-wget
http://192.142.55.159/arm5834cb02d22c345b571d87dd5d7f7b4cd8950a304545566ec11260558538cb2da Mirai192-142-55-159 elf mirai ua-wget
http://192.142.55.159/arm61bc18899afaca84f0cbbe01e4d5724d202f19f76208548e4c5bc64d8e665aacf Mirai192-142-55-159 elf mirai ua-wget
http://192.142.55.159/arm643a83e4587d2793fb2b3da5b9e19b77bd4a7b82a223cc84861a7131296fe06e6c Mirai192-142-55-159 elf mirai ua-wget
http://192.142.55.159/android_arm649c98c5301e877b2105c86e2f5de78a8a575947e72b0f5862e2321c6ddeb4745a Mirai192-142-55-159 elf mirai ua-wget
http://192.142.55.159/bot.exen/an/a192-142-55-159 exe ua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
43
Origin country :
RO RO
Vendor Threat Intelligence
No detections
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/570c0564-efab-41f8-84e3-f328ba9f3e1b
Behavior Graph:
Download SVG
%3 guuid=6c9696b6-1b00-0000-8dde-5a6e8f0b0000 pid=2959 /usr/bin/sudo guuid=6f333db9-1b00-0000-8dde-5a6e950b0000 pid=2965 /tmp/sample.bin guuid=6c9696b6-1b00-0000-8dde-5a6e8f0b0000 pid=2959->guuid=6f333db9-1b00-0000-8dde-5a6e950b0000 pid=2965 execve guuid=485802ba-1b00-0000-8dde-5a6e960b0000 pid=2966 /usr/bin/wget net send-data write-file guuid=6f333db9-1b00-0000-8dde-5a6e950b0000 pid=2965->guuid=485802ba-1b00-0000-8dde-5a6e960b0000 pid=2966 execve guuid=ed1eaeec-1b00-0000-8dde-5a6eca0b0000 pid=3018 /usr/bin/chmod guuid=6f333db9-1b00-0000-8dde-5a6e950b0000 pid=2965->guuid=ed1eaeec-1b00-0000-8dde-5a6eca0b0000 pid=3018 execve guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3020 /tmp/x86 delete-file net send-data write-config write-file guuid=6f333db9-1b00-0000-8dde-5a6e950b0000 pid=2965->guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3020 execve d6a51c18-b5e1-5f30-9410-f66a87359017 192.142.55.159:80 guuid=485802ba-1b00-0000-8dde-5a6e960b0000 pid=2966->d6a51c18-b5e1-5f30-9410-f66a87359017 send: 132B 10e03b13-e8ea-5297-8f3e-debad2bb47d2 192.142.55.159:9111 guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3020->10e03b13-e8ea-5297-8f3e-debad2bb47d2 send: 143B guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3029 /tmp/x86 guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3020->guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3029 clone guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3031 /tmp/x86 send-data guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3020->guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3031 clone guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3032 /tmp/x86 send-data guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3020->guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3032 clone guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3033 /tmp/x86 send-data guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3020->guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3033 clone guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3036 /tmp/x86 send-data guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3020->guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3036 clone guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=5255 /tmp/x86 send-data guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3020->guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=5255 clone guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3031->10e03b13-e8ea-5297-8f3e-debad2bb47d2 send: 108B guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3032->10e03b13-e8ea-5297-8f3e-debad2bb47d2 send: 247B guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3033->10e03b13-e8ea-5297-8f3e-debad2bb47d2 send: 175B guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=3036->10e03b13-e8ea-5297-8f3e-debad2bb47d2 send: 108B guuid=e96b2ded-1b00-0000-8dde-5a6ecc0b0000 pid=5255->10e03b13-e8ea-5297-8f3e-debad2bb47d2 send: 141B
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/2250f3ef0499e14c3ff16da2a0fdab67490ce64dcaaacf44761cd849f58ea015
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2250f3ef0499e14c3ff16da2a0fdab67490ce64dcaaacf44761cd849f58ea015/
Threat name:
Linux.Downloader.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-01 14:12:42 UTC
File Type:
Text (Shell)
AV detection:
13 of 36 (36.11%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejiph3yethquyp7rnwrkb7nlm5eqzzsnzkvm6rdwdtmet5mouakq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
antivm defense_evasion discovery linux persistence privilege_escalation
Link:
https://tria.ge/reports/260601-rm4hbsgz9n/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Modifies Bash startup script
Creates/modifies environment variables
Write file to user bin folder
File and Directory Permissions Modification
Executes dropped EXE
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.42
Link:
https://yomi.yoroi.company/submissions/2250f3ef0499e14c3ff16da2a0fdab67490ce64dcaaacf44761cd849f58ea015

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 2250f3ef0499e14c3ff16da2a0fdab67490ce64dcaaacf44761cd849f58ea015

(this sample)

Mirai

elf f29525ef6bbc16debc7a1db3045899727be9fd7b80798a6730fd2bbd782ed932

  
URLhaus
https://urlhaus.abuse.ch/url/3857083/
  
Delivery method
Distributed via web download
  
Dropping
MD5 317ed6fb1d79b7b1edd2f632819ac040
  
Dropping
SHA256 f29525ef6bbc16debc7a1db3045899727be9fd7b80798a6730fd2bbd782ed932

Comments