MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24af424af9dd319bf065789da9991b0848607ea35e94ee4575ea8c56c6e150b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	24af424af9dd319bf065789da9991b0848607ea35e94ee4575ea8c56c6e150b4
SHA3-384 hash:	2d490404a275c7c098e537e614169220720abe1c3d6f709b344fe21d154f4ad2fbeeb3ef8fd56852a01197827037ea6e
SHA1 hash:	075d67efe4c637ebff2bd0b7b7790168439bbde2
MD5 hash:	19a319e978b13300cd1b62d7dfb92f79
humanhash:	august-georgia-mountain-massachusetts
File name:	arm7.urbotnetisass
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'961 bytes
First seen:	2025-09-21 15:01:47 UTC
Last seen:	2025-09-21 15:05:19 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:iXISnRcB7M/grS8bQgdq4NvgqT1Y1XgBATaxyagUdLErgAP9wXrGDgbRtgMf9cbh:iXISnRcB7M/grS8bQgdq4NvgqT1aXgBw
TLSH	T1114171C638101953031EFE8CA3A2C898A04E80DDA74B36D8F6A91EBD9D4C70E7930F4C
Magika	shell
Reporter	rollcalcifer
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.154.35.154/powerpc.urbotnetisass	09a18ca51af0504d1de3691d6a5c290d3e2c1a6c98043957b8518267a3bb12ed	Mirai	elf geofenced mirai ua-wget USA
http://94.154.35.154/mips.urbotnetisass	b18659cad3db34b8d2d82ad5786c5696454ce7dd79e4de554f3da84f8f9d2aa0	Mirai	elf geofenced mirai ua-wget USA
http://94.154.35.154/mipsel.urbotnetisass	9b01970e468137eceb8f401e6f20a643826cb19b724a73de07c5d4abee718237	Mirai	elf geofenced mirai ua-wget USA
http://94.154.35.154/arm.urbotnetisass	a28ba2c86793fdc59244babe507f419e4cfa658bd61a5dd178ae090a5e795984	Mirai	arm elf geofenced mirai ua-wget USA
http://94.154.35.154/arm5.urbotnetisass	98b0356eb57747abf0f7aa3aac9c5ebee23164227fcbdf7a6e2984647b207334	Mirai	arm elf geofenced mirai ua-wget USA
http://94.154.35.154/arm6.urbotnetisass	4080cdfcf00475b9709de913f4fadccb5e43164702fa9c8247cc4927982eb9b0	Mirai	arm elf geofenced mirai ua-wget USA
http://94.154.35.154/arm7.urbotnetisass	483994d47c07d3cc14da050b1c6db9167bb9eef388a33aad5b3910ece49a830c	Mirai	arm elf geofenced mirai ua-wget USA
http://94.154.35.154/sparc.urbotnetisass	n/a	n/a	elf ua-wget
http://94.154.35.154/m68k.urbotnetisass	f4946b27267c603871ff2a00cfce51e49993eb1528240d4d028030f119bab328	Mirai	elf geofenced mirai ua-wget USA
http://94.154.35.154/sh4.urbotnetisass	89936f49e50a14f7c17b9ed52f01677b1cba93ff5d631fff8675a5eb68c7ceb2	Mirai	elf geofenced mirai ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-13T21:43:00Z UTC

Last seen:

2025-09-13T21:43:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p

Link:

https://opentip.kaspersky.com/24af424af9dd319bf065789da9991b0848607ea35e94ee4575ea8c56c6e150b4/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/824e1cf1-9312-4e69-8c63-ad51f06f7de6

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/24af424af9dd319bf065789da9991b0848607ea35e94ee4575ea8c56c6e150b4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24af424af9dd319bf065789da9991b0848607ea35e94ee4575ea8c56c6e150b4/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/24af424af9dd319bf065789da9991b0848607ea35e94ee4575ea8c56c6e150b4

Threat name:

Linux.Trojan.Geninst

Status:

Malicious

First seen:

2025-09-14 02:35:57 UTC

File Type:

Text (Shell)

AV detection:

19 of 36 (52.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=esxuesxz3uyzx4dfpco2tgi3bbega7vdl2ko4rlv5kgfnrxbkc2a._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm credential_access defense_evasion discovery execution linux persistence privilege_escalation

Link:

https://tria.ge/reports/250921-sel4racl3t/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Modifies Bash startup script

Reads process memory

Creates/modifies Cron job

Creates/modifies environment variables

Deletes log files

Enumerates active TCP sockets

Enumerates running processes

Modifies rc script

Writes file to system bin folder

File and Directory Permissions Modification

Deletes system logs

Executes dropped EXE

Modifies Watchdog functionality

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/24af424af9dd319bf065789da9991b0848607ea35e94ee4575ea8c56c6e150b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.