MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28d9b4fbf99bea103bfa2aa0758f705347a5695ea4f722b783802c9e788a2a39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: 28d9b4fbf99bea103bfa2aa0758f705347a5695ea4f722b783802c9e788a2a39
SHA3-384 hash: 1422ac1ac19ced12a1d642fddd6da9fb85d38857a302fa98f893a3d0fd24c9b9d08029d257b4f3dc78437d9c8ec86355
SHA1 hash: d8b827da624fcfdf2989db8d30ff0e556f18b6d2
MD5 hash: 8e38114b19c8f7abf9b261877201f069
humanhash: chicken-montana-beer-friend
File name: Ciabins.sh
Signature: Mirai
File size: 1'713 bytes
First seen: 2026-04-24 09:52:46 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 48:1pipbKpqp+rpy5pn6pR/spupRIpWpn+rpGp5:1ENKE8A58TUwjII843
TLSH: T11E3172C660D29875BEF5F52732A8890178C5A2C751CF7F4AAEEC39E584CED08B445B83
Magika: txt
Reporter: BlinkzSec
IOCs

URLs associated with this sample (one per target architecture, all on the same host), with the SHA256 hash of the file MalwareBazaar holds for each URL; n/a where none is recorded.

URL                           | Malware sample (SHA256 hash)                                     | Signature | Tags
http://176.65.139.115/MIPS    | 41ae9c9293e3fa20bb467cd3e0551837101ec592f84a12bb3a649dbb79cf7638 | Mirai     | 176-65-139-115 elf mirai ua-wget
http://176.65.139.115/MIPSEL  | n/a                                                              | n/a       | 176-65-139-115 elf ua-wget
http://176.65.139.115/SH4     | 2c203bf2914035458200a9300783e6a08d624693febf17650e8f8b6b39c18488 | Mirai     | 176-65-139-115 elf mirai ua-wget
http://176.65.139.115/X86_64  | c876cffb991d5916bf5fd3bc4991dabf3e7ee776481f77bfc11bb3d20cf92ada | Mirai     | 176-65-139-115 elf mirai ua-wget
http://176.65.139.115/I686    | 1608f9c477cd52dd4f36eb9af46cb65d7a719019d7ff60e858446c397cc75bde | Mirai     | 176-65-139-115 elf mirai ua-wget
http://176.65.139.115/POWERPC | 2f7d62f92942a794d1bbc33a6447d2665b98538a9c7a49a236b1d1dd2423cc28 | Mirai     | 176-65-139-115 elf mirai ua-wget
http://176.65.139.115/I586    | bf0df86359d4d81f8e6c752b52824748b5ac223fd6ce5e28891f703cc946e432 | Mirai     | 176-65-139-115 elf mirai ua-wget
http://176.65.139.115/M68K    | 9bfe534e6df528c366b30b62cfffc2b13fe9ceb6a7e49418d58585b4463ca6da | Mirai     | 176-65-139-115 elf mirai ua-wget
http://176.65.139.115/SPARC   | 4c5979118963c5f00fee20087e7ea65f7a07234f6befd17a39b943aa5d294f61 | Mirai     | 176-65-139-115 elf mirai ua-wget
http://176.65.139.115/ARMV4L  | 9ad3b2928edfa615d0d19220dfc52c0a176f8d2f55ba3fe129879325840da4d4 | Gafgyt    | 176-65-139-115 elf gafgyt ua-wget
http://176.65.139.115/ARMV5L  | e141465a9a44bd03a86e594d80609921771a1f12bcc656e97b39d5bd01c63a56 | Gafgyt    | 176-65-139-115 elf gafgyt ua-wget
http://176.65.139.115/ARMV6L  | f4fa39763da0dd7a2b6f2033442fb586557ea23451b797ab5cf9699e2ae4b6f1 | Gafgyt    | 176-65-139-115 elf gafgyt ua-wget
http://176.65.139.115/ARMV7L  | cdca813e68da420c7aae63fc7a31f926413c8d24e42c0add78795e339509a3f0 | Gafgyt    | 176-65-139-115 elf gafgyt ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 47
Origin country: SK
Vendor Threat Intelligence

No detections

Verdict: Malicious
File Type: text
First seen: 2026-04-24T07:27:00Z UTC
Last seen: 2026-04-26T01:38:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.a, HEUR:Trojan-Downloader.Shell.Agent.p
Status: terminated
Behavior Graph (the sandbox process graph, summarised; the raw dump lists one node per process and one edge per execve/clone):
  /usr/bin/sudo (pid 2283)
    execve -> /tmp/sample.bin (pid 2288), which spawns the same four children, in this order, 13 times over:
      execve -> /usr/bin/wget   (net, send-data, write-file)
      execve -> /usr/bin/chmod
      clone  -> /usr/bin/dash
      execve -> /usr/bin/rm     (delete-file)
  Network: every wget process (pids 2289, 2304, 2320, 2334, 2346, 2356, 2371, 2381, 2396, 2408, 2416, 2427, 2440) sends a single request of 132 to 136 bytes to 176.65.139.115:80; the graph records no received data. Thirteen fetch / chmod / run / delete cycles match the thirteen per-architecture URLs on 176.65.139.115 listed above, the usual shape of a multi-architecture IoT-bot dropper script.

Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-04-24 09:48:21 UTC
File Type: Text (Shell)
AV detection: 23 of 38 (60.53%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices
  (These are Windows-specific behaviour labels: a POSIX shell script has no registry to modify and cannot call SetWindowsHookEx, so they say nothing about what this sample does on Linux.)

Please note that we are no longer able to provide a coverage score for Virus Total.
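The behaviour graph above is a flat dump of process nodes, execve/clone edges and network sends. The Python below is an added example, not MalwareBazaar's or any sandbox vendor's tooling: it parses that dump format into a process table, totals what each wget process sent to 176.65.139.115:80, and flags any process that repeatedly spawns a fetcher, chmod, a shell and rm, which is the download-and-run loop the graph shows. The embedded input is the first two cycles copied verbatim from the graph above; the name sets for fetchers, shells and deleters and the min_cycles threshold are my assumptions.

```python
"""Parse a MalwareBazaar-style sandbox behaviour-graph dump and flag the
repeated fetch / chmod / execute / delete pattern.  Example code, not part
of MalwareBazaar; the graph excerpt below is copied from the page."""
import re
from collections import Counter

# Record kinds in the dump (all on one whitespace-separated stream):
#   process node : guuid=<id> pid=<n> </path> [attr ...]
#   process edge : guuid=<parent> pid=<n>->guuid=<child> pid=<m> <execve|clone>
#   network node : <uuid> <ip:port>
#   network edge : guuid=<id> pid=<n>-><uuid> send: <bytes>B
PROC_RE = re.compile(r"guuid=(\S+) pid=(\d+) (/\S+)((?: [a-z][a-z-]*(?= |$))*)")
EDGE_RE = re.compile(r"guuid=\S+ pid=(\d+)->guuid=\S+ pid=(\d+) (\w+)")
NET_NODE_RE = re.compile(r"(?:^| )([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}) (\d{1,3}(?:\.\d{1,3}){3}:\d+)")
NET_EDGE_RE = re.compile(r"guuid=\S+ pid=(\d+)->([0-9a-f-]{36}) send: (\d+)B")

# First two cycles of the behaviour graph shown on this page (verbatim excerpt).
SAMPLE_GRAPH = """\
%3 guuid=2573b472-1c00-0000-80e2-7263eb080000 pid=2283 /usr/bin/sudo guuid=1a575f75-1c00-0000-80e2-7263f0080000 pid=2288 /tmp/sample.bin guuid=2573b472-1c00-0000-80e2-7263eb080000 pid=2283->guuid=1a575f75-1c00-0000-80e2-7263f0080000 pid=2288 execve
guuid=bfd2c075-1c00-0000-80e2-7263f1080000 pid=2289 /usr/bin/wget net send-data write-file guuid=1a575f75-1c00-0000-80e2-7263f0080000 pid=2288->guuid=bfd2c075-1c00-0000-80e2-7263f1080000 pid=2289 execve
guuid=79966a7d-1c00-0000-80e2-7263fd080000 pid=2301 /usr/bin/chmod guuid=1a575f75-1c00-0000-80e2-7263f0080000 pid=2288->guuid=79966a7d-1c00-0000-80e2-7263fd080000 pid=2301 execve
guuid=2f5dea7d-1c00-0000-80e2-7263fe080000 pid=2302 /usr/bin/dash guuid=1a575f75-1c00-0000-80e2-7263f0080000 pid=2288->guuid=2f5dea7d-1c00-0000-80e2-7263fe080000 pid=2302 clone
guuid=3625017e-1c00-0000-80e2-7263ff080000 pid=2303 /usr/bin/rm delete-file guuid=1a575f75-1c00-0000-80e2-7263f0080000 pid=2288->guuid=3625017e-1c00-0000-80e2-7263ff080000 pid=2303 execve
guuid=3ef26e7e-1c00-0000-80e2-726300090000 pid=2304 /usr/bin/wget net send-data write-file guuid=1a575f75-1c00-0000-80e2-7263f0080000 pid=2288->guuid=3ef26e7e-1c00-0000-80e2-726300090000 pid=2304 execve
guuid=eeb0fd84-1c00-0000-80e2-72630b090000 pid=2315 /usr/bin/chmod guuid=1a575f75-1c00-0000-80e2-7263f0080000 pid=2288->guuid=eeb0fd84-1c00-0000-80e2-72630b090000 pid=2315 execve
guuid=50d18c85-1c00-0000-80e2-72630d090000 pid=2317 /usr/bin/dash guuid=1a575f75-1c00-0000-80e2-7263f0080000 pid=2288->guuid=50d18c85-1c00-0000-80e2-72630d090000 pid=2317 clone
guuid=4a03ae85-1c00-0000-80e2-72630e090000 pid=2318 /usr/bin/rm delete-file guuid=1a575f75-1c00-0000-80e2-7263f0080000 pid=2288->guuid=4a03ae85-1c00-0000-80e2-72630e090000 pid=2318 execve
38fcf1c2-9535-5d52-a9e6-3b00441a8433 176.65.139.115:80 guuid=bfd2c075-1c00-0000-80e2-7263f1080000 pid=2289->38fcf1c2-9535-5d52-a9e6-3b00441a8433 send: 133B guuid=3ef26e7e-1c00-0000-80e2-726300090000 pid=2304->38fcf1c2-9535-5d52-a9e6-3b00441a8433 send: 135B
"""

# Assumed name sets (my choice, not from the page): what counts as a fetcher,
# a shell and a deleter when looking for the download-and-run loop.
FETCHERS = {"wget", "curl", "tftp", "ftpget"}
SHELLS = {"sh", "dash", "bash", "ash"}
DELETERS = {"rm"}


def parse_graph(dump):
    """Return (procs, endpoints, sends) from the raw graph text."""
    flat = " ".join(dump.split())  # the dump is line-wrapped at arbitrary points
    procs = {}
    for _guuid, pid, path, attrs in PROC_RE.findall(flat):
        procs[int(pid)] = {"path": path, "attrs": attrs.split(), "parent": None, "how": None}
    for ppid, cpid, how in EDGE_RE.findall(flat):
        if int(cpid) in procs:
            procs[int(cpid)].update(parent=int(ppid), how=how)
    endpoints = dict(NET_NODE_RE.findall(flat))  # uuid -> "ip:port"
    sends = [(int(pid), endpoints.get(uuid, uuid), int(n))
             for pid, uuid, n in NET_EDGE_RE.findall(flat)]
    return procs, endpoints, sends


def children_by_path(procs, ppid):
    """Count the direct children of ppid by executable path."""
    return Counter(p["path"] for p in procs.values() if p["parent"] == ppid)


def _count(kids, names):
    return sum(n for path, n in kids.items() if path.rsplit("/", 1)[-1] in names)


def find_downloader_loops(procs, min_cycles=3):
    """[(pid, cycles)] for processes that repeatedly spawn fetcher, chmod,
    shell and rm children; cycles is the weakest of the four counts."""
    hits = []
    for pid in sorted(procs):
        kids = children_by_path(procs, pid)
        cycles = min(_count(kids, FETCHERS), _count(kids, {"chmod"}),
                     _count(kids, SHELLS), _count(kids, DELETERS))
        if cycles >= min_cycles:
            hits.append((pid, cycles))
    return hits


def per_endpoint(sends):
    """Aggregate (requests, bytes sent) per remote endpoint."""
    agg = {}
    for _pid, ep, n in sends:
        reqs, total = agg.get(ep, (0, 0))
        agg[ep] = (reqs + 1, total + n)
    return agg


def report(dump, min_cycles=3):
    """Human-readable process table, network totals and loop verdicts."""
    procs, _endpoints, sends = parse_graph(dump)
    lines = []
    for pid, p in sorted(procs.items()):
        how = f"{p['how']} from {p['parent']}" if p["parent"] is not None else "root"
        lines.append(f"pid {pid:<5} {p['path']:<18} {how:<18} {' '.join(p['attrs'])}")
    for ep, (reqs, total) in per_endpoint(sends).items():
        lines.append(f"net  {ep}: {reqs} request(s), {total} bytes sent")
    for pid, cycles in find_downloader_loops(procs, min_cycles):
        lines.append(f"LOOP pid {pid}: {cycles} fetch/chmod/exec/delete cycle(s)")
    return lines


if __name__ == "__main__":
    # The excerpt holds two cycles; the full graph on this page holds thirteen.
    print("\n".join(report(SAMPLE_GRAPH, min_cycles=2)))
```

Run against the full graph dump with the default min_cycles=3 the same code reports 13 cycles under pid 2288 and 13 requests to 176.65.139.115:80; the threshold exists so that a single wget, chmod, sh, rm sequence in an installer script is not flagged on its own.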

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download    | Mirai     | sh        | 28d9b4fbf99bea103bfa2aa0758f705347a5695ea4f722b783802c9e788a2a39 (this sample)

Delivery method: Distributed via web download

Comments