MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2990ecb627c39d0c0d987c7dd00f0bae177b0b5a2411f736439e86004d5d6e93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	2990ecb627c39d0c0d987c7dd00f0bae177b0b5a2411f736439e86004d5d6e93
SHA3-384 hash:	843e692bcf4ed8c881b5e05ee3cf94b14d70228315fad09db671e3b64c0b72d9534ee44ec0ddf854bcc4a84645de7b90
SHA1 hash:	cad27b060fb4c357888a1e200bd8493de0ca0ba2
MD5 hash:	15c8ba6dfb03c4abe97885ab23be5f34
humanhash:	music-video-sixteen-queen
File name:	sshbins.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'496 bytes
First seen:	2026-03-21 08:38:05 UTC
Last seen:	2026-03-23 05:08:12 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:Za1zqf2lveezXQScxkcJ+Yu/YwV41z/0EqFEQKtYZ/D5+O:Za1zqf2xJzCXsv4zicy5n
TLSH	T1DA71A6C4C830A4375C868A0BF561C6AA6DDC93E599B4C16C53A99E3712E1F3D7C8B643
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://88.214.20.143/bins/tux.x86	ce86f67220e57e39fe2cf009b28c45742e371ab3a5445cf304af0c29a6c5c8ab	Mirai	elf ua-wget
http://88.214.20.143/bins/tux.mips	c031158e151eb44a8274a09628409f4ca1e6800796846e765b04ec236b458595	Mirai	elf ua-wget
http://88.214.20.143/bins/tux.mpsl	837cbeb0525af6bcba6f8f1c21dc015282dcd5656f666e5b1061459fc4046140	Mirai	elf ua-wget
http://88.214.20.143/bins/tux.arm	7083d76b20f2e852a32ca482fcc68aee6f0d809872aaf2c9ef55b7c9159e10bb	Mirai	elf ua-wget
http://88.214.20.143/bins/tux.arc	n/a	n/a	elf ua-wget
http://88.214.20.143/bins/tux.arm4	n/a	n/a	elf ua-wget
http://88.214.20.143/bins/tux.arm5	e98188fb59ac4ace244eaedacb7eb765b3cdca29bae74ce59ed7a2137c2afacf	Mirai	elf ua-wget
http://88.214.20.143/bins/tux.arm6	4c2b21c9b013305c1f7d40351b1692dee7c86c72785ce53e27da621900b78ad5	Mirai	elf ua-wget
http://88.214.20.143/bins/tux.arm7	6ba5c3ac96539322332397adecb18cbace6f57ae9cfd509bb3600c7ead29d319	Mirai	elf ua-wget
http://88.214.20.143/bins/tux.ppc	24517ddb231e26591cc6225c747f8a422e53546d16410c82d4919728849e4668	Mirai	elf ua-wget
http://88.214.20.143/bins/tux.m68k	03b36e3abd751b69530806a45611ddb81841e7ad414ab076ae20b1ea3991987b	Mirai	elf ua-wget
http://88.214.20.143/bins/tux.sh4	47fcc3426f3d0e563b5c7692b0ea2a22321fa804747d7228c93a2c9dd45b7bc1	Mirai	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/69be59014ec2f522cc51c2c3/reports/5c77409b-9a6c-49d8-9e4e-493d0cc4f193/overview

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen

Link:

https://opentip.kaspersky.com/2990ecb627c39d0c0d987c7dd00f0bae177b0b5a2411f736439e86004d5d6e93/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/925a8dde-e2c2-4553-bd23-a890c16a0594

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/2990ecb627c39d0c0d987c7dd00f0bae177b0b5a2411f736439e86004d5d6e93

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2990ecb627c39d0c0d987c7dd00f0bae177b0b5a2411f736439e86004d5d6e93/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/2990ecb627c39d0c0d987c7dd00f0bae177b0b5a2411f736439e86004d5d6e93

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2026-03-21 08:12:35 UTC

File Type:

Text (Shell)

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fgioznrhyooqydmypr65adylvylxwc22eqi7onsdt2daatk5n2jq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260321-kjx3tah16x/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Contacts a large (23847) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2990ecb627c39d0c0d987c7dd00f0bae177b0b5a2411f736439e86004d5d6e93

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh