MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dbf0acf2ca6e52fa4e626d82ffa5921acc704981f9623ad3ebcbc21beba7ef9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai
Vendor detections: 7


SHA256 hash: 2dbf0acf2ca6e52fa4e626d82ffa5921acc704981f9623ad3ebcbc21beba7ef9
SHA3-384 hash: 8a97893e71757e7300c3946d05a6a5d91f8fe503f5cd01a16c3869a98ebd2ca9af2054e46209bbbabacc5ce9a6d192ac
SHA1 hash: 3e7848521a320b59c4d6ccd76dd181e3e3929dd0
MD5 hash: 139da04689e5174fc86a332a6f999fbb
humanhash: blossom-bakerloo-virginia-nineteen
File name: lilin.sh
Download: download sample
Signature: Mirai
File size: 1'169 bytes
First seen: 2025-09-30 09:38:52 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:E22IbO5zOt+MB0CJZk4NaNmk4q2k8kW0mkikV:EAO5CEA0Gkgkgk8kqkikV
TLSH: T1DB21C8CF0274AC6158C4499E35974D2874DBC9FC1BCACE89608B0536B8C9918F276F99
Magika: txt
Reporter: abuse_ch
Tags: mirai sh
IOCs (payload URLs referenced by this script; each URL is a separate MalwareBazaar sample):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://194.31.222.17/v/armv4l | e333d6098ba7af114b4e8b290f0e587592067b8e153798bf4763262d2074ad96 | Mirai | arm elf geofenced mirai ua-wget USA
http://194.31.222.17/v/armv5l | 79d810e67c7bd6c6669214c1c4b631829d90726886b4167a232813d8434ef3f7 | Mirai | arm elf geofenced mirai ua-wget USA
http://194.31.222.17/v/armv7l | c3788d92bfc3a08dbcca4476832c46b099bcad182c56cdbccf837eb0edb6cd77 | Mirai | arm elf geofenced mirai ua-wget USA
http://194.31.222.17/kk/armv4l | fa2969618c11630496f8784ca73bfb3734ceb7b7d6bc861729ab1080a3e70a55 | Mirai | elf mirai ua-wget
http://194.31.222.17/kk/armv5l | 196d4187438354ffda9b8a211b1dbb69e789036bc98c9b533584c38ee1b6ad9d | Mirai | elf mirai ua-wget
http://194.31.222.17/kk/armv7l | c08227c99e5c062c360c13a7e23e0eba8786615f3a68c8b4abe1305898084cc5 | Mirai | elf mirai ua-wget

Intelligence

File Origin
# of uploads: 1
# of downloads: 49
Origin country: DE
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox

Verdict: Malicious
File Type: ps1
First seen: 2025-09-30T06:53:00Z UTC
Last seen: 2025-10-01T01:02:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p
Status: terminated
Behavior Graph:
[Behavior graph rendered as text; process tree recovered from the sandbox data follows]
- pid 5142 /usr/bin/sudo --execve--> pid 5149 /tmp/sample.bin (the script under analysis)
- pid 5149 --clone--> pid 5151 /usr/bin/dash, which execve's /usr/bin/cat (5152), /usr/bin/grep (5153, 5154, 5155) and /usr/bin/cut (5156)
- pid 5149 --execve--> /usr/bin/rm, delete-file (pids 5159, 5160, 5162)
- pid 5149 --clone--> pid 5164 /usr/bin/dash --execve--> pid 5165 /usr/bin/cp, write-file
- pid 5149 --clone--> pid 5169 /usr/bin/dash --execve--> pid 5170 /usr/bin/chmod
- pid 5149 --execve--> /usr/bin/chmod (pids 5228, 5234, 5239, 5246, 5260, 5265)
- pid 5149 --clone--> /usr/bin/dash (pids 5229, 5235, 5240, 5247, 5261, 5266), no further child recorded
- pid 5149 --clone--> /usr/bin/dash (pids 5172, 5232, 5237, 5242, 5250, 5263), each --execve--> /usr/bin/wget, net send-data write-file (pids 5173, 5233, 5238, 5243, 5251, 5264)
- each of the six wget processes connects to 194.31.222.17:80 and sends 136 B (5173, 5233, 5238) or 137 B (5243, 5251, 5264)
Threat name: Script-Shell.Trojan.Heuristic
Status: Malicious
First seen: 2025-09-30 09:39:33 UTC
File Type: Text (Shell)
AV detection: 9 of 24 (37.50%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Mirai
Sample: sh 2dbf0acf2ca6e52fa4e626d82ffa5921acc704981f9623ad3ebcbc21beba7ef9 (this sample)

Delivery method: Distributed via web download

Comments