MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e581136bb3d0caca689e3b69c7c3c39d41e38f2cb64990d19edf191743f0729. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	2e581136bb3d0caca689e3b69c7c3c39d41e38f2cb64990d19edf191743f0729
SHA3-384 hash:	316f218b741ce35a60707cc99e8a6dd82c3da5d702e493956d6fbf7e5c9f76d5f36987b664ea1703343922357811417f
SHA1 hash:	987579ed81ebc7e2b2959cb9fa2969c7168996c9
MD5 hash:	846218b842a2cb117fd1ec42a08240f2
humanhash:	lemon-november-eight-washington
File name:	bins.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'959 bytes
First seen:	2026-02-11 05:33:58 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	48:9XeXBXCAXWXHXEX0XNXSX7X1QfXaXfXciXpiTXQXm:9XeXBXCAXWXHXEX0XNXSX7X1QfXaXfXI
TLSH	T1DD4192D980619DA97D9D5D01707B8C40F0E1EDBA2A48DF066ECCB8B3DC8DF41282AB64
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://163.245.209.150/mush/bin.armv4eb	af5ea6d7cd56c0d8a6d51ee1815de1b5dc327c14b7a8871992f2ee020e8f5479	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.armv4l	e45a52959c4b82db82af83ea793eef41221055241c46ce7acecb83fb17a36077	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.armv4tl	8854cb8d59af4ff41fc8457e43b4effcaf61b985167c4d1dbb045d2e8e50edce	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.armv5l	3923ca2c9b70f8d55c3ebf4c977a2c2a26963f3f2b2c62530d30e9e58e7d3fe9	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.armv6l	2fde3cc1e650ac0572d644e6464d8eea331f33abae4332e3a98d7b14366e6a97	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.armv7l	4dfa6b414f4833c202e39c40ea6345d8907d15e21b59b4e7bed2a62c7fa04cb0	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.i486	ba082cdbdaf772f6f3ba04fc5fc23a2f80e2a514555e5c536817fca223ea936c	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.i586	61d7b6965abddd9050b70f0f05ab7bb3930406082e52872a7c90bd04c7813613	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.i686	26a135b4e6dedb38cd7d8725f918776cd49e0250ad7419a86b0550c503d994e9	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.m68k	ffc10217f903e2b3c90e43c9297ce4829e15506a0d213a1f090afd190fdd7ee5	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.mips	68917c76aef394bce019bc70fa8d907f53fe635918fa29ecea2bd23439ed54df	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.mips64	2ff1842ac3f7f21a55a8ae3fb748d46d7852f25fc3edef328ec6349302090c14	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.mipsel	631d4550e114bebdd5e6da4f9360d963e8aea4521c3437fb17de763fadd53300	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.powerpc	154b5e4e2a18ab34cdbc7c9b08ef69e1f62ca9da48e62f347d28532d55a5fcb4	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.powerpc-440fp	094cb0bb8013c6ae41d88d878b163964d53ee9c98c366b21da3c5139e92c88d6	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.sh4	5f17d3a2354e1153dfbc1a926b6cdce42cc524dfb0ace45088c5fdc756912e59	Mirai	elf mirai ua-wget
http://163.245.209.150/mush/bin.x86_64	6285197b5bf2b12051296f7ae07482d3dce2f4f2822b860be64779b80555d703	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

File Type:

text

First seen:

2026-02-10T02:54:00Z UTC

Last seen:

2026-02-11T17:11:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p

Link:

https://opentip.kaspersky.com/2e581136bb3d0caca689e3b69c7c3c39d41e38f2cb64990d19edf191743f0729/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/6a1769e4-8138-48ec-bf5b-f3c58a9734c1

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/2e581136bb3d0caca689e3b69c7c3c39d41e38f2cb64990d19edf191743f0729

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e581136bb3d0caca689e3b69c7c3c39d41e38f2cb64990d19edf191743f0729/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/2e581136bb3d0caca689e3b69c7c3c39d41e38f2cb64990d19edf191743f0729

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-02-10 04:44:16 UTC

File Type:

Text (Shell)

AV detection:

18 of 36 (50.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fzmbcnv3hugkzjuj4o3jy7b4hhkb4ohsznsjsdiz5xyzc5b7a4uq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260211-f9h95aht6d/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/2e581136bb3d0caca689e3b69c7c3c39d41e38f2cb64990d19edf191743f0729

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh