MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3046a730c53d084e825493abb25e7d7ec1e65c5d13f941f62f8e5fef71f8eda7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	3046a730c53d084e825493abb25e7d7ec1e65c5d13f941f62f8e5fef71f8eda7
SHA3-384 hash:	5b55e7d8bc8afd07f8b647f79abf15c51e93df69f8e0d4ffed9878c53a87c23843580b2a908bee4ac7117973705f84e0
SHA1 hash:	55eddd4b2835e51406d753326148948e36057366
MD5 hash:	83e48641d2e62e3e7f2623aea869920d
humanhash:	hotel-alabama-lithium-spring
File name:	w.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	989 bytes
First seen:	2026-01-02 02:00:48 UTC
Last seen:	2026-01-02 07:47:11 UTC
File type:	sh
MIME type:	text/plain
ssdeep	24:DRDNAR3hURhNIRRxKuAbKnY/ZLACgLtFA3lsDdKA:l583hI6xqFLejDV
TLSH	T13411E4EF70601A7205CC4F4872B2980CF8448AC591F65FAD5EDD04BB5FC6B14B798AB4
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://130.12.180.20:36695/arm4	1ac2472a7266925354978d482153be974077046d46a8126b9fbd19bd4646eab2	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.20:36695/arm5	645e42550a44d8d0e0a2abe2b214eed4a608425b4107b9eac8d13a3121f1971a	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.20:36695/arm6	89d0c7f66ee96d3d02258a2369e482376291517e3d383a3fb2364ec8abbca6af	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.20:36695/arm7	5f522e269bf35cf78d80e6341ec953775adbffaf35871f710255f81d5ca0723c	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.20:36695/m68k	4dae9f444d6d484da953f928ac5ea4ddd9c556e54fed41146d5059183d18fa54	Mirai	elf geofenced m68k mirai ua-wget USA
http://130.12.180.20:36695/mips	115ba7461c23928d82557c16bf70b0b1b06d0dcec8a28622463d349ee696d4b0	Mirai	elf gafgyt geofenced mips mirai ua-wget USA
http://130.12.180.20:36695/mpsl	fcc742b8f1948c436d4c9037b8cc2aae0200714fd8d4bad28f87a6b45f718603	Mirai	elf geofenced mips mirai ua-wget USA
http://130.12.180.20:36695/ppc	d3a33ffcb6fda21a7452f7507449b038465aa7fc48087839a7c7efe7c523d6c8	Mirai	elf geofenced mirai PowerPC ua-wget USA
http://130.12.180.20:36695/sh4	b69541b3230b41bb3c596fba4f79aa8b0cec4d67c147597f74412f44f395c43a	Mirai	elf geofenced mirai SuperH ua-wget USA
http://130.12.180.20:36695/spc	effa5b76a489de0777fda6ea9c1fd46699987377bada094c570001adc2df5fa9	Mirai	elf geofenced mirai sparc ua-wget USA
http://130.12.180.20:36695/x86	75cb064f489b12d4130786e1aa6963dfa2fc9de82b8d3b2150385ce9d65d27dc	Mirai	elf geofenced mirai ua-wget USA x86
http://130.12.180.20:36695/x86_64	b6db8bb39c7305a6a0a1024ab9b51e7d7b4c016455865504909644b4381ede78	Mirai	elf geofenced mirai ua-wget USA x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive mirai

Link:

https://www.filescan.io/uploads/695726ec8d1aa9829e28b0cb/reports/8dfc3196-5420-4569-aecf-20e35f4f09c7/overview

Verdict:

Malicious

File Type:

ps1

First seen:

2026-01-01T18:09:00Z UTC

Last seen:

2026-01-03T03:39:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/3046a730c53d084e825493abb25e7d7ec1e65c5d13f941f62f8e5fef71f8eda7/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/d66f77bb-d5d4-4632-921d-1cec9736e151

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/3046a730c53d084e825493abb25e7d7ec1e65c5d13f941f62f8e5fef71f8eda7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3046a730c53d084e825493abb25e7d7ec1e65c5d13f941f62f8e5fef71f8eda7/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/3046a730c53d084e825493abb25e7d7ec1e65c5d13f941f62f8e5fef71f8eda7

Threat name:

Script-Shell.Worm.Mirai

Status:

Malicious

First seen:

2026-01-01 23:05:39 UTC

File Type:

Text (Shell)

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gbdkomgfhuee5asusov3ext5p3a6mxc5cp4ud5rprzp664py5wtq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260106-k7rwpsfv7b/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/3046a730c53d084e825493abb25e7d7ec1e65c5d13f941f62f8e5fef71f8eda7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh