MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 317c7fe5b3fbe20f3b15f1749d0cbd399bed012c84860a645cdad536477d003d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	317c7fe5b3fbe20f3b15f1749d0cbd399bed012c84860a645cdad536477d003d
SHA3-384 hash:	d0c3938d0e8e70a994876737994b6a32142267feb77582cc9fd9bf503854273887d93e02b9ce42f017914448ee32f2dc
SHA1 hash:	6460158c0c7c464031c53c657e1e5d6d2b5e5547
MD5 hash:	d56308bf487c0242820edf0aefe33f16
humanhash:	king-sad-earth-illinois
File name:	mao_http.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'241 bytes
First seen:	2026-02-07 13:41:09 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:mwKaAAtgBIC+8Yy8O5SZYz0zmk24SuMS4k2wSQ:UQ9
TLSH	T1CF61F1FC50E0EEA3CC45A90CBE698351930382E7AC71FD7C5C694676488071A39EB7AD
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://160.250.225.17/bins/mao.x86_64	1b9e17462a47afb7ba79400f147f699ca70909f51a971bab80e20177ae024ef3	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.x86	201c0b78693a3091d9a7e26aa7110c77beb13289ea5978f1edd4b1359567ea6e	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.mips	eb83574b4e79b73f2669e257643a06811b5a3d392ebc8597130bc8102b4a6b7f	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.mpsl	c39ce9aeb58024de86d0df1aaed297a308cf59745d0c8589db81902cdb402bb5	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.arm	37511f960894bb1bec92f792eb9a772a6a7926596155cbe3f60ca2b81a04e743	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.arm5	f2eb51eaf6ec0d4e1293922014c2df9fd4fa62ade85fc2e47c56269d37c030ba	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.arm6	65c1b5a4909e6f0bad16e48d4005f68d453936b72256564900537445582b0591	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.arm7	48737f8fa20358f195fb9670e6ee0444c9760f50f02bda7d78472dbfd0a08bab	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.ppc	e66306f6a71cb948e0b5f4e55e5159a2380e8d61d3923380ce25264db244aeee	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.m68k	e7b3c9c00f79eca8e50a27c0462ff5f0cd3ac4148200508aa77b3eef21fd1cbb	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.sh4	2fce8de8728f1291b308fa7f5d4f096e83e4bc90df63645d7de50e7c62463934	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.spc	e2b29014d4de16f628b0785438dd2de9a4003af819e7f9a266bd751415764b2b	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.arc	0cce20071a014da88feb55d7935d8525390f1bb31cc8259018f57ed1bb1292fd	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.i686	58c9220ae7d6e5e39d2fe77cb2a3d9df5929572ba2f8cab82e2b0e2f2ab5b13f	Mirai	elf mirai ua-wget
http://160.250.225.17/bins/mao.i486	0029fe67bf75b12aa1497f5302e59294502f57f59dd47d0c7d8e9a376794adf5	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/698740fb930564ff3c90fc58/reports/8a1c5325-a799-4b27-8336-659919a94e3f/overview

Result

Gathering data

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/425960b6-a3bd-4204-950f-e1b050a1f414

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/317c7fe5b3fbe20f3b15f1749d0cbd399bed012c84860a645cdad536477d003d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/317c7fe5b3fbe20f3b15f1749d0cbd399bed012c84860a645cdad536477d003d/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/317c7fe5b3fbe20f3b15f1749d0cbd399bed012c84860a645cdad536477d003d

Threat name:

Script-Shell.Trojan.Vigorf

Status:

Malicious

First seen:

2026-02-07 13:41:21 UTC

File Type:

Text (Shell)

AV detection:

8 of 36 (22.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gf6h7znt7pra6oyv6f2j2df5hgn62ajmqsdauzc43lktmr35aa6q._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260207-qy748agz6d/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/317c7fe5b3fb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh