MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3322a331765adeddd26136f8dcebbecccff71f7b29ec9f2ce74736b7244faa1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6



SHA256 hash: 3322a331765adeddd26136f8dcebbecccff71f7b29ec9f2ce74736b7244faa1c
SHA3-384 hash: d2384b11117871c38d58395a6ea9d6ef9cdc920d625d403eeebbacd158c7e56677c573dae8be837395578371afddd08c
SHA1 hash: de325b66baca55135acde440297ed3ec439e7840
MD5 hash: b49af872e546f684a15dcff1e0fa6bbd
humanhash: paris-east-colorado-yankee
File name: zy.sh
Signature: Mirai
File size: 975 bytes
First seen: 2025-09-20 06:41:58 UTC
Last seen: 2025-09-25 10:02:35 UTC
File type: sh
MIME type: text/plain
ssdeep: 24:GIbr5zOt+MB09Byz5ktP1zkktPvzWktpN7lwktpOlFktv:jr5CEA09EkUkUkxykwkd
TLSH: T1CC11E2CC0174AC326DC55E9AB923892994C6C4F52A9F8DD0E04A4537FCCDA45F372B7A
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL: http://194.31.222.17/v/armv4l
Malware sample (SHA256 hash): e333d6098ba7af114b4e8b290f0e587592067b8e153798bf4763262d2074ad96
Signature: Mirai
Tags: arm elf geofenced mirai ua-wget USA

URL: http://194.31.222.17/v/armv5l
Malware sample (SHA256 hash): 79d810e67c7bd6c6669214c1c4b631829d90726886b4167a232813d8434ef3f7
Signature: Mirai
Tags: arm elf geofenced mirai ua-wget USA

URL: http://194.31.222.17/v/armv7l
Malware sample (SHA256 hash): c3788d92bfc3a08dbcca4476832c46b099bcad182c56cdbccf837eb0edb6cd77
Signature: Mirai
Tags: arm elf geofenced mirai ua-wget USA

URL: http://194.31.222.17/v/mips
Malware sample (SHA256 hash): d4e2e83716082a12346f565d13cc06546a099a05725f194c135f7b3839473a6c
Signature: Mirai
Tags: 32-bit DEU elf geofenced mirai Mozi opendir

URL: http://194.31.222.17/v/mipsel
Malware sample (SHA256 hash): 8db391280f5fda83a9dc476d69d093827bb72b3a90c3112679855eacabb996e1
Signature: Mirai
Tags: 32-bit DEU elf geofenced mirai Mozi opendir

Intelligence

File Origin
# of uploads: 2
# of downloads: 58
Origin country: DE
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox

Verdict: Malicious
File Type: ps1
First seen: 2025-09-20T04:03:00Z UTC
Last seen: 2025-09-20T04:03:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
Threat name: Script-Shell.Trojan.Heuristic
Status: Malicious
First seen: 2025-09-20 06:43:28 UTC
File Type: Text (Shell)
AV detection: 8 of 24 (33.33%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai
sh 3322a331765adeddd26136f8dcebbecccff71f7b29ec9f2ce74736b7244faa1c (this sample)

Delivery method: Distributed via web download

Comments