MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 360467c3b733513c922b90d0e222067509df6481636926fa1786d0273169f4da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	360467c3b733513c922b90d0e222067509df6481636926fa1786d0273169f4da
SHA3-384 hash:	231e74fe5926199e6dd75534995710e87abcb32a38fdbc62ac5dd2b13cdc983ba1ba3e8776d075d68afb1ae74c8bd960
SHA1 hash:	bcd6d4f9725a0e5af57c1283892b4474b467069f
MD5 hash:	baf0a66fcbad46f82afca7e98c467449
humanhash:	magazine-florida-uncle-bacon
File name:	tol.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	5'027 bytes
First seen:	2026-01-25 19:17:09 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:rfLklqkfm9+Ftflq38SfkfcrPfcH0zHfvAhugfz8tiMfkfcrsGf16HsifaZK5Jft:i
TLSH	T109A1B36150114FF2DE0E8E16A9744F0A358857892992BE48DFFA39DBD6CFFCA3105E90
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://144.172.100.228/mamakmukekkontol/zerobotv9.x86	64c1492109495906dfedbdf64d99a0b80d5c32ac8a5665135b000624ad2eccbe	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.mips	deb70af83a9b3bb8f9424b709c3f6342d0c63aa10e7f8df43dd7a457bda8f060	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.arc	5c96edcd514733da92b19c23a0f6ec4f99532dae7d9dc7fc134746b01431eebd	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.i686	f0da131e151040febbf2741de344d2dd7084d48da6c6b8ec3990cf34a84540c3	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.x86_64	d7112dd3220ccb0b3e757b006acf9b92af466a285bbb0674258bcc9ad463f616	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.mpsl	6e4e797262c80b9117aded5d25ff2752cd83abe631096b66e120cc3599a82e4e	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.arm	c1f986b48e1d56d6a39d21fbc618411713d0d24a97b96f73c0fff554d271e86d	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.arm5	263a363e2483bf9fd9f915527f5b5255daa42bbfa1e606403169575d6555a58c	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.arm6	045a1e42cb64e4aa91601f65a80ec5bd040ea4024c6d3b051cb1a6aa15d03b57	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.arm7	c8e8b627398ece071a3a148d6f38e46763dc534f9bfd967ebc8ac3479540111f	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.ppc	c4c160602e5d637c6367908715b4dd4a4423ddf007d53a5db132663eb95bc6dd	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.spc	cc1efbca0da739b7784d833e56a22063ec4719cd095b16e3e10f77efd4277e24	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.m68k	d024039824db6fe535ddd51bc81099c946871e4e280c48ed6e90dada79ccfcc7	Mirai	elf geofenced mirai ua-wget USA
http://144.172.100.228/mamakmukekkontol/zerobotv9.sh4	a0f0495ab470e4ee7e8f3dff17fe1eb0e42936fd968d2ea8a0fa279563594da7	Mirai	elf geofenced mirai ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/69766c405db9ae4770915c5f/reports/e4ac4101-21c3-44a8-ab88-488b489707ee/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-12T21:16:00Z UTC

Last seen:

2026-01-27T12:58:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/360467c3b733513c922b90d0e222067509df6481636926fa1786d0273169f4da/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/71fb03f0-dd94-4a78-892a-38d7b5bb883f

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/360467c3b733513c922b90d0e222067509df6481636926fa1786d0273169f4da

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/360467c3b733513c922b90d0e222067509df6481636926fa1786d0273169f4da/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/360467c3b733513c922b90d0e222067509df6481636926fa1786d0273169f4da

Threat name:

Linux.Trojan.Vigorf

Status:

Malicious

First seen:

2026-01-13 02:31:17 UTC

File Type:

Text (Shell)

AV detection:

15 of 36 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gycgpq5xgnitzerlsdioeiqgoue56zebmnusn6qxq3icomlj6tna._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260125-xzhz2sfw9d/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/360467c3b733/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/360467c3b733513c922b90d0e222067509df6481636926fa1786d0273169f4da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh