MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39ac0a211f8b511f7e21e71df9a1902962ebbead2c658c6ee4e1066efeb2f3de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: 39ac0a211f8b511f7e21e71df9a1902962ebbead2c658c6ee4e1066efeb2f3de
SHA3-384 hash: bdeb1c953614c8f81a301d07acfd4d3a26c6241a2a2d2d50bc9805f5ddf85955a1592b712ddd422c7b2c18656733dc3c
SHA1 hash: d4f6ce7ca1d1554fb1cc8ab35789145853d2bb8f
MD5 hash: a0241c1fd6fc5020c6c68017a8fbdd42
humanhash: indigo-fillet-delaware-aspen
File name: wget.sh
Signature: Mirai
File size: 392 bytes
First seen: 2026-01-18 02:28:26 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep 12:6q1YRhqiNIl5GqP0LKyqiMBtqc5G3qGJdHwR:6q1YRhqiNI7Gq6KyqiktqcMqGJa
TLSH T12DE0A9CE3424B766068DFE84BAB359446881C3C516780F38FEE5046248D8B047718A5B
Magika: batch
Reporter: abuse_ch
Tags: mirai sh

URL | Malware sample (SHA256 hash) | Signature | Tags
http://130.12.180.132/bb/arm5 | n/a | n/a | arm elf geofenced mirai opendir ua-wget USA
http://130.12.180.132/bb/arm6 | n/a | n/a | arm elf geofenced mirai opendir ua-wget USA
http://130.12.180.132/bb/arm7 | n/a | n/a | arm elf geofenced opendir ua-wget USA
http://130.12.180.132/bb/mips | n/a | n/a | elf geofenced mips mirai opendir ua-wget USA
http://130.12.180.132/bb/mpsl | n/a | n/a | elf geofenced mips opendir ua-wget USA
http://130.12.180.132/bb/x86 | n/a | n/a | elf geofenced opendir ua-wget USA x86

Intelligence


File Origin
# of uploads: 1
# of downloads: 64
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
File Type: text
First seen: 2026-01-17T23:39:00Z UTC
Last seen: 2026-01-17T23:45:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2026-01-18 02:58:49 UTC
AV detection: 11 of 24 (45.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 39ac0a211f8b511f7e21e71df9a1902962ebbead2c658c6ee4e1066efeb2f3de

(this sample)

  
Delivery method
Distributed via web download
