MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39bb91671ae26554e7f1649f7aa8e990db27013304ef136d1e2f524d03c07e4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: 39bb91671ae26554e7f1649f7aa8e990db27013304ef136d1e2f524d03c07e4c
SHA3-384 hash: ffe62fa2b538a667f2bc5b718118f5e8f3f019f90d0146815f28b2f4af0ac40a8a7075e7d99205b5d75f6cfbd29276e4
SHA1 hash: a4c1220cf272a76893855276a7abcd7935ee91c9
MD5 hash: 380b42581d6386e4d5209061994cfcca
humanhash: rugby-fish-hawaii-three
File name: sex.sh
Signature: Mirai
File size: 493 bytes
First seen: 2026-04-01 15:03:38 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:YkdMvSHvtkdMvx5HvlZwkdMvhNI1HvBkdMvq6HvjJwkdMpH9wkdMAHy:+gvJPvlwhNIZvdtvdy9ty
TLSH: T1E6F05BCD8C41F343C59F9ADD3021C614F007D5D4A9451F0BE74C4972A74A950E40775E
Magika: txt
Reporter: BlinkzSec
URL | Malware sample (SHA256 hash) | Signature | Tags
http://178.16.52.148/rebirth.arm | 159c73d8e746064ba1187265ac47ac3bdd35642275c68a10d8fe45722652d336 | Mirai | elf mirai ua-wget
http://178.16.52.148/rebirth.arm5 | d767060b7b8f808367f3f0eb2f5fdf59143c057a09f0fb8e5d9ca8414d061158 | Mirai | elf mirai ua-wget
http://178.16.52.148/rebirth.arm6 | 3d83173d1a4cd927066a324926b4f5001f2e98825c480de180b6f9eb492cacfe | Mirai | elf mirai ua-wget
http://178.16.52.148/rebirth.arm7 | 8b92f02ece73bd262a89f19d9f583dabb824b0fb683f2797614274341d149ed7 | Mirai | arm elf mirai ua-wget
http://178.16.52.148/rebirth.mips | 3db7969c50574330d864c08ed6409055dd2153ff8763e8a47e11f8dca9d432e8 | Mirai | elf mips mirai ua-wget
http://178.16.52.148/rebirth.mipsel | n/a | n/a | elf ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 41
Origin country: GB
Vendor Threat Intelligence
Verdict: Malicious
File Type: text
First seen: 2026-04-01T12:33:00Z UTC
Last seen: 2026-04-01T17:51:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Document-HTML.Trojan.Heuristic
Status: Malicious
First seen: 2026-04-01 15:02:40 UTC
File Type: Text (Shell)
AV detection: 9 of 36 (25.00%)
Threat level: 2/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
