MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b9a50826c83693a023ef643778c4fb4b50d6226b69f2d996ccc365ddcf499bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: 3b9a50826c83693a023ef643778c4fb4b50d6226b69f2d996ccc365ddcf499bf
SHA3-384 hash: 1e3455eb60aca240acd041de967f99f4713eac29eddf244820763f484859c3e2af475d4a293521204709760ee924ca99
SHA1 hash: dae7f04e9eda1c2c3895f5b40c07f0a2928c82bb
MD5 hash: 19e56c2a52227d23812d29d55567ea91
humanhash: south-michigan-idaho-sierra
File name: wget.sh
Signature: Mirai
File size: 814 bytes
First seen: 2025-12-22 07:34:10 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:aYj+VWq+VyNNIl5zA+V70LKj+VZgOs+VneC+V9ON/+VRSE+VktaKA+Vej+VSiA+Y:jVYNI7KK3Fm6LtBCxxv
TLSH: T1D601FACD26515345440CCE48766E0A18965ABBC0B4B4CF29ACD4187F9C997087068F4B
Magika: asm
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 42
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: mirai

Verdict: Malicious
File Type: ps1
First seen: 2025-12-22T06:11:00Z UTC
Last seen: 2025-12-22T06:56:00Z UTC
Hits: ~10
Status: terminated
Threat name: Linux.Trojan.Vigorf
Status: Malicious
First seen: 2025-12-22 07:35:22 UTC
File Type: Text (Shell)
AV detection: 17 of 36 (47.22%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 3b9a50826c83693a023ef643778c4fb4b50d6226b69f2d996ccc365ddcf499bf

(this sample)

  
Delivery method
Distributed via web download
