MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4082a6b5a60b62345f56d5336e9b28e03c2233efb6c40454fd0d6d05860d5c8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	4082a6b5a60b62345f56d5336e9b28e03c2233efb6c40454fd0d6d05860d5c8b
SHA3-384 hash:	6bc2e68ec6c005f246ec29204c5e9d1cd065649cd4ea22125668afd573590ed3fdc3d78f46a7f5381aa728f1c2ab3df9
SHA1 hash:	edf34eead8e2a41bfb51f4872e4fd6c39752e972
MD5 hash:	fa936d8206e36fde302fd135100e596a
humanhash:	colorado-spring-timing-shade
File name:	xcurl.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'915 bytes
First seen:	2025-08-09 06:29:32 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:VPWyasMUkqpWlA9A5Btaxq3c+5LijOP6o55Lw3klNz7K:VNBsaxCWjOP6oLUIxG
TLSH	T14651BAA941292C5FF7189E4BB3BB8D1D12325FB9106FCF89DF813529DC4DA64A0D3622
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://213.209.150.187/odin.arm	9a36946cbdf2682af5b0227ee93b120c3c0543f260076bb2094638a71b68e294	Mirai	elf geofenced mirai ua-wget USA
http://213.209.150.187/odin.arm5n	d89b9aa7f0ac337077c5614d1d8321d1a0dff5280560bde0a8339c0dba0abd5d	Mirai	elf geofenced mirai ua-wget USA
http://213.209.150.187/odin.arm7	bdde0035d6b37dce2fff359848916a559640206659024577d4fa61608b4931bc	Mirai	elf geofenced mirai ua-wget USA
http://213.209.150.187/odin.m68k	a11b9aef373169010a4822273a8a16fb4deb9e386166e4b94aa791f34a25f39e	Mirai	elf geofenced mirai ua-wget USA
http://213.209.150.187/odin.mips	a25ff39e978fa88f79d10bcd25a86bc48d196af8e2046be47a886ce4dd6a6650	Mirai	elf geofenced mirai ua-wget USA
http://213.209.150.187/odin.mpsl	96f1e58ca140b8babe3873412dc17b203d2b87df2e70886625c249d3db092789	Mirai	elf geofenced mirai ua-wget USA
http://213.209.150.187/odin.ppc	e7834d6e7af525e9200c4f98255f6a3db500d86e1a1d254610c1f5d47a90575b	Mirai	elf geofenced mirai ua-wget USA
http://213.209.150.187/odin.sh4	b185e773d0014ff89e12a4ba6075282488a1b130af190e3d8c064d618c11cf7e	Mirai	elf geofenced mirai ua-wget USA
http://213.209.150.187/odin.spc	3ccec93311c41cc3a813b5762e249706c4cc3fd2c04894585300e05221268a01	Mirai	elf geofenced mirai ua-wget USA
http://213.209.150.187/odin.x86	aa14c7945115ba63c093f4ca508af7a9b20198c432a70b68cab2f52bad4121c7	Mirai	elf geofenced mirai ua-wget USA
http://213.209.150.187/bizy.arm5	n/a	n/a	elf ua-wget
http://213.209.150.187/bizy.arm6	n/a	n/a	elf ua-wget
http://213.209.150.187/bizy.arm7	n/a	n/a	elf ua-wget
http://213.209.150.187/bizy.arm8	n/a	n/a	elf ua-wget
http://213.209.150.187/bizy.mips	n/a	n/a	elf ua-wget
http://213.209.150.187/bizy.mpsl	n/a	n/a	elf ua-wget
http://213.209.150.187/bizy.mipss	n/a	n/a	elf ua-wget
http://213.209.150.187/bizy.mpsls	n/a	n/a	elf ua-wget
http://213.209.150.187/bizy.riscv	e2fbe4a0085cfa107069c0a614ecae10e3b1b04f1ecfee287f2d5abdc2b79a13	Mirai	elf mirai ua-wget
http://213.209.150.187/bizy.x86	n/a	n/a	elf ua-wget
http://213.209.150.187/bizy.x64	n/a	n/a	elf ua-wget
http://213.209.150.187/bizy.mips64	2fa27985ef9b46d3584dcff9ec777b1fdd62ea98a7660490cc3ebb5fc5b79172	Mirai	elf mirai ua-wget
http://213.209.150.187/bizy.mpsl64	8b35595ec94e07930eaf57ce734a1d48ab90db9ee97073bedda788574786eeda	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/a1a96e9e-f861-4ddc-a052-64299d8dc654

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/4082a6b5a60b62345f56d5336e9b28e03c2233efb6c40454fd0d6d05860d5c8b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4082a6b5a60b62345f56d5336e9b28e03c2233efb6c40454fd0d6d05860d5c8b/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/4082a6b5a60b62345f56d5336e9b28e03c2233efb6c40454fd0d6d05860d5c8b

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-08-09 06:30:57 UTC

File Type:

Text (Shell)

AV detection:

10 of 23 (43.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=icbknnngbnrdix2w2uzw5gzi4a6cem7pw3caivh5bvwqlbqnlsfq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250809-g88n3asvez/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Contacts a large (14568) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Malware Config

C2 Extraction:

104d.hldns.ru

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4082a6b5a60b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4082a6b5a60b62345f56d5336e9b28e03c2233efb6c40454fd0d6d05860d5c8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.