MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 489e2e274923863955068bf07d9050ef9da2fc70918cd64a1b2380ef28dbfa22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	489e2e274923863955068bf07d9050ef9da2fc70918cd64a1b2380ef28dbfa22
SHA3-384 hash:	d7c00ee2aa4e91c3984c08ce6818505e9d28673430aea71b5ae3a4873f29a688e993f09bb33de60b0ff1a8a0744f16e1
SHA1 hash:	6ebf68b96d3e9ca79d06388b496552d1bc15daf1
MD5 hash:	4cafe7b810f4bc18a3bdfb7a9fbd0852
humanhash:	artist-lion-delta-london
File name:	wget.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'026 bytes
First seen:	2025-10-25 13:48:17 UTC
Last seen:	2025-10-25 23:18:22 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:ywQwJlPhKYhA+lk19NIl5d1Ca0LKNMNgOFx4JMJ6O7tjQ/SOZ7eNt2KJlf2G9kCo:EwPgalsNI76KjIGK5MlsNtVnO0vf8jn
TLSH	T15E11E4DF35911FF28E4C9F0CFE7114665406B3D4F9130E745583187A8DE6788BA28E96
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.156.152.237/bins/arm	8dc7ed0c0eb3a98210823b48a59180a41c881cdba6570d76bb542cc2f0cd7fb9	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://94.156.152.237/bins/arm5	fd60d6b5596fac5d5e86b209a594861131202d04b43cc8d70e71f07465b381b3	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://94.156.152.237/bins/arm6	9a761ce53d6e9a4c2cdd70fe66abbc6dfc87d79334f09d289b25d5515ddafe26	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://94.156.152.237/bins/arm7	ac3bc92e6f0a7dd9c82a4e8e4d6145f086895b1717d7432fbd203471836374c4	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://94.156.152.237/bins/m68k	06cee20c7375828a3819a0c5163fab524d61aea85f1b11a8a6a1651775353000	Mirai	elf geofenced m68k mirai opendir ua-wget USA
http://94.156.152.237/bins/mips	1f619b2d63bf46e759181edafab3743171ac4fa54308451a6318f6a5424275fd	Mirai	elf geofenced mips mirai opendir ua-wget USA
http://94.156.152.237/bins/mpsl	n/a	n/a	elf ua-wget
http://94.156.152.237/bins/ppc	467aba87dd511756b865bd480c1caa85a759fb625a582e0b3745daf2eb03842e	Mirai	elf geofenced mirai opendir PowerPC ua-wget USA
http://94.156.152.237/bins/sh4	bc2b9ff74cbe81585f1badb17d6555e23c214305a121b3f4ec02d249c632b8a5	Mirai	elf geofenced mirai opendir SuperH ua-wget USA
http://94.156.152.237/bins/spc	01eb5884ecf3d7e9615a4694fe4c0477e444054c0941503d1ff467e8dd2f7ff8	Mirai	elf geofenced mirai opendir sparc ua-wget USA
http://94.156.152.237/bins/x86	f7181a9e714a5d2858399b75ab327b17ec0c48c0d4809c49af7d6bfb99c237c8	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://94.156.152.237/bins/x86_64	4cbb02a607e7e41985733d4ebcd9881da78c1d6ed68e6781c4dcaca0befa7470	Mirai	elf geofenced mirai opendir ua-wget USA x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-25T11:02:00Z UTC

Last seen:

2025-10-26T10:14:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/489e2e274923863955068bf07d9050ef9da2fc70918cd64a1b2380ef28dbfa22/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/b5411215-47ed-47dc-8395-09ce02b11eaa

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/489e2e274923863955068bf07d9050ef9da2fc70918cd64a1b2380ef28dbfa22

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/489e2e274923863955068bf07d9050ef9da2fc70918cd64a1b2380ef28dbfa22/

Threat name:

Script-Shell.Trojan.Vigorf

Status:

Malicious

First seen:

2025-10-25 13:49:30 UTC

File Type:

Text (Shell)

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jcpc4j2jeoddsvigrpyh3ecq56o2f7dqsggnmsq3eoao6kg37ira._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:owari botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251025-q4epvswkcm/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Enumerates active TCP sockets

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/489e2e274923863955068bf07d9050ef9da2fc70918cd64a1b2380ef28dbfa22

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 489e2e274923863955068bf07d9050ef9da2fc70918cd64a1b2380ef28dbfa22

(this sample)

Mirai

elf ab273a6adb648557386f686f0cf8d53659999382320d529766c0b1a10718ba3f

URLhaus

https://urlhaus.abuse.ch/url/3687161/

Delivery method

Distributed via web download

Dropping

MD5 61ea1128c5f99e3e5825d02f78ec4ac0

Dropping

SHA256 ab273a6adb648557386f686f0cf8d53659999382320d529766c0b1a10718ba3f

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample