MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ab96f447a3fe783269b9bebea3c02ced3338ac4948da8b84a29664cfa2c509b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	4ab96f447a3fe783269b9bebea3c02ced3338ac4948da8b84a29664cfa2c509b
SHA3-384 hash:	6697f3359fbe33de72261ea2a484215fc8f65e9694e313cb6de592b4f6efd855b8f700a436c5bf8659de351b5a92c26a
SHA1 hash:	6e6d12cadbdf94ae96176e6d522068cc9a1c6bc8
MD5 hash:	54121bde7c78e9f309af7c566ef5f54c
humanhash:	wolfram-sweet-oregon-glucose
File name:	all.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	942 bytes
First seen:	2026-06-05 01:49:54 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:xpZSFNIstLKuavD9jXWkdM9ISRpK2EduXU:xp8FNImKuAyRpKGU
TLSH	T1E711BADE30EF24B55C02BE42B05188D4F549F2DBB9A69F48FC848EB18597BB5302CB85
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://5.175.223.249/data_arm4	ebcbc9ed3fc243326104277396da19e8a96927936e1d48c2b79f06385f80e93c	Mirai	elf mirai ua-wget
http://5.175.223.249/data_arm5	c99bda9c36167aec7d2e0543eae7290a9e6f128da87b688559208bcb02938aa1	Mirai	elf mirai ua-wget
http://5.175.223.249/data_arm6	n/a	n/a	elf ua-wget
http://5.175.223.249/data_arm7	ce30abebd7c1e9fe5b016ae13bc72a9ab154d9293b5df8b0f45904e05dd5d89b	Mirai	elf mirai ua-wget
http://5.175.223.249/data_aarch64	6d8fdf8f5886c594e4705cc207f70c979293c28a59d3fd27fac7ae617e469038	Mirai	elf mirai ua-wget
http://5.175.223.249/data_mips	c72fd954187659d1c9a9ac03c8711944061b26007d5f30f471ef148bc354aa00	Mirai	elf mirai ua-wget
http://5.175.223.249/data_mipsel	c7b379b588dcd3801157e0cfb817bf0484839be8a2e8515654e7a78d17bf3744	Mirai	elf mirai ua-wget
http://5.175.223.249/data_mips-uclibc	b847130751c20bd5f4c6e4309d928dcee7620d4dc94bcdbc46c03bbc17543edb	Mirai	elf mirai ua-wget
http://5.175.223.249/data_mipsel-uclibc	e28a394b2e5c3d1627c75b81af09c2b0206905f168b55b6722a303b52022d815	Mirai	elf mirai ua-wget
http://5.175.223.249/data_powerpc	3352f2ce5764e2875177af4eeb54c2fb92072326ee84e9ee65de86738f73824d	Mirai	elf mirai ua-wget
http://5.175.223.249/data_x86	8a4d59c745036a82a74cace444ba9a20dcd909d5637eba03cdcd2971d42707bb	Mirai	elf mirai ua-wget
http://5.175.223.249/data_x86_64	0e5416385b4d4ae5a00d3bdfd7d38bf44d8582a71a23be5c2e0b160afce2edee	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6a222b63099ef368af20490f/reports/a230d88d-c356-4864-86d4-4b18f3e38d3d/overview

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/5a788aac-ec12-441e-8acc-707036cd1f2e

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/4ab96f447a3fe783269b9bebea3c02ced3338ac4948da8b84a29664cfa2c509b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4ab96f447a3fe783269b9bebea3c02ced3338ac4948da8b84a29664cfa2c509b/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/4ab96f447a3fe783269b9bebea3c02ced3338ac4948da8b84a29664cfa2c509b

Threat name:

Document-HTML.Downloader.Heuristic

Status:

Malicious

First seen:

2026-06-05 01:50:50 UTC

File Type:

Text (Shell)

AV detection:

7 of 36 (19.44%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jk4w6rd2h7tygju3tpv6upacz3jthcwessg2rockfftez6rmkcnq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260605-b9gzvabv2j/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/4ab96f447a3fe783269b9bebea3c02ced3338ac4948da8b84a29664cfa2c509b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh