MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b9c4067e620042390837d0f63d921fc47b7d675d89503b9383f7b4b6fa96f83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai
Vendor detections: 4



SHA256 hash: 4b9c4067e620042390837d0f63d921fc47b7d675d89503b9383f7b4b6fa96f83
SHA3-384 hash: c3958ed24d0758447b3a336411662273a36e45974fc241da82c99b5e8a68e1d7148f08488fd54d62f8610ac2a084b58a
SHA1 hash: f437425a7fc205703b7617a2569983167e0a428f
MD5 hash: 7c7dc9f3da340548bd46c86f42774d0f
humanhash: bakerloo-apart-one-butter
File name: w.sh
Signature: Mirai
File size: 798 bytes
First seen: 2026-01-22 12:23:06 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:nVH6KVHIPVHjIWLVHyeCVHJNVHo67VH4VovVHCnVH8VH33VHTgOvjn:cIE36mVo0fEjn
TLSH: T1BF0180CF91941F7086648F2CB973C41C600D89D1F68306EC964F08799EA9F15F756F89
Magika: txt
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://94.156.152.67/bins/4rm | 86414e5dc4a6412453c70c42545f1b17ca423a27739825730a4aa5c26b57f19c | Mirai | mirai opendir
http://94.156.152.67/bins/4rm5 | f7c16a1a44a9dc6b3ee1f73afffdcd425ca67e0e9c70df44544d488826ad5d8b | Mirai | mirai opendir
http://94.156.152.67/bins/4rm6 | 0725116cab37fe76b32f0e460f6dd085bd44618f800918722650bfcd99fbfb5a | Mirai | mirai opendir
http://94.156.152.67/bins/4rm7 | 269c7e600d41cd03b27026d9ea50021b37c36fbf457b44d0f1870180be7ff434 | Mirai | mirai opendir
http://94.156.152.67/bins/sh4 | 1a5a9c16ffb10732468c63adce73c8d97117a701b17646bd6b18c868ccf3911d | Mirai | mirai opendir
http://94.156.152.67/bins/ppc | ed2400f0b058f632797e1c8d3f767473ee2bc150576f729d21990bdb67eb45d4 | Mirai | mirai opendir
http://94.156.152.67/bins/m1ps | 56fbe540dbc23fddc5be95941b83730ae9a7cb6e95945da3877f27bb281cb6e5 | Mirai | mirai opendir
http://94.156.152.67/bins/m1ps3l | 9f9f1cde25c8a1ae8e6c3386fe9b92eb41dad1f5c54145b87a5012f70f65fc95 | Mirai | mirai opendir
http://94.156.152.67/bins/spc | e41e5677380874d4dc1a6cfe1de973ce81f144f6aaf70d9aa45cf32d3dff3d68 | Mirai | mirai opendir
http://94.156.152.67/bins/x861 | cdcec3f4fd3d942bbea8523307209f733d6c9d6914e006568a989ea48601d698 | Mirai | mirai opendir
http://94.156.152.67/bins/m68k | bfc0640f2489867fb6befa8ffe3d07610d44a47b95602091b342163828297673 | Mirai | mirai opendir

Intelligence


File Origin
# of uploads: 1
# of downloads: 23
Origin country: DE
Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox mirai
Result
Status: terminated
Behavior Graph:
Process tree condensed from the rendered behavior graph (sandbox node ids omitted; pids, paths, flags and network endpoints as shown in the graph):

/usr/bin/sudo (pid 3208)
└─ execve /tmp/sample.bin (pid 3209)
   ├─ 11x execve /usr/bin/busybox [net, send-data, write-file] (pids 3210, 3231, 3247, 3264, 3300, 3454, 3484, 3512, 3536, 3556, 3851); each sends 84-87 B to 94.156.152.67:80
   ├─ 11x execve /usr/bin/chmod (pids 3226, 3243, 3261, 3291, 3451, 3481, 3509, 3532, 3554, 3569, 3869)
   ├─ 10x clone /usr/bin/dash (pids 3227, 3244, 3262, 3293, 3453, 3483, 3510, 3534, 3555, 3874)
   ├─ execve /home/sandbox/x861 [net] (pid 3571): connects to 8.8.8.8:53; clones /home/sandbox/x861 as pids 3572, 3694, 3849, 3850
   │  └─ /home/sandbox/x861 (pid 3850) [net, send-data, zombie]: connects to 8.8.8.8:53, sends 10 B to 94.156.152.67:1999; clones pids 3852, 4006, 4171
   └─ execve /usr/bin/rm [delete-file] (pid 3882)
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Signature: Mirai
  File type: sh
  SHA256 hash: 4b9c4067e620042390837d0f63d921fc47b7d675d89503b9383f7b4b6fa96f83 (this sample)

Delivery method: Distributed via web download

Comments