MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e118f7e11053e5639d2c76d7982fbcdd12c36e25a9cfd278e6fbe2ea1cc1dec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: 4e118f7e11053e5639d2c76d7982fbcdd12c36e25a9cfd278e6fbe2ea1cc1dec
SHA3-384 hash: e2e32e30f49c00e9260b701600a05b4e0e5f09b2324aad54e86d55be158c24e3aa9ddd743d2a00d2e7640738ac251685
SHA1 hash: 2bb401e6763add285290fbb6c151b3f05924be2e
MD5 hash: 9807bbb801afe2e7a0e93155591e91e8
humanhash: spring-mirror-double-victor
File name: v.sh
Signature: Mirai
File size: 616 bytes
First seen: 2026-06-04 05:26:52 UTC
Last seen: 2026-06-04 21:29:26 UTC
File type: sh
MIME type: text/plain
ssdeep 12:kvyzSJafUOvPBENI3g9aOvPBENg9aOvPBEXP99qqdct8O8F/85Bnf7QqpPqpc:k0fUOvaNI3gkOvaakOvaXPOMetkOf7r
TLSH T1CDF07DFEE043A23978549548FA6C2471E653E66115307E78BFC36CB1E1ECC54716278A
Magika: shell
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://195.96.132.13/lul.arm7 | d241994cd6b7f0bc29cdb25f1e909de0ba8bc25c2cdd45cdc76381c951ac46c8 | Mirai | elf mirai ua-wget
http://195.96.132.13/lul.arm | 1635f339c767ba9575a5c021db422a495d41d5006f46bb3c084228ade1349d4d | Mirai | elf mirai ua-wget
http://195.96.132.13/lul.arm5 | cec38d757d53e6f2ba2724afd2cdb42176dd91a3251812d92f0a7c574d93d30c | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 2
# of downloads: 66
Origin country: DE
Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive
Status: terminated
Behavior Graph: /usr/bin/sudo (pid 2641) executes /tmp/sample.bin (pid 2648), which runs /usr/bin/wget, /usr/bin/chmod and /usr/bin/dash three times each. Each wget process (pids 2650, 2700, 2739) writes a file and sends data (136 B, 135 B, 136 B) to 195.96.132.13:80.

Threat name: Script-BAT.Downloader.Heuristic
Status: Malicious
First seen: 2026-06-04 05:27:38 UTC
File Type: Text (Shell)
AV detection: 5 of 36 (13.89%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
