MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fcce9c11a928402670877d13e130d0137fd901fb5d5f4092808c7b41ddee9a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: 4fcce9c11a928402670877d13e130d0137fd901fb5d5f4092808c7b41ddee9a1
SHA3-384 hash: 2f5415e31461b84ac0b6d07510a6f0e091f3ebbad07198b3cb250b9e474f5b583b247b72794dd8c973d45f34f9565fd0
SHA1 hash: 3b5bea6763ae66e5c635b7b25909ca4d6ab9f770
MD5 hash: 37b8883b91de522e043575879ffc8aa4
humanhash: orange-uranus-table-table
File name: wget.sh
Signature: Mirai
File size: 541 bytes
First seen: 2026-03-25 03:51:40 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep 6:eJ+jnXCIXCIfdzIrAdQKmsdUI3LndmHWJFa0LKiev:eJ+jXCQJ98iL4Z0LKVv
TLSH T129F044DB2BE53A62404ACF10F3624D96610DE7D49093CACD64CD2D677C549C0B99CEA1
Magika: txt
Reporter: abuse_ch
Tags: mirai sh

URL | Malware sample (SHA256 hash) | Signature | Tags
http://91.92.241.94/mips | 515fa150dd501477994d59e301e24a5bc61f121709f92a209ce2d5c4ff1c4f1e | Mirai | elf gafgyt mips mirai ua-wget
http://91.92.241.94/mpsl | 54770cc6f92091ece1475548324fe4255f9c2b6002c4285fe34b7dc6f38575d0 | Mirai | elf mips mirai ua-wget
http://91.92.241.94/arm4 | 5dc7e84871af255a0706465eee841ddeb13819d9b1555b6976e3f96d2591521e | Mirai | arm elf mirai ua-wget
http://91.92.241.94/arm5 | bf2f32cf70d2783d25d1df96f63a0bb00c6fd8cc12f55339c962e11f08326732 | Mirai | arm elf mirai ua-wget
http://91.92.241.94/arm7 | e4ad930449f130b22330db4edcdba4d3cc64f73b0fec860372992c0ea05e21d2 | Mirai | arm elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 41
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox mirai
Result
Gathering data
Verdict: Malicious
File Type: text
Detections: HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph: /usr/bin/sudo (pid 3208) executes /tmp/sample.bin (pid 3209), which executes /usr/bin/rm once and /usr/bin/wget (net, send-data, write-file), /usr/bin/chmod and a cloned /usr/bin/dash five times each. Each wget process sends 131 B to 91.92.241.94:80.
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2026-03-25 03:52:20 UTC
File Type: Text (Shell)
AV detection: 8 of 36 (22.22%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
