MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59c52e9ec13aa8f1b48f28bf5a3ddf0d58b8ca2e0cb8a596a30557a535ba4cab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 5



SHA256 hash: 59c52e9ec13aa8f1b48f28bf5a3ddf0d58b8ca2e0cb8a596a30557a535ba4cab
SHA3-384 hash: cd1682ecf7c0600e7cabcac2971969da2ec4315b0d3e74647f342894dba81227e6e4ac912eed882c66d03267d6bfcee0
SHA1 hash: 54215fa95a84220957c8e35231268f136f465748
MD5 hash: 374a041692549fef584f642261a5ad41
humanhash: missouri-bluebird-march-eighteen
File name: w.sh
Signature: Mirai
File size: 751 bytes
First seen: 2026-01-01 10:05:54 UTC
Last seen: 2026-01-02 07:42:17 UTC
File type: sh
MIME type: text/plain
ssdeep: 12:dUlxqU9UneKlCEU9UTiKl2EU9U7dKAU9U5U9Um9qU9UzFG10qU9Uw1U9Uk7IAU9T:ix7ilC5/KlQbl3d5nQMGrHR
TLSH: T1C6011EEB41BA9922C79C8D8830AA88386544D6D53EB28FCCDC5C44B16DC7919B166F8A
Magika: html
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 3
# of downloads: 45
Origin country: DE

Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox mirai
Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2026-01-01 10:06:15 UTC
File Type: Text (Shell)
AV detection: 11 of 24 (45.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
