MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b1fc4f679e0d623a085833708a6d288c7f9b2310ee0bdedc6104a274ff95fe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: 5b1fc4f679e0d623a085833708a6d288c7f9b2310ee0bdedc6104a274ff95fe7
SHA3-384 hash: ad30656d2a1d6353d7e662de212155c65c6a627f65c24884030e5509e71d27a1a206ce305be844ad3a672e313070a6e3
SHA1 hash: ce78059f2e4bfe717cbc9fa9303f09b61d61b201
MD5 hash: f5e3bce1449950def58df4bc0fe0d5a3
humanhash: bravo-ink-alaska-quebec
File name: tplink.sh
Signature: Mirai
File size: 2'160 bytes
First seen: 2026-01-01 19:14:55 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:boGGMpzaU+odcO9PDY6iGq6bQaMZ79ecr+PsN6iDv6El/ZAat/0:kz8+U+odb9bYCq6bQaMZ79eE+ENHv6E8
TLSH: T1024104DE2491B1B63A9DCF44F2710E39A40FE2C131C5DD98EA4A186349AE60A313AB19
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 34
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: busybox
Verdict: Malicious
File Type: unix shell
First seen: 2026-01-01T16:21:00Z UTC
Last seen: 2026-01-03T06:35:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Worm.Mirai
Status: Malicious
First seen: 2026-01-01 19:15:26 UTC
File Type: Text (Shell)
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: antivm credential_access defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Reads process memory
UPX packed file
Enumerates active TCP sockets
Enumerates running processes
File and Directory Permissions Modification
Deletes system logs
Executes dropped EXE
Renames itself
Unexpected DNS network traffic destination
Contacts a large (30160) amount of remote hosts
Creates a large amount of network flows
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
