MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f4831d6685b10793fcdf3fcac397864e1e62ede9ca4e11b70c41bb1611dcbb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	5f4831d6685b10793fcdf3fcac397864e1e62ede9ca4e11b70c41bb1611dcbb3
SHA3-384 hash:	4b2389fcdd64ebb22155e5612ea286095403a5d836805a47094ade46f845df484d95300a58c565c144eb6d380edd3846
SHA1 hash:	e686fa27b0ee4136e3d48d68e4e03ece8bc1ec62
MD5 hash:	512d04136ae4334537722c4ca4a7d5c4
humanhash:	oxygen-lactose-double-bravo
File name:	wget.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'014 bytes
First seen:	2025-12-21 13:26:40 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:ywQwJlPq9YhhzlFy9NIl5mkCa0LK2ZNgOFanJMS9O7tjRaSOZ8pNtf5Ssf2G9Fxo:EwPSMlUNI7MKJIYm5slONtx1O0Hf8jn
TLSH	T1EE1196DE359153A2854CDF88AF79046D9028BAC4A9B0CF349CD6583ECCEE7487439B56
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://143.20.185.78/bins/arm	8a6ddd16ceeec5a114f3e8319a225ce5f75cba9225d79855231de0b113472d1f	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/arm5	d2a961569e9ce75e16e24f1ce9614e45a83ce50d90dc0af52347cffb33e30509	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/arm6	9c8738bb0a3663b08bbd4a0b78db2d4d1204f120c959717a7471864828956655	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/arm7	263f89416439f5e9d7c35621153981655eec33e46fb7f7eb70ad43357d0cfad6	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/m68k	6c109c0a95546cb495003464b596291095e5fc0a9502644b99eaa5cb5f1c0c3e	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/mips	97f6da2917e358287321571ea5aca6dcd706d8791e52f882c39937b347169b21	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/mpsl	n/a	n/a	elf ua-wget
http://143.20.185.78/bins/ppc	27d0189c10636921860c51dcb5f48dbae0ebcb5871713973b6a1b194e5a9b761	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/sh4	002bc08e9e4252f58e402d64fb46bb1d4ed3acf453bbd69d2a1f8888ed16616e	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/spc	85d24859f9da4218bc6cd4c98243c62530c4a7a7b71407a3628eebe85dd06e91	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/x86	9ebe58ec528e0153eb1113aec8024c58d21a0d513912a496ff4daf1b8c8393f5	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/x86_64	4e8f0ba152cffbf54a5c44fbd3253a3979326bf455120a6bbb6e749a090f9fff	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive mirai

Link:

https://www.filescan.io/uploads/6947f5b1e126b9ff438abe84/reports/a2b1fc34-6dce-44c4-878b-bfe6b0d4ec71/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-21T11:02:00Z UTC

Last seen:

2025-12-21T12:52:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/5f4831d6685b10793fcdf3fcac397864e1e62ede9ca4e11b70c41bb1611dcbb3/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/da317fa1-a178-4d4f-91e3-b9bc043676c5

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5f4831d6685b10793fcdf3fcac397864e1e62ede9ca4e11b70c41bb1611dcbb3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5f4831d6685b10793fcdf3fcac397864e1e62ede9ca4e11b70c41bb1611dcbb3/

Threat name:

Script-Shell.Trojan.Multiverze

Status:

Malicious

First seen:

2025-12-21 13:27:16 UTC

File Type:

Text (Shell)

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l5eddvtilmihsp6n6p6kyolymtq6mlw6tssocg3qyqn3cyi5zozq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:owari botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251221-qp8z6adl3w/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Enumerates active TCP sockets

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/5f4831d6685b10793fcdf3fcac397864e1e62ede9ca4e11b70c41bb1611dcbb3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh