MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 620e9a7dc1090c48edae5bb3374b9b0a7fc7fa3d1f4063f49e9fb10d11df8b15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	620e9a7dc1090c48edae5bb3374b9b0a7fc7fa3d1f4063f49e9fb10d11df8b15
SHA3-384 hash:	c9bd3415ed52dde25243c1548b94d8fa785c2c6ae3e268cf1ae7c4497367d2fcd48dcdd9aaec438ecbae969d7712528a
SHA1 hash:	d9313fcea6c221a4f634eeb3ddff27007e3c76e2
MD5 hash:	95353f04087412d8adf9c9c4f01a1fc3
humanhash:	april-fish-quiet-victor
File name:	620e9a7dc1090c48edae5bb3374b9b0a7fc7fa3d1f4063f49e9fb10d11df8b15
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'845 bytes
First seen:	2026-05-28 22:30:29 UTC
Last seen:	2026-05-29 13:24:09 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:T+kuoDdBHWtIf1CvRWFPFBM/hf/u/1bC/2/2waZf6fF81o7jt4gKJWwJbHR4BYWd:qq1m5No72A
TLSH	T1C831CA9AA0B891418588CE40B0F54DCF773BA69061A5463AF8433EB780C9D6A311DAFF
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	c2hunter
Tags:	31-56-209-72 sh wraith

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://31.56.209.72/iran.x86_64	ac0fa0ac1a0e8e7f17328b85565988fc635f3c6298219779071ac06b0176a082	Mirai	mirai wraith
http://31.56.209.72/iran.aarch64	a685313f3a72b5ad36df2c040aefab162bfd50c5914296a64bc298502091f00b	Mirai	mirai wraith
http://31.56.209.72/iran.m68k	5f7aad3cd758c51387940f9899324d461bfc58cedf819594f3b002b42ddbd4cd	Mirai	mirai wraith
http://31.56.209.72/iran.mips	3a06875b9404a65b68a43ddeebb17ae3e7569f0a003df2ee2f673ec591727dcd	Mirai	mirai wraith
http://31.56.209.72/iran.mipsel	36839038451f5ab313a47212fd7d904f668fd449383017a9b4696f1ef42dc5ac	Mirai	mirai wraith
http://31.56.209.72/iran.powerpc	4701e50221f07b0f642dc8b1793e8759bd722d192d514740132ac54fc16c7f6e	Mirai	31-56-209-72 elf mirai ua-wget
http://31.56.209.72/iran.sparc	ca7500cb2ded4077485e952dd953ec6c56a7064967a813c0d06bacfa26765854	Mirai	31-56-209-72 elf mirai ua-wget
http://31.56.209.72/iran.sh4	cc39b770d4557969d538258e162a86c7698d86af53665a105d648b0ae0d85de0	Mirai	31-56-209-72 elf mirai ua-wget
http://31.56.209.72/iran.arc	e2542debca5a511aa354fa38329b819194c7a044191f70e0840ac678a8f1baff	Mirai	31-56-209-72 elf mirai ua-wget
http://31.56.209.72/iran.i486	1a1016c10626697a229d879faf65881c8a53a74136e59ebc5197c500d448d8d7	Mirai	31-56-209-72 elf mirai ua-wget
http://31.56.209.72/iran.armv4l	1164d0e17da932bb76bfe1797943dfadcb26eab5306366ca61353a6d7735076c	Mirai	31-56-209-72 elf mirai ua-wget
http://31.56.209.72/iran.armv5l	06cd8b579b111c6b1c2d75b41f792908fec69cf8406fc6745043101aac53c599	Mirai	31-56-209-72 elf mirai ua-wget
http://31.56.209.72/iran.armv6l	20727a163bcbe6aca6dfdde726d7049df53a93d08d238aec93266e1ef11d9206	Mirai	31-56-209-72 elf mirai ua-wget
http://31.56.209.72/iran.armv7l	1eb3f62d55cf55412c164fa7cd891d40225066d391ea54363de788f29f20d8c1	Mirai	31-56-209-72 elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-05-28T19:38:00Z UTC

Last seen:

2026-05-29T05:40:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/620e9a7dc1090c48edae5bb3374b9b0a7fc7fa3d1f4063f49e9fb10d11df8b15/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/943058f6-cae7-469d-b1db-0a6cc4d798ee

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/620e9a7dc1090c48edae5bb3374b9b0a7fc7fa3d1f4063f49e9fb10d11df8b15

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/620e9a7dc1090c48edae5bb3374b9b0a7fc7fa3d1f4063f49e9fb10d11df8b15/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/620e9a7dc1090c48edae5bb3374b9b0a7fc7fa3d1f4063f49e9fb10d11df8b15

Threat name:

Script.Downloader.Iranbot

Status:

Malicious

First seen:

2026-05-28 22:30:44 UTC

File Type:

Text (Shell)

AV detection:

16 of 38 (42.11%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mihju7obbeger3noloztos43bj74p6r5d5agh5e6t6yq2eo7rmkq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/260528-2e52asdz4v/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/620e9a7dc1090c48edae5bb3374b9b0a7fc7fa3d1f4063f49e9fb10d11df8b15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh