MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6956dbac3319b8acbb5bef935e05da5b2de2e429812a7a632b32ae6d745f5dc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	6956dbac3319b8acbb5bef935e05da5b2de2e429812a7a632b32ae6d745f5dc9
SHA3-384 hash:	652fa38b124b87d95f7241a6e808be7ccd81df06ebbcdecb86650b120c927357b752c2f6250f8400f39fd7ab85667a37
SHA1 hash:	6130738cc6bdc76e1c2b5dc97911568669720f36
MD5 hash:	cc8dafe0c108a5d2fd857a89e229cf76
humanhash:	lamp-fish-pizza-ink
File name:	run.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'907 bytes
First seen:	2025-11-04 00:50:38 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:OCT0a02JMcdGdbiBop9puZwIEfIEnE2EhEZYLvA9Abw5NzvzLGLJUfokv/a/hM3Y:gx2JMkSbiBEjuZvvcvyYObwbUhM3Y
TLSH	T10B516D9E0200DB31D60CDE4FF7F2B134610FA182A7DEDA45B9900E6C0EC9D4CA685E61
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnaarch64xnxn	82fc91467ae3118635d5baf0c4a1b8e2985f81aff6f14dc104ff437a159e0869	Mirai	arm elf geofenced mirai ua-wget USA
http://196.251.87.194/bins/xnxnxnxnxnxnxnxni386xnxn	f8ea21971d321e0acaebb05c9b4f1d83df638d72dee68acd9c031fe47c1e689b	Mirai	elf geofenced mirai ua-wget USA x86
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnloongarch64xnxn	d4d15b10f86194f4526390a76687063937d910dc744d770fbc4a646d7d8e49ea	Mirai	elf geofenced mirai ua-wget USA
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnm68kxnxn	e75d1e9b8b075abfc60c3db669af4c073efd35d94f2aca3e528f3af6e3eea772	Mirai	elf geofenced m68k mirai ua-wget USA
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnmicroblazexnxn	f7efc9025574ceacaba61d1cb5d62cc80f4396bd5e42766a9e0254d2f6aa8d3a	Mirai	elf geofenced mirai ua-wget USA
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnmipsxnxn	23e8188ff6a5422aa9a12a008406d166d10ceb6f5db08183acbd65a6898d3e7e	Mirai	elf geofenced mips mirai ua-wget USA
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnor1kxnxn	52af6dd63be1b558d11570db5111b06a4fe6707593167c3a91f69f5e6dc156fe	Mirai	elf geofenced mirai ua-wget USA
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnpowerpcxnxn	9e5647981fd2d0a93efa242dfaf007bf4c983e2677db31e4f3ac2437db290bac	Mirai	elf geofenced mirai PowerPC ua-wget USA
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnriscv32xnxn	f1db9998646df4dfc57937b2b5df86ed03d5b55001319741405fc2025308c520	Mirai	elf mirai ua-wget
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnriscv64xnxn	c3417dee4858027801671539b5d663158f65f8e0f99d30715f0117d2857cdcc5	Mirai	elf geofenced mirai RISC-V ua-wget USA
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnsh2xnxn	349d2a4ef7d1928bb8c8c8db8aa1114e48af7a4595e195bda21e0e3803dc13f6	Mirai	elf geofenced mirai SuperH ua-wget USA
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnsh4xnxn	573ed9dde72bdbf9fd366ba569e819c517c1c8795b8a24eefa415716dec13318	Mirai	elf mirai ua-wget
http://196.251.87.194/bins/xnxnxnxnxnxnxnxnx86_64xnxn	c5a64433d8e8865032a3edd2db818c0e379073c65497e2742ba002f4c6a2315c	Mirai	elf geofenced mirai ua-wget USA x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

File Type:

text

First seen:

2025-11-03T23:06:00Z UTC

Last seen:

2025-11-04T00:12:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/6956dbac3319b8acbb5bef935e05da5b2de2e429812a7a632b32ae6d745f5dc9/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/8333044f-382c-414c-a54b-195e3ddb870c

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/6956dbac3319b8acbb5bef935e05da5b2de2e429812a7a632b32ae6d745f5dc9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6956dbac3319b8acbb5bef935e05da5b2de2e429812a7a632b32ae6d745f5dc9/

Threat name:

Linux.Downloader.Generic

Status:

Suspicious

First seen:

2025-11-04 00:53:39 UTC

File Type:

Text (Shell)

AV detection:

4 of 24 (16.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nflnxlbtdg4kzo2356jv4bo2lmw6fzbjqevhuyzlgkxg25c7lxeq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251104-a8acya1mdt/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6956dbac3319b8acbb5bef935e05da5b2de2e429812a7a632b32ae6d745f5dc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.