MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bee097968d5468854f58ae86da97e0d87801dece2f9545dce00541e1e8c8744. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	6bee097968d5468854f58ae86da97e0d87801dece2f9545dce00541e1e8c8744
SHA3-384 hash:	fdc49affdea5fca94444e948621689ce6a57633610ac70c21049eb9a5bbedcf8fba8e49e812e0b46033e1831937a2041
SHA1 hash:	b1c45d524e5174dfacd88d01497e5d8f6eea8287
MD5 hash:	f699d79490fb19659936bf2ee6a6e42f
humanhash:	massachusetts-lactose-two-stream
File name:	fentbins.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'857 bytes
First seen:	2026-01-13 06:18:00 UTC
Last seen:	2026-01-13 18:38:58 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:iqxdqCUqRheGqvCkqMcLqZtJq2MqS8qnRqOz:iqxdqCUqLeGqvdqMcLqZ7q2MqS8qnRqa
TLSH	T14A312FC52341353169A1DD2B7ABBC984B2F47065BEC52A2966D83CE8C1DCF08FC51F92
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://87.121.112.124/bins/fent.x86	0d32236bfdd18985046bc80818bfa5b8baec2ca0a982d61bf4b62d898d94d08f	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.mips	6668094256bac1ecf829e2686192d4de0322c65ad24b6bce0137dc1ca5ccb844	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.mpsl	7b3f23580daa37bf9fc7811a111b25ad60eeb3b6ebed2fb531fd3b44fb2ee8a6	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.arm4	n/a	n/a	elf ua-wget
http://87.121.112.124/bins/fent.arm5	3b50fa8b73b431bf3c4ceafc12bbf57d7227d1f2586cb6cabe5fded45e511d55	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.arm6	7b9538d470db982bd0b900a517de9275c8a2a9427657a85358f1da8723a7814c	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.arm7	1bf10173feab7e57ff553a91fa313a213a025f5e295852db136707fe1173bb14	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.ppc	ae1a3bf5a75f9610aa20349f03c58bb144b7de874fd4800ec477934dd0ebfeb8	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.m68k	0a147ad163eb46d153a692d285093dd08042cc9f377fe75cff63189e5c82eee8	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.sh4	05733b6df5ecb188fcece2cce03ee0cd4926facf754d10a2b6e8143c315ba18a	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox medusa mirai

Link:

https://www.filescan.io/uploads/6965e3af3827c9e1249a64c6/reports/26c0d1af-55de-49c7-899c-99aae33026a4/overview

Result

Gathering data

Verdict:

Malicious

File Type:

Script

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/6bee097968d5468854f58ae86da97e0d87801dece2f9545dce00541e1e8c8744/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/31806215-8f19-4d33-afd5-40611877f11d

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/6bee097968d5468854f58ae86da97e0d87801dece2f9545dce00541e1e8c8744

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6bee097968d5468854f58ae86da97e0d87801dece2f9545dce00541e1e8c8744/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/6bee097968d5468854f58ae86da97e0d87801dece2f9545dce00541e1e8c8744

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-01-13 05:22:50 UTC

File Type:

Text (Shell)

AV detection:

22 of 36 (61.11%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=npxas6li2vdiqvhvrlug3kl6bwdyahpm4l4vixooabkb4humq5ca._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260113-g2sz2act7h/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6bee097968d5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/6bee097968d5468854f58ae86da97e0d87801dece2f9545dce00541e1e8c8744

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh