MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d8d4f606300d2a89e47705813ab1355357032215fe352ff48626f1b17966af9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	6d8d4f606300d2a89e47705813ab1355357032215fe352ff48626f1b17966af9
SHA3-384 hash:	ff83fa272cf1ce29d56111950d2f917ce477e99d8b4df5c5abe14c9dde81e29a5e75a56f48db3037e5813ec1823759a3
SHA1 hash:	f05edc50baba73912d52291a99228c1b77780d12
MD5 hash:	5ebbdc49637e8e54bddb334f1f0b774e
humanhash:	summer-avocado-five-four
File name:	tuxbot.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'154 bytes
First seen:	2026-01-13 17:32:05 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:IJeO3hUnZm8PfZEGtQYWQQjJaNP6lKMYwNIfXknlqK1XxlHV3oVUnHXcq3:KZGuvhtliXPq33
TLSH	T148412BDD329208762E54ED9BF979C4A4B189DD8799C27E2CD5DC78ED40AED0C30406D7
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://217.60.199.86/bins/x86	54092bf9a09d18fdf8bc83b7ca915641cf21255a3c989aaa2e30dfa25293506f	Mirai	mirai opendir
http://217.60.199.86/bins/mips	c2aff2660d8b5ea827f8a5bf9401affb2994d66239e8628fbd1e9e2a914094bc	Mirai	mirai opendir
http://217.60.199.86/bins/x86_64	274d5b2af811b6926f5db8ffec75ad24d13b346ec9f50932e05b1a25336aaa33	Mirai	mirai opendir
http://217.60.199.86/bins/mpsl	n/a	n/a	ua-wget
http://217.60.199.86/bins/arm	d034c7d719e318421a3b53628c01a391e5ed12e9aab094bd92d2f0bdaedac930	Mirai	mirai opendir
http://217.60.199.86/bins/arm5	e2748be8a9347cab41dff679342c23bea8f5acfcb054647b74e75c96acaa3ce9	Mirai	mirai opendir
http://217.60.199.86/bins/arm6	d365cdf89d8938f69d1fe85b257f95bc271d881446af9159d17de248857bb308	Mirai	mirai opendir
http://217.60.199.86/bins/arm7	6442d8181b8ccd02286b222cb6400d50a8df9e17af67ad605d7ac3a67849d2a4	Mirai	mirai opendir
http://217.60.199.86/bins/ppc	6f81a648d0f60af32ae52c3a72c94372f20982cc8becf201ec8d36650a1b9cee	Mirai	mirai opendir
http://217.60.199.86/bins/spc	d1feceb6547770de7a5ec0f980dbdcf1de1a416c0af9e112c51df6efdb905199	Mirai	mirai opendir
http://217.60.199.86/bins/m68k	b28a25ae14facd9f3268dffa9e3a8d3a91a8552fe0c09c4a6e65f9633d1f5d7d	Mirai	mirai opendir
http://217.60.199.86/bins/sh4	6efca9a211962bc442bbb5597ea193a3454457079608f09f0e959fa569079f6e	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive mirai

Link:

https://www.filescan.io/uploads/696681b3b5214ecba5eec2e9/reports/9efa20f8-8cb9-4c43-873b-09404abeed78/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-13T14:43:00Z UTC

Last seen:

2026-01-13T23:44:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.cx

Link:

https://opentip.kaspersky.com/6d8d4f606300d2a89e47705813ab1355357032215fe352ff48626f1b17966af9/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/da4fc623-6585-41aa-bd47-fafe197d8919

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/6d8d4f606300d2a89e47705813ab1355357032215fe352ff48626f1b17966af9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6d8d4f606300d2a89e47705813ab1355357032215fe352ff48626f1b17966af9/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/6d8d4f606300d2a89e47705813ab1355357032215fe352ff48626f1b17966af9

Threat name:

Linux.Trojan.Geninst

Status:

Malicious

First seen:

2026-01-13 17:32:38 UTC

File Type:

Text (Shell)

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nwgu6yddadjkrhshobmbhkytku2xamrbl7rvf72imjxrwf4wnl4q._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:owari antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260113-v4glnsd19c/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Enumerates active TCP sockets

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/6d8d4f606300d2a89e47705813ab1355357032215fe352ff48626f1b17966af9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh