MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71a0aa26ecf371a881b316901016c971637dbd4c2cd9fb84c2bece9a1caf30d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	71a0aa26ecf371a881b316901016c971637dbd4c2cd9fb84c2bece9a1caf30d8
SHA3-384 hash:	9053ba817b98fc7cbb04120c019ef3a7d0f237bea96c12f644fc9ae039665368f4085733782641a2db0e340b876eca66
SHA1 hash:	6954edbc3450ddddf495b3352d1049cd9c4c2563
MD5 hash:	5138e0380c5f3d5cafa34e613cb64dfd
humanhash:	nine-artist-ink-kitten
File name:	mao_http.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'181 bytes
First seen:	2026-01-31 16:41:07 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:g64Ko41YZMGeESwo6hMBmzqzI8W+kW864eEmSW:Is9
TLSH	T1EE6117FD42A0BF93CCC5A54CBA1482E1B34B51F5FD72F63C9C684BAA0441B15748BAB9
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.242.3.127/bins/mao.x86_64	80e2ffefac43ba12de92a71d3fb462576c6e13618faf4b1162198410a0f8f953	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.x86	b4811f5f075acbe9bda16a8b5ea29896ba145c3a8f134ab77adff8d4f2b419e0	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.mips	286bec72def7d4044f9b2a1ce818b88fa3e4f34d1fc99239daba332208ebc357	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.mpsl	1e6a4ee419d25c51719fc42649d8dace40a9baba3f5d76ce46a9816fb73e5eb1	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.arm	21fd5b0561383fa90237da3d6affa587530664784e39f7e5896efa144c28e679	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.arm5	a1cf80d0816c77f25ef181424cd3b806898d6657f2226791e672d20c2a725305	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.arm6	54a8965b645fd70a21c5883c49d4da0e33bbabf8ed08f73ad8f8d70d5c4cab3c	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.arm7	9598019e3b3d919d7df0e26ad0dcc12d95a6314fc7b3dbfc627bd0eb70437a3e	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.ppc	b1e0eca2d77f3d2295c9fa4c44001fd9d4e48df7b10aa25b5cad01f61be9dda7	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.m68k	5a85876c444eb38221bec627bb6887cf041e4f4aeea4e5117f04121ee88a59d1	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.sh4	77e020fefb70aaca3863a0041041cf9a597465ab1d357b07ad015876fbf23fab	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.spc	6b096d6a6ff4ad70aa27c1e7f1bee577aec33e259639599fc38b12ce175e07ff	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.arc	b9373f4df561e2be8ec80117331d22d9efd546c9d51865b66743a69c77ce8121	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.i686	2b541bff6d90991ed882c039587e3623acecc9c3c32a522b69a496bc50afbe30	Mirai	elf ua-wget
http://185.242.3.127/bins/mao.i486	7ca1830b7217d38b4b596f0146c8a5f0107c5ec4ca25f1e3e8f37bc8103ba2d4	Mirai	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-31T05:31:00Z UTC

Last seen:

2026-01-31T16:50:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/71a0aa26ecf371a881b316901016c971637dbd4c2cd9fb84c2bece9a1caf30d8/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/28c1f66a-32b3-4d77-9245-9680c39a9682

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/71a0aa26ecf371a881b316901016c971637dbd4c2cd9fb84c2bece9a1caf30d8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/71a0aa26ecf371a881b316901016c971637dbd4c2cd9fb84c2bece9a1caf30d8/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/71a0aa26ecf371a881b316901016c971637dbd4c2cd9fb84c2bece9a1caf30d8

Threat name:

Script-Shell.Worm.Mirai

Status:

Malicious

First seen:

2026-01-31 16:34:26 UTC

File Type:

Text (Shell)

AV detection:

10 of 36 (27.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ogqkujxm6ny2rantc2ibafwjofrx3pkmftm7xbgcx3hjuhfpgdma._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260131-t7bzxscz9b/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/71a0aa26ecf3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/71a0aa26ecf371a881b316901016c971637dbd4c2cd9fb84c2bece9a1caf30d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh