MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8
SHA3-384 hash:	6cb8ae1b7cef092cca0a2318da6343e71c82de6a12dedc534da5dadd0876ba6f7f26046c8f4665c169caf2e269709f48
SHA1 hash:	1a6bf8ceeb92a03c7143db9eb1f7dbf80a73ba7c
MD5 hash:	a78df4a4e52e25cff44712ee65503dce
humanhash:	artist-chicken-georgia-single
File name:	sshbins.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'460 bytes
First seen:	2026-03-16 03:06:14 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ZFazPMBcGeLzXb17xnPI+75sYFs4az/hxxFRQn0YKQDO+l:ZFazPMBxWzpe1JNzFTAOO
TLSH	T1E06154D4C83094378C868A0BF561E29A5DDC93E599E0C12C57A8DE3711E2F3E7C9FA42
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://88.214.20.14/bins/tux.x86	4e51e9939761fa2348056923c01c52c22f7504db578032cd60ced6fc6fd6ef21	Mirai	mirai
http://88.214.20.14/bins/tux.mips	a9c17380091a7393278d5a6e712e10eb5895894bcc581a6fe0572a4fd63e7f15	Mirai	mirai
http://88.214.20.14/bins/tux.mpsl	f10369703a0a762d12401c40b0c0c0b8b89f4179c1e14714182b4eabaf9253c1	Mirai	mirai
http://88.214.20.14/bins/tux.arm	824264de5a67cd58bd91d70f82bbe817d727ff641135dc9e0b199a7f8633224e	Mirai	mirai
http://88.214.20.14/bins/tux.arc	1467464238cd5701035429e38da6dccd94824ae384a0ea0b479d8106cc63ffe8	Mirai	mirai
http://88.214.20.14/bins/tux.arm4	n/a	n/a	n/a
http://88.214.20.14/bins/tux.arm5	e2334ec8f063439a2d3287a8f4570f1a939dd30c93ca75b15574a4fa4a2803b5	Mirai	mirai
http://88.214.20.14/bins/tux.arm6	22565595c04aeb2ce3468ce8212164bf7747f693e1ae180c1636adabd50c1381	Mirai	mirai
http://88.214.20.14/bins/tux.arm7	01cbaaa24b9edf6b9c5a5b1410f9d5744303c27e3bd8403677c2fd6708ae5e4e	Mirai	mirai
http://88.214.20.14/bins/tux.ppc	00cb050a8c83d1250ad1d33c2a07a1c393de621d48c70f6113927a81eea52822	Mirai	mirai
http://88.214.20.14/bins/tux.m68k	0a92d0246341763621a5b0808df4fabd035c323e50354c6d6a2fc457b5ec61fb	Mirai	mirai
http://88.214.20.14/bins/tux.sh4	a8c55e579790c6ffe5239b837488f71456bde46f3b89a3ec31bf37aa9ebd2686	Mirai	mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/69b773dd493cb7d62dff23f4/reports/00e50fa0-732a-4d18-b01c-31931eddcee9/overview

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen

Link:

https://opentip.kaspersky.com/72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/94a4da89-d274-41a9-b847-9e70d92546cf

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2026-03-16 03:07:22 UTC

File Type:

Text (Shell)

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=olx7ao4fomzjqgftqgcqosvhmpuz2fpvocp6zrcptl7m4io4a3ma._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260316-dmc4gsbs6z/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Contacts a large (87612) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh