MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72f78ab333e0ee1a87754dfb1660a68153141c9af3fc9bb610350304819494c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6


SHA256 hash: 72f78ab333e0ee1a87754dfb1660a68153141c9af3fc9bb610350304819494c0
SHA3-384 hash: b6be6845de6f1c0d27a2c3a902737232db0db4b1f2b4b8c11052cd11d20fbde814cdc74d1bb071fe7d5e4af46a8a1631
SHA1 hash: 3dc1bfd8d9a17754dc5a11f55fae202e5a8bd37b
MD5 hash: 3a2ac6771022b15660e8846a93a1c6d2
humanhash: nine-beryllium-twenty-india
File name: po
Signature Mirai
File size: 505 bytes
First seen: 2026-01-01 01:44:04 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 6:SdCNbTZ6WYT0FdAWJNKZjXIT0FdmLzPEiC0FdmwEc0FdmuNNIF+KZEBFIS0FdmSz:6aTqwzTJTwmLcwm4wm6NIbMTwmSak
TLSH: T1B0F0BB9FB1247E13514D8D6B77B2061E00A1938C2917079EEDE2547A84E9780375CAE4
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 52
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive mirai
Verdict: Malicious
File Type: text
First seen: 2026-01-01T01:09:00Z UTC
Last seen: 2026-01-01T05:50:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph: (rendered process graph not reproduced) /usr/bin/sudo launches /tmp/sample.bin, which repeatedly spawns /usr/bin/wget (net, send-data, write-file), /usr/bin/chmod, /usr/bin/dash (clone) and /usr/bin/rm; each of the six wget processes sends 134-135 B to 130.12.180.64:80.
Threat name: Document-HTML.Downloader.Heuristic
Status: Malicious
First seen: 2026-01-01 02:10:44 UTC
File Type: Text (Shell)
AV detection: 7 of 24 (29.17%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a

Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type: sh
Sample: 72f78ab333e0ee1a87754dfb1660a68153141c9af3fc9bb610350304819494c0 (this sample)

Delivery method
Distributed via web download

Comments