MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77724279d46695ca979728770a3fd506bf3d3ed1a68161e3b959c79de044376a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	77724279d46695ca979728770a3fd506bf3d3ed1a68161e3b959c79de044376a
SHA3-384 hash:	15cfed516e392cb82cb447402e79f8a1aeb7d49495613f3c84bcaf3408faddffb8f64b23af1626135e31f878a489ce2a
SHA1 hash:	1360555f82c67568702a76762a46c0af310a2e1a
MD5 hash:	64db1a7d172d9bace814ebf73bb5c459
humanhash:	stairway-river-six-fifteen
File name:	thinkphp
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'905 bytes
First seen:	2026-02-08 16:48:41 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vNBQBqB0BuBBezEBLBqBlBkBqBPFUfBjBmO:vNBQBqB0BuB4EBLBqBlBkBqBPFUfBjBl
TLSH	T1B851A5C5B3925A30FFB25E6A79F68004B0D0E095E7D7EE81D0EC65BC494EF0994A4B92
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://158.94.210.195/bins/sora.x86	725e13862af947197344fcb7ab345488a74762b936e841237df7f433fcbc31d8	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.mips	dec39ef87e6860891a50f3184cb34a0d6b9f80400091f181c68cefb2cdb3e4a4	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.x86_64	163a4b5be84e43243e6ccf8c9244e24e04c3429308a563ab20423f2970c65c33	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.i468	n/a	n/a	elf ua-wget
http://158.94.210.195/bins/sora.i686	ee98b5fd6ee15fe38e33baf14028d87592a86b3efa666d411bc283214b34dac2	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.mpsl	96a33a462b4026fa48a0bf747fa37915c04d4bce7f9052effe1767559bf6fa24	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.arm4	n/a	n/a	elf ua-wget
http://158.94.210.195/bins/sora.arm5	7dcbe81f748cc63db9d293c2dedebb86a9fd2299d9bd50043437c5a75107a64b	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.arm6	3a9659465e555c2e7d6ded5e96b14301a7a1fadc539ea6a32383db5250cd5778	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.arm7	32de63a0ea3a16d33fa478b59d9ac4ca503eabff97a35c5a4d9fa6e841479c28	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.ppc	824247c83d959b72bf2287af03ea5a96c496ff7eb077596e4d363e3e04994ced	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.ppc440fp	n/a	n/a	elf ua-wget
http://158.94.210.195/bins/sora.m68k	5408fbe38b20d2a90df7f4da3f41224a7769ea9ed5ca00442c344afb64cc8306	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.sh4	7754516998ed27fc3572da4127e51c381f0ceba586e0b32da846c14fd604cb00	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Result

Gathering data

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/cf433077-8ff0-40af-960d-85b8a3c5b580

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/77724279d46695ca979728770a3fd506bf3d3ed1a68161e3b959c79de044376a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/77724279d46695ca979728770a3fd506bf3d3ed1a68161e3b959c79de044376a/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/77724279d46695ca979728770a3fd506bf3d3ed1a68161e3b959c79de044376a

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-02-08 16:45:28 UTC

File Type:

Text (Shell)

AV detection:

22 of 36 (61.11%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o5zee6oum2k4vf4xfb3qup6va27t2pwru2awdy5zlhdz3yceg5va._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:sora antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260208-vbshgabv3g/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

UPX packed file

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Unexpected DNS network traffic destination

Contacts a large (20017) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/77724279d466/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh